Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Simple search with eval. Why is no table shown?

alex1895
Path Finder
‎02-19-2016 10:32 AM

Here is the search:

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true")| table cat | where check_cat="true"

I get events back from the search,t but the table is not built up.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 12:18 PM

The table command you used is limiting the fields to just cat, hence your where clause is failing as the field check_cat is not available. Try like this

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true") | where check_cat="true" 
 | table cat

OR more efficient method

  index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration"   | table cat

View solution in original post

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎03-03-2020 05:44 AM

Why use case() here instead of if()?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-03-2020 01:46 PM

there is no else operation.

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎03-04-2020 07:16 AM

Sure there is: |eval check_cat=if(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true",null())

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 12:18 PM

The table command you used is limiting the fields to just cat, hence your where clause is failing as the field check_cat is not available. Try like this

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true") | where check_cat="true" 
 | table cat

OR more efficient method

  index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration"   | table cat
0 Karma
Reply
Solved! Jump to solution

alex1895
Path Finder
‎02-19-2016 12:53 PM

Thanks both searches work. I realized that the Boolean expressions are case sensitive thats why my searches also did not work.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-19-2016 01:24 PM

Yes, when used in EVAL/WHERE strings are case-sensitive, but if used in base search OR SEARCH command, they are not.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-19-2016 10:59 AM

Does Verbose Mode show events with the 'cat' field having the specified values?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

alex1895
Path Finder
‎02-19-2016 11:52 AM

Yes, the 'cat' field has specified values. But for some reason the eval filter does not work. The events also show cat field values excluded in the eval filter.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...