Why is the description field not functioning when ...

mtupper · ‎03-15-2019

Below is the search string I am using. Everything works like perfect except for the description field. The field remains blank when it should hold the description value. Is it because I am not using a CIDR match? I have tried a few variances of this with no luck. The csv file is populated from an hourly report. Any input is greatly appreciated.

Thanks

index=my_index sourcetype=my_sourcetype local_orig=F action=allowed
    [| inputcsv scanning_ip.csv]
| eval duration=round(duration,2)
| eval description=case(src="123.123.123.123/25", "This is our scanner, please ignore", src="123.123.123.123/16", "This is a government scanner, please ignore")
| table _time src src_port dest dest_port duration transport service conn_state_meaning description
| rename duration as "Duration_(seconds)"
| dedup src dest_port
| sort by src _time description

woodcock · ‎03-15-2019

Try this instead:

... | eval description=case(cidrmatch("123.123.123.123/25", src), "This is our scanner, please ignore", cidrmatch("123.123.123.123/16", src), "This is a government scanner, please ignore")

Why is the description field not functioning when using eval?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation