Re: Why is the description field not functioning w...

mtupper · ‎03-15-2019

Below is the search string I am using. Everything works like perfect except for the description field. The field remains blank when it should hold the description value. Is it because I am not using a CIDR match? I have tried a few variances of this with no luck. The csv file is populated from an hourly report. Any input is greatly appreciated.

Thanks

index=my_index sourcetype=my_sourcetype local_orig=F action=allowed
    [| inputcsv scanning_ip.csv]
| eval duration=round(duration,2)
| eval description=case(src="123.123.123.123/25", "This is our scanner, please ignore", src="123.123.123.123/16", "This is a government scanner, please ignore")
| table _time src src_port dest dest_port duration transport service conn_state_meaning description
| rename duration as "Duration_(seconds)"
| dedup src dest_port
| sort by src _time description

woodcock · ‎03-15-2019

Try this instead:

... | eval description=case(cidrmatch("123.123.123.123/25", src), "This is our scanner, please ignore", cidrmatch("123.123.123.123/16", src), "This is a government scanner, please ignore")

Why is the description field not functioning when using eval?

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

Why is the description field not functioning when using eval?

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+