Splunk Search

can some one help me in fixing this?

vikram1583
Explorer

how might i incorporate regex into a like eval element in a search like this. This syntax does not work

| eval product=case((signature LIKE "%Cipher%") OR (signature LIKE "%SMBv2 signing%") OR (signature LIKE "%Diffie-Hellman%") OR
(signature LIKE "%Weak Cryptographic%") OR (signature LIKE "%SHA-%") OR (signature LIKE "%SWEET32%") OR (signature LIKE "%TLS/SSL%") OR
(signature LIKE "%Certificate Is Invalid%") OR (signature LIKE "%protocol%"), "Cipher/Protocol/Cert",
signature LIKE "%Java%", "Java",
signature LIKE regex="[M][S][0-9][0-9][-][0-9][0-9][0-9]", "test",
signature LIKE "%Apache%", "Apache",
signature LIKE "%Apple%", "Apple",
signature LIKE "%Cisco%", "Cisco",
| search product=test
| dedup signature
| table signature product

Tags (1)
0 Karma
1 Solution

nickhills
Ultra Champion

You're on the right track, but the format for like and case is wrong.

| eval product=case(like(signature,"%Cipher%"), "Cipher/Protocol/Cert" , like(signature,"%Apache%"), "Apache",1=1,"Unknown")

In full:

|eval product=case(
like(signature,"%Cipher%") , "Cipher/Protocol/Cert",
like(signature,"%SMBv2 signing%"), "Cipher/Protocol/Cert",
like(signature,"%Diffie-Hellman%") , "Cipher/Protocol/Cert",
like(signature,"%Weak Cryptographic%"), "Cipher/Protocol/Cert",
like(signature,"%SHA-%") , "Cipher/Protocol/Cert",
like(signature,"%SWEET32%"), "Cipher/Protocol/Cert",
like(signature,"%TLS/SSL%"), "Cipher/Protocol/Cert",
like(signature,"%Certificate Is Invalid%"), "Cipher/Protocol/Cert",
like(signature,"%protocol%"), "Cipher/Protocol/Cert",
like(signature, "%Java%"), "Java",
like(signature ,"%Apache%"), "Apache",
like(signature , "%Apple%"), "Apple",
like(signature ,"%Cisco%"), "Cisco",
match(signature, "[M][S][0-9][0-9][-][0-9][0-9][0-9]"), "test",
1=1, "Unknown"
)
| search product=test
| dedup signature
| table signature product

Excessive carriage returns for clarity only

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

nickhills
Ultra Champion

You're on the right track, but the format for like and case is wrong.

| eval product=case(like(signature,"%Cipher%"), "Cipher/Protocol/Cert" , like(signature,"%Apache%"), "Apache",1=1,"Unknown")

In full:

|eval product=case(
like(signature,"%Cipher%") , "Cipher/Protocol/Cert",
like(signature,"%SMBv2 signing%"), "Cipher/Protocol/Cert",
like(signature,"%Diffie-Hellman%") , "Cipher/Protocol/Cert",
like(signature,"%Weak Cryptographic%"), "Cipher/Protocol/Cert",
like(signature,"%SHA-%") , "Cipher/Protocol/Cert",
like(signature,"%SWEET32%"), "Cipher/Protocol/Cert",
like(signature,"%TLS/SSL%"), "Cipher/Protocol/Cert",
like(signature,"%Certificate Is Invalid%"), "Cipher/Protocol/Cert",
like(signature,"%protocol%"), "Cipher/Protocol/Cert",
like(signature, "%Java%"), "Java",
like(signature ,"%Apache%"), "Apache",
like(signature , "%Apple%"), "Apple",
like(signature ,"%Cisco%"), "Cisco",
match(signature, "[M][S][0-9][0-9][-][0-9][0-9][0-9]"), "test",
1=1, "Unknown"
)
| search product=test
| dedup signature
| table signature product

Excessive carriage returns for clarity only

If my comment helps, please give it a thumbs up!
0 Karma

vikram1583
Explorer

Thank You

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...