Splunk Search

Can someone help me in fixing this?

vikram1583
Explorer

How might I incorporate regex into a like() eval element in a search like this? This syntax does not work:

| eval product=case((signature LIKE "%Cipher%") OR (signature LIKE "%SMBv2 signing%") OR (signature LIKE "%Diffie-Hellman%") OR
(signature LIKE "%Weak Cryptographic%") OR (signature LIKE "%SHA-%") OR (signature LIKE "%SWEET32%") OR (signature LIKE "%TLS/SSL%") OR
(signature LIKE "%Certificate Is Invalid%") OR (signature LIKE "%protocol%"), "Cipher/Protocol/Cert",
signature LIKE "%Java%", "Java",
signature LIKE regex="[M][S][0-9][0-9][-][0-9][0-9][0-9]", "test",
signature LIKE "%Apache%", "Apache",
signature LIKE "%Apple%", "Apple",
signature LIKE "%Cisco%", "Cisco",
| search product=test
| dedup signature
| table signature product

1 Solution

nickhills
Ultra Champion

You're on the right track, but the format for like and case is wrong.

| eval product=case(like(signature,"%Cipher%"), "Cipher/Protocol/Cert" , like(signature,"%Apache%"), "Apache",1=1,"Unknown")

In full:

|eval product=case(
like(signature,"%Cipher%") , "Cipher/Protocol/Cert",
like(signature,"%SMBv2 signing%"), "Cipher/Protocol/Cert",
like(signature,"%Diffie-Hellman%") , "Cipher/Protocol/Cert",
like(signature,"%Weak Cryptographic%"), "Cipher/Protocol/Cert",
like(signature,"%SHA-%") , "Cipher/Protocol/Cert",
like(signature,"%SWEET32%"), "Cipher/Protocol/Cert",
like(signature,"%TLS/SSL%"), "Cipher/Protocol/Cert",
like(signature,"%Certificate Is Invalid%"), "Cipher/Protocol/Cert",
like(signature,"%protocol%"), "Cipher/Protocol/Cert",
like(signature, "%Java%"), "Java",
like(signature ,"%Apache%"), "Apache",
like(signature , "%Apple%"), "Apple",
like(signature ,"%Cisco%"), "Cisco",
match(signature, "[M][S][0-9][0-9][-][0-9][0-9][0-9]"), "test",
1=1, "Unknown"
)
| search product=test
| dedup signature
| table signature product

Excessive carriage returns are for clarity only.

If my comment helps, please give it a thumbs up!

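The expression in the answer above relies on three pieces of eval behaviour: case() returns the value of the first condition that is true, so rule order decides the label when a signature satisfies several rules; like() is an SQL-style wildcard match (% for any run of characters, _ for one character); and match() is a regular-expression search. Both functions are case-sensitive, so "%protocol%" will not catch "Protocols". The following Python script is an added example, not part of the original post or of Splunk: it models those semantics so the rule table can be audited offline, flagging signatures whose label would change if the rules were reordered (for instance an MS bulletin title that also mentions TLS/SSL lands in "Cipher/Protocol/Cert", never "test"). The sample signatures are constructed, not real scanner output.

```python
"""Python model of the eval case()/like()/match() expression from the
accepted answer (added example, not from the original post or Splunk).
It reproduces the semantics that matter for the rule table: case()
returns the value of the first true condition, like() is an SQL
wildcard match, match() is a regex search, both case-sensitive.
"""
from __future__ import annotations

import re


def like(value: str, pattern: str) -> bool:
    """Emulate Splunk like(): '%' matches any run of characters, '_'
    matches exactly one character, everything else is literal, and the
    comparison is case-sensitive and covers the whole string."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def match(value: str, regex: str) -> bool:
    """Emulate Splunk match(): unanchored, case-sensitive regex search."""
    return re.search(regex, value) is not None


# Rule table in exactly the order used in the answer: (predicate, label).
CRYPTO = "Cipher/Protocol/Cert"
RULES = [
    (lambda s: like(s, "%Cipher%"), CRYPTO),
    (lambda s: like(s, "%SMBv2 signing%"), CRYPTO),
    (lambda s: like(s, "%Diffie-Hellman%"), CRYPTO),
    (lambda s: like(s, "%Weak Cryptographic%"), CRYPTO),
    (lambda s: like(s, "%SHA-%"), CRYPTO),
    (lambda s: like(s, "%SWEET32%"), CRYPTO),
    (lambda s: like(s, "%TLS/SSL%"), CRYPTO),
    (lambda s: like(s, "%Certificate Is Invalid%"), CRYPTO),
    (lambda s: like(s, "%protocol%"), CRYPTO),
    (lambda s: like(s, "%Java%"), "Java"),
    (lambda s: like(s, "%Apache%"), "Apache"),
    (lambda s: like(s, "%Apple%"), "Apple"),
    (lambda s: like(s, "%Cisco%"), "Cisco"),
    # Microsoft security bulletin IDs such as MS17-010.
    (lambda s: match(s, r"[M][S][0-9][0-9][-][0-9][0-9][0-9]"), "test"),
]
DEFAULT = "Unknown"  # the 1=1 branch of the case()


def classify(signature: str) -> str:
    """Equivalent of eval product=case(...): the first true rule wins."""
    for predicate, label in RULES:
        if predicate(signature):
            return label
    return DEFAULT


def matching_labels(signature: str) -> list[str]:
    """Every label whose rule fires for the signature, in rule order."""
    return [label for predicate, label in RULES if predicate(signature)]


def audit(signatures) -> dict[str, list[str]]:
    """Signatures that hit more than one distinct label, i.e. whose
    product value depends on the order of the rules in case()."""
    ambiguous: dict[str, list[str]] = {}
    for sig in signatures:
        labels = matching_labels(sig)
        if len(set(labels)) > 1:
            ambiguous[sig] = labels
    return ambiguous


# Constructed scanner-style signature names (not real plugin output).
SAMPLE_SIGNATURES = [
    "SSL Medium Strength Cipher Suites Supported (SWEET32)",
    "MS17-010: Security Update for Microsoft Windows SMB Server",
    "MS14-066: Schannel TLS/SSL Remote Code Execution",
    "MS16-047: Security Update for SAM and LSAD Remote Protocols",
    "Oracle Java SE Multiple Vulnerabilities",
    "Apache Tomcat Default Files",
    "SMB Signing not required",
]

if __name__ == "__main__":
    for sig in SAMPLE_SIGNATURES:
        print(f"{classify(sig):22} {sig}")
    print("order-dependent:", audit(SAMPLE_SIGNATURES))
```

Running it shows the two things worth checking before trusting the dashboard: the MS14-066 sample is labelled "Cipher/Protocol/Cert" rather than "test" because the TLS/SSL rule comes first, and "SMB Signing not required" and "Remote Protocols" fall through to "Unknown" or "test" because like() compares case-sensitively and "%SMBv2 signing%" is an exact substring. Move the match() rule earlier, or add (?i) to the regex and case variants to the like() patterns, if that is not the intended precedence.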


vikram1583
Explorer

Thank you.
