the port signatures panel of the port overview dashboard is not working
The search string is:
eventtype=port_scan "Linux 2.6.32 - 3.10" | stats dc(dest_ip) as count by port_signature | where match(port_signature, replace(replace(""Linux 2.6.32 - 3.10"", "\s*OR\s*", "|"), "*", ".*")) | sort - count
The error is:
Error in 'where' command: The expression is malformed. Expected LIKE.
I get the problem, I just can't work out where to put the LIKE.
Anyone?
Kind Regards
Peter
The problem is in your second "replace()" call. The "Linux 2.6.32 - 3.10" term should only be contained in a single set of double-quotes, not two sets.
What you have:
eventtype=port_scan "Linux 2.6.32 - 3.10" | stats dc(dest_ip) as count by port_signature | where match(port_signature,
replace(replace(""Linux 2.6.32 - 3.10"", "\s*OR\s*", "|"), "\*", ".*")) | sort - count
What it should be:
eventtype=port_scan "Linux 2.6.32 - 3.10" | stats dc(dest_ip) as count by port_signature | where match(port_signature,
replace(replace("Linux 2.6.32 - 3.10", "\s*OR\s*", "|"), "\*", ".*")) | sort - count
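As an added illustration (not part of the thread and not Splunk code), the same transformation the two nested replace() calls perform, followed by the dc(dest_ip)-by-port_signature count and the match() filter, written in Python over a handful of constructed events; the Windows and FreeBSD signatures and the IPs are made up, and the token is deliberately left unescaped exactly as the dashboard search leaves it, so a "." in a version string matches any character.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for eventtype=port_scan results.
# The field names dest_ip and port_signature are the ones used in the search.
EVENTS = [
    {"dest_ip": "10.0.0.5", "port_signature": "Linux 2.6.32 - 3.10"},
    {"dest_ip": "10.0.0.6", "port_signature": "Linux 2.6.32 - 3.10"},
    {"dest_ip": "10.0.0.5", "port_signature": "Linux 2.6.32 - 3.10"},  # repeat dest_ip
    {"dest_ip": "10.0.0.7", "port_signature": "Windows 7 SP1"},
    {"dest_ip": "10.0.0.8", "port_signature": "Windows Server 2012"},
    {"dest_ip": "10.0.0.9", "port_signature": "FreeBSD 10.1"},
]


def token_to_regex(token: str) -> str:
    """Mirror replace(replace(token, "\\s*OR\\s*", "|"), "\\*", ".*"):
    'A OR B*' becomes 'A|B.*'. No regex escaping is applied, matching the
    dashboard search, so '2.6.32' also matches e.g. '2x6x32'."""
    pattern = re.sub(r"\s*OR\s*", "|", token)
    return pattern.replace("*", ".*")


def distinct_dest_by_signature(events, token: str):
    """stats dc(dest_ip) as count by port_signature
       | where match(port_signature, <regex>) | sort - count"""
    regex = re.compile(token_to_regex(token))
    per_sig = defaultdict(set)  # port_signature -> distinct dest_ip values
    for ev in events:
        per_sig[ev["port_signature"]].add(ev["dest_ip"])
    # match() in SPL is an unanchored regex search, hence re.search here.
    rows = [(sig, len(ips)) for sig, ips in per_sig.items() if regex.search(sig)]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for sig, count in distinct_dest_by_signature(EVENTS, "Linux 2.6.32 - 3.10 OR Windows*"):
        print(f"{count:3d}  {sig}")
```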
Thanks, that works.