- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write a search to output a table showing op...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm having problems using mvfilter to filter out NULL strings. This is my search:
index=nmap* | eval state=mvfilter(match(dest_port_state, "open")) | eval state=mvfilter(state!=NULL) | table dest, dest_port, transport, state, app
I've looked at examples that others are using to achieve the same thing and they appear to be the same as the search I am using, however Splunk is returning the following error:
"Error in 'eval' command: The arguments to the 'mvfilter' function are invalid. "
When I enter a string in quotes such as state!="test" or values such as state!=123 I get no error... Splunk isn't recognising NULL
Any thoughts?
Thanks.
** Update **
So it seems that my approach is wrong, as taking out the NULL eval shows the open port as port 7, however looking at the RAW event, the open port is in fact 23 (telnet).
I have the following event:
Nmap scan report for 10.10.10.10
Host is up (0.0024s latency).
Scanned at 2014-07-10 17:08:07 BST for 42s
PORT STATE SERVICE
7/tcp closed echo
9/tcp closed discard
13/tcp closed daytime
21/tcp closed ftp
22/tcp closed ssh
23/tcp open telnet
After stripping my incorrect eval statements I'm back to:
index=nmap* dest_port_state="open" | table dest, dest_port, transport, dest_port_state, app
I want to write a search that will output a table showing open ports by host. I'm having problems filtering this correctly though. Any help would be appreciated!
Thanks Again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This syntax works for me.
...| eval state=mvfilter(state!="")
Have a look at this runanywhere query. (there is one null value in both Name and Age field)
|gentimes start=-1 | eval to="A:30 B:40 C: D:45 :50" | table to | makemv to | mvexpand to | rex field=to "(?<Name>.*):(?<age>.*)" | stats list(Name) as Name list(age) as Age | eval cName=mvcount(Name) | eval cAge=mvcount(Age) | eval Name1=mvfilter(Name!="")| eval Age1=mvfilter(Age!="") | eval cName1=mvcount(Name1) | eval cAge1=mvcount(Age1)
Update
There are 4 multivalued field and the filter is being applied on only one, hence the output is not correct. Try this
index=nmap* dest_port_state="open" | table dest, dest_port, transport, dest_port_state, app | eval temp=mvzip(mvzip(mvzip(dest_port,transport,"#"),dest_port_state,"#"),app,"#") | eval temp=mvfilter(match(temp,"#open#")) | rex field=temp "(?<dest_port>.*)#(?<transport>.*)#(?<dest_port_state>.*)#(?<app>.*)" | fields - temp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The documentation for mvfilter seems to be incorrrect. I get the same error message as the original poster:
Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.
when I use mvfilter like this:
| eval SessionEndTime = mvfilter (SessionEndTime != NULL)
Using null() instead of NULL does not work either; it gives me the error:
Error in 'eval' command: Typechecking failed. The '!=' operator received different types.
What does seem to work is putting NULL in quotes like this:
| eval SessionEndTime = mvfilter (SessionEndTime != "NULL")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This syntax works for me.
...| eval state=mvfilter(state!="")
Have a look at this runanywhere query. (there is one null value in both Name and Age field)
|gentimes start=-1 | eval to="A:30 B:40 C: D:45 :50" | table to | makemv to | mvexpand to | rex field=to "(?<Name>.*):(?<age>.*)" | stats list(Name) as Name list(age) as Age | eval cName=mvcount(Name) | eval cAge=mvcount(Age) | eval Name1=mvfilter(Name!="")| eval Age1=mvfilter(Age!="") | eval cName1=mvcount(Name1) | eval cAge1=mvcount(Age1)
Update
There are 4 multivalued field and the filter is being applied on only one, hence the output is not correct. Try this
index=nmap* dest_port_state="open" | table dest, dest_port, transport, dest_port_state, app | eval temp=mvzip(mvzip(mvzip(dest_port,transport,"#"),dest_port_state,"#"),app,"#") | eval temp=mvfilter(match(temp,"#open#")) | rex field=temp "(?<dest_port>.*)#(?<transport>.*)#(?<dest_port_state>.*)#(?<app>.*)" | fields - temp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! I added a minor tweak by renaming the fields as it was only working on the first event, then reverting back to showing all port states (open/closed/filtered). Great idea of using mvzip to stitch the fields together then using rex. Appreciate your help, thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the updated answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, thanks again for the response.
Although this does not return an eval error, it does not produce the desired output. The data returned looks like:
dest dest_port transport state app
10.10.10.10 7 tcp open echo
9 tcp discard
13 tcp daytime
21 tcp ftp
22 tcp ssh
23 tcp telnet
The raw log indicates all ports are closed apart from telnet (port 23).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response. Doesn't work I'm afriad. Hmm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using null() instead of NULL.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
