Hi,
I'm having problems using mvfilter to filter out NULL strings. This is my search:
index=nmap* | eval state=mvfilter(match(dest_port_state, "open")) | eval state=mvfilter(state!=NULL) | table dest, dest_port, transport, state, app
I've looked at examples that others are using to achieve the same thing and they appear to be the same as the search I am using, however Splunk is returning the following error:
"Error in 'eval' command: The arguments to the 'mvfilter' function are invalid. "
When I enter a string in quotes such as state!="test"
or values such as state!=123
I get no error... Splunk isn't recognising NULL
Any thoughts?
Thanks.
** Update **
So it seems that my approach is wrong, as taking out the NULL eval shows the open port as port 7, however looking at the RAW event, the open port is in fact 23 (telnet).
I have the following event:
Nmap scan report for 10.10.10.10
Host is up (0.0024s latency).
Scanned at 2014-07-10 17:08:07 BST for 42s
PORT STATE SERVICE
7/tcp closed echo
9/tcp closed discard
13/tcp closed daytime
21/tcp closed ftp
22/tcp closed ssh
23/tcp open telnet
After stripping my incorrect eval statements I'm back to:
index=nmap* dest_port_state="open" | table dest, dest_port, transport, dest_port_state, app
I want to write a search that will output a table showing open ports by host. I'm having problems filtering this correctly though. Any help would be appreciated!
Thanks Again.
This syntax works for me.
...| eval state=mvfilter(state!="")
Have a look at this runanywhere query. (there is one null value in both Name and Age field)
|gentimes start=-1 | eval to="A:30 B:40 C: D:45 :50" | table to | makemv to | mvexpand to | rex field=to "(?<Name>.*):(?<age>.*)" | stats list(Name) as Name list(age) as Age | eval cName=mvcount(Name) | eval cAge=mvcount(Age) | eval Name1=mvfilter(Name!="")| eval Age1=mvfilter(Age!="") | eval cName1=mvcount(Name1) | eval cAge1=mvcount(Age1)
Update
There are 4 multivalued fields and the filter is being applied on only one, hence the output is not correct. Try this
index=nmap* dest_port_state="open" | table dest, dest_port, transport, dest_port_state, app | eval temp=mvzip(mvzip(mvzip(dest_port,transport,"#"),dest_port_state,"#"),app,"#") | eval temp=mvfilter(match(temp,"#open#")) | rex field=temp "(?<dest_port>.*)#(?<transport>.*)#(?<dest_port_state>.*)#(?<app>.*)" | fields - temp
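To show why filtering a single multivalue field misaligns the rows (port 7 shown as open) while zipping the fields first gives the right answer (port 23), here is an added Python example, not part of this thread or of Splunk. It reproduces the same logic outside Splunk on the Nmap report quoted in the question (embedded below as constructed input): `naive_open_ports` mirrors filtering only `dest_port_state`, and `zipped_open_ports` mirrors the mvzip / mvfilter / rex approach from the answer above. The function names are the example's own.

```python
import re

# Constructed sample input: the Nmap report quoted in the question.
NMAP_REPORT = """\
Nmap scan report for 10.10.10.10
Host is up (0.0024s latency).
Scanned at 2014-07-10 17:08:07 BST for 42s
PORT STATE SERVICE
7/tcp closed echo
9/tcp closed discard
13/tcp closed daytime
21/tcp closed ftp
22/tcp closed ssh
23/tcp open telnet
"""

HOST_LINE = re.compile(r"^Nmap scan report for (?P<dest>\S+)$")
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>\w+)\s+(?P<state>\S+)\s+(?P<service>\S+)$")


def parse_report(text):
    """Parse the report into the shape Splunk extracts: one event per host
    holding parallel multivalue fields dest_port, transport, dest_port_state, app."""
    event = {"dest": None, "dest_port": [], "transport": [],
             "dest_port_state": [], "app": []}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            event["dest"] = m.group("dest")
            continue
        m = PORT_LINE.match(line)
        if m:
            event["dest_port"].append(m.group("port"))
            event["transport"].append(m.group("proto"))
            event["dest_port_state"].append(m.group("state"))
            event["app"].append(m.group("service"))
    return event


def naive_open_ports(event):
    """What filtering only the state field does: the surviving 'open' value
    drops to slot 0, so it is paired positionally with port 7 / echo."""
    states = [s for s in event["dest_port_state"] if s == "open"]
    return [(event["dest_port"][i], event["transport"][i], s, event["app"][i])
            for i, s in enumerate(states)]


def zipped_open_ports(event, sep="#"):
    """The mvzip approach: join the parallel fields into one value per port,
    filter on the joined string, then split the fields back out (the rex step).
    The separator must not occur inside any field value, or the split breaks."""
    zipped = [sep.join(t) for t in zip(event["dest_port"], event["transport"],
                                       event["dest_port_state"], event["app"])]
    kept = [z for z in zipped if f"{sep}open{sep}" in z]
    return [tuple(z.split(sep)) for z in kept]


if __name__ == "__main__":
    ev = parse_report(NMAP_REPORT)
    print("naive :", naive_open_ports(ev))    # port 7 misreported as open
    print("zipped:", zipped_open_ports(ev))   # port 23 telnet, as in the raw log
```

The same idea carries over to Splunk: any per-port field you filter on must be zipped with the fields you want to keep alongside it, otherwise `mvfilter` shortens one list and the others no longer line up.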
The documentation for mvfilter seems to be incorrect. I get the same error message as the original poster:
Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.
when I use mvfilter like this:
| eval SessionEndTime = mvfilter (SessionEndTime != NULL)
Using null() instead of NULL does not work either; it gives me the error:
Error in 'eval' command: Typechecking failed. The '!=' operator received different types.
What does seem to work is putting NULL in quotes like this:
| eval SessionEndTime = mvfilter (SessionEndTime != "NULL")
Thanks! I added a minor tweak by renaming the fields as it was only working on the first event, then reverting back to showing all port states (open/closed/filtered). Great idea of using mvzip to stitch the fields together then using rex. Appreciate your help, thanks!
Try the updated answer.
Hi, thanks again for the response.
Although this does not return an eval error, it does not produce the desired output. The data returned looks like:
dest         dest_port  transport  state  app
10.10.10.10  7          tcp        open   echo
             9          tcp               discard
             13         tcp               daytime
             21         tcp               ftp
             22         tcp               ssh
             23         tcp               telnet
The raw log indicates all ports are closed apart from telnet (port 23).
Thanks for the response. Doesn't work I'm afraid. Hmm.
Try using null() instead of NULL.