Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Simple search with eval. Why is no table shown?

alex1895
Path Finder
‎02-19-2016 10:32 AM

Here is the search:

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true")| table cat | where check_cat="true"

I get events back from the search,t but the table is not built up.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 12:18 PM

The table command you used is limiting the fields to just cat, hence your where clause is failing as the field check_cat is not available. Try like this

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true") | where check_cat="true" 
 | table cat

OR more efficient method

  index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration"   | table cat

View solution in original post

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎03-03-2020 05:44 AM

Why use case() here instead of if()?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-03-2020 01:46 PM

there is no else operation.

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎03-04-2020 07:16 AM

Sure there is: |eval check_cat=if(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true",null())

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 12:18 PM

The table command you used is limiting the fields to just cat, hence your where clause is failing as the field check_cat is not available. Try like this

index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat!="HOST SCORING" |eval check_cat=case(cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration","true") | where check_cat="true" 
 | table cat

OR more efficient method

  index=* sourcetype=Vectra-CEF vendor="Vectra Networks" cat="Command & Control" OR cat="Reconnaissance" OR cat="Lateral Movement" OR cat="Botnet Activity" OR cat="Exfiltration"   | table cat
0 Karma
Reply
Solved! Jump to solution

alex1895
Path Finder
‎02-19-2016 12:53 PM

Thanks both searches work. I realized that the Boolean expressions are case sensitive thats why my searches also did not work.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-19-2016 01:24 PM

Yes, when used in EVAL/WHERE strings are case-sensitive, but if used in base search OR SEARCH command, they are not.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-19-2016 10:59 AM

Does Verbose Mode show events with the 'cat' field having the specified values?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

alex1895
Path Finder
‎02-19-2016 11:52 AM

Yes, the 'cat' field has specified values. But for some reason the eval filter does not work. The events also show cat field values excluded in the eval filter.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...