Splunk Search

Combine two searches using Eval with Case statement.

abdimustafa12
New Member

Combine two searches using Eval with Case statement.

Tags (1)
0 Karma

chimell
Motivator

Hi
Try this

 sourcetype=Firewall action=allowed port=21 OR port=22 OR port=20
 | eval Direction=case((dst!="10.0.0.0/8" AND  dst!="192.168.0.0/16"),"OUTBOUND",(src!="10.0.0.0/8" AND src!="192.168.0.0/16"),"INBOUND")| iplocation dst | where Country!="United States" | stats Count by Country src dst port action Direction
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

sourcetype=Firewall action=allowed port=21 OR port=22 OR port=20
| eval Direction=case(dst!="10.0.0.0/8" AND  dst!="192.168.0.0/16","OUTBOUND",src!="10.0.0.0/8" AND src!="192.168.0.0/16","INBOUND",1=1,"Other") | where Direction!="Other" | iplocation dst | rename Country as Country_dst | iplocation src | where Country!="United States" OR Country_dst!="United States" | stats Count byCountry src dst port action Direction
0 Karma

lguinn2
Legend
sourcetype=Firewall action=allowed (port=21 OR port=22 OR port=20) 
       (dst!=10.0.0.0/8 dst!=192.168.0.0/16 ) OR (src!=10.0.0.0/8 src!=192.168.0.0/16)
| iplocation dst
| search Country!="United States"
| stats Count by Country src dst port action

This is a start - but the real problem is: how do you determine the direction? Without that information, the whole search doesn't really make sense to me.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...