I am doing a search on two sourcetypes and looking for data that matches multiple parts of a field called method.
The two sourcetypes and first eval/case function work properly.
The second function fails if I add any more to the if statement with the AND operation (fails as in it does not show any data).
The last part works with the stats/path if I remove the if statement that is causing trouble.
sourcetype="A" OR sourcetype="B"
| eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
| eval foo=if((method="X" AND method="Y" ...), "Suspect", null())
| stats values(foo) count(path) as PATH by HOST
| where PATH>=10
See if this works for you
sourcetype="A" OR sourcetype="B"
| eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
| stats values(method) as method count(path) as PATH by HOST
| eval foo=if(mvfind(method,"X")>=0 AND mvfind(method,"Y")>=0, "found", "didnotfind")
| where PATH>=10
| fields - method
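To make the difference between the two approaches concrete, here is an added example (not from this thread or from Splunk) that simulates both searches over a handful of constructed events: the per-event AND on a single-valued field never matches, while aggregating methods per HOST first and then checking the value set does. The event shape, the host/host2 split and the path threshold are assumptions mirroring the searches above.

```python
# Added example, not code from the thread: simulate per-event AND versus
# aggregate-then-check on a single-valued "method" field.
from collections import defaultdict

# Constructed sample events. sourcetype "A" carries the host in "host",
# sourcetype "B" carries it in "host2", mirroring the case() in the search.
EVENTS = [
    {"sourcetype": "A", "host": "web01", "method": "X", "path": "/a"},
    {"sourcetype": "A", "host": "web01", "method": "Y", "path": "/b"},
    {"sourcetype": "B", "host2": "web01", "method": "X", "path": "/c"},
    {"sourcetype": "B", "host2": "web02", "method": "X", "path": "/d"},
    {"sourcetype": "A", "host": "web02", "method": "X", "path": "/e"},
]

def normalize_host(event):
    """Equivalent of eval HOST=case(sourcetype="A",host,sourcetype="B",host2)."""
    if event["sourcetype"] == "A":
        return event.get("host")
    if event["sourcetype"] == "B":
        return event.get("host2")
    return None

def per_event_and(events, required):
    """Original approach: method="X" AND method="Y" evaluated on each event.
    A single-valued field cannot equal two different strings at once, so
    the result is always empty."""
    return [e for e in events if all(e["method"] == m for m in required)]

def hosts_with_pattern(events, required, min_paths=1):
    """Working approach: stats values(method) count(path) by HOST, then check
    that every required method is present in the aggregated value set and
    that the path count meets the threshold (the thread uses PATH>=10)."""
    methods = defaultdict(set)
    path_count = defaultdict(int)
    for e in events:
        h = normalize_host(e)
        if h is None:
            continue
        methods[h].add(e["method"])
        if e.get("path"):
            path_count[h] += 1
    return sorted(h for h in methods
                  if set(required) <= methods[h] and path_count[h] >= min_paths)
```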
The eval is executed per event, so on a single event, method can never be X AND Y at the same time...?
I understand the confusion. I am not looking for a single event, rather multiple events.
i.e. a large group of events that show results by HOST, and if that HOST has events with method X and Y, it displays the data.
Essentially, I am looking for a pattern and displaying results when that pattern is found.
Is this a clearer explanation?
The expression method="X" AND method="Y" will never be true, as method can be either X or Y in the same event.
If you're looking to match that the field method contains X and Y, then try this:
sourcetype="A" OR sourcetype="B"
| eval HOST=case(sourcetype="A",host,sourcetype="B",host2)
| eval foo=if((match(method,"X") AND match(method,"Y")), "Suspect", null())
| stats values(foo) count(path) as PATH by HOST
| where PATH>=10
Since method is a single field, you should try OR instead of AND. The AND condition will not be true.
The problem is I need that field to match on every part I AND.
i.e. method must equal X,Y,Z,... to trigger/pull results.
Is method extracted as a multi-value field? If yes, try this
... | eval foo=if(isnotnull(mvfind(method,"X")) AND isnotnull(mvfind(method,"Y"))...