Solved: eval and coalesce return unicode list. How to sepa...

zhatsispgx · ‎09-30-2016

So when I run the following search, 'event_name' returns a list of all event_name values which match the coalesce(src_ip,host_ip). The output looks to be a python unicode list. i.e. : [u'itemnumber1',u'itemnumber2','itemnumber3'] etc.

sourcetype=suricata OR sourcetype=nessus_scans AND risk!=None | 
eval src_ip = coalesce(src_ip,host_ip) | 
table msg, src_ip, dst_ip, dst_port, event_name, risk

How would i make this so each 'itemnumber(n)' would return a new row, or pretty formatting so that its more readable?

sundareshr · ‎09-30-2016

Try this

 sourcetype=suricata OR sourcetype=nessus_scans AND risk!=None |  eval src_ip = coalesce(src_ip,host_ip) | makemv event_name delim="," | mvexpand event_name | table msg, src_ip, dst_ip, dst_port, event_name, risk

View solution in original post

sundareshr · ‎09-30-2016

Try this

 sourcetype=suricata OR sourcetype=nessus_scans AND risk!=None |  eval src_ip = coalesce(src_ip,host_ip) | makemv event_name delim="," | mvexpand event_name | table msg, src_ip, dst_ip, dst_port, event_name, risk

eval and coalesce return unicode list. How to separate each item into a new row?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor