Splunk Search

How to get results by matching value with a new field extracted in the same search by using eval ?

ranjyotiprakash
Communicator

The log Format is :

Apr 24 18:37:07 10.11.26.83 2012-04-24 06:07:09.732 -0700 barracuda WF ALER SQL_INJECTION_IN_URL 99.99.182.1 44727 99.99.83.74 80 security-policy GLOBAL DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 99.99.83.74/index.html// HTTP "-" "Wget/1.12 (linux-gnu)" 99.99.182.1 44727 "-" "-"

The two fields in bold letters are the application_ip and application_port fields respectively. And I used the following search command to extract the two fields together in my search results in the format application_ip:application_port.

sourcetype="firewall" |eval ip_port=application_ip+":"+application_port

But now I need to filter the results by matching on ip_port, e.g. ip_port=99.99.83.74:80, in the same search query.
How can I do this?

Please Help...
Thanks....

0 Karma
1 Solution

ziegfried
Influencer
sourcetype="firewall" | eval ip_port=application_ip+":"+application_port | search ip_port="99.99.83.74:80"

or

sourcetype="firewall" | eval ip_port=application_ip+":"+application_port | where ip_port="99.99.83.74:80"

It's way more efficient to filter in the search directly, though:

sourcetype="firewall" application_ip=99.99.83.74 application_port=80 | eval ip_port=application_ip+":"+application_port

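To make the difference between the two pipelines concrete, here is an added Python model of what the accepted answer does; it is not code from the original thread or from Splunk. It tokenises the Barracuda WF line from the question (plus two constructed lines so the filter has something to reject), derives ip_port the way the eval does, and shows that "eval then search" and "search on application_ip/application_port then eval" return the same event. Only application_ip and application_port are field names from the thread; every other positional name (client_ip, action, user_agent, ...) is an assumption made for this example.

```python
import re
from typing import Dict, Iterable, Iterator, List

# Constructed sample events. The first line is the one quoted in the question;
# the other two are invented here so the filter has events to discard.
SAMPLE_EVENTS = [
    'Apr 24 18:37:07 10.11.26.83 2012-04-24 06:07:09.732 -0700 barracuda WF ALER SQL_INJECTION_IN_URL 99.99.182.1 44727 99.99.83.74 80 security-policy GLOBAL DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 99.99.83.74/index.html// HTTP "-" "Wget/1.12 (linux-gnu)" 99.99.182.1 44727 "-" "-"',
    'Apr 24 18:38:11 10.11.26.83 2012-04-24 06:08:13.004 -0700 barracuda WF ALER SQL_INJECTION_IN_URL 99.99.182.1 44801 99.99.83.74 443 security-policy GLOBAL DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="--"] GET 99.99.83.74/login.php?id=1-- HTTPS "-" "curl/7.19.7" 99.99.182.1 44801 "-" "-"',
    'Apr 24 18:39:42 10.11.26.83 2012-04-24 06:09:44.517 -0700 barracuda WF ALER SQL_INJECTION_IN_URL 99.99.182.9 51022 99.99.83.75 80 security-policy GLOBAL DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 99.99.83.75/search// HTTP "-" "Wget/1.12 (linux-gnu)" 99.99.182.9 51022 "-" "-"',
]

# A token is a [...] group, a "..." string (may contain spaces), or a run of
# non-whitespace. Alternation order matters: brackets and quotes are tried first.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Positional field names. application_ip / application_port are the names used
# in the question; the remaining names are assumptions for this example.
_POSITIONAL = {
    3: "relay_ip",
    9: "severity",
    10: "attack_type",
    11: "client_ip",
    12: "client_port",
    13: "application_ip",
    14: "application_port",
    17: "action",
    20: "method",
    21: "url",
    24: "user_agent",
}
_DETAILS_INDEX = 19  # the [type="..." pattern="..." token="..."] group


def extract(raw: str) -> Dict[str, str]:
    """Search-time field extraction for one Barracuda WF event."""
    tokens = _TOKEN.findall(raw)
    event = {"_raw": raw}
    for idx, name in _POSITIONAL.items():
        event[name] = tokens[idx].strip('"')
    # Flatten the bracketed key="value" attributes into top-level fields.
    for key, val in re.findall(r'(\w+)="([^"]*)"', tokens[_DETAILS_INDEX]):
        event[key] = val
    return event


def eval_ip_port(events: Iterable[Dict[str, str]]) -> Iterator[Dict[str, str]]:
    """Equivalent of: | eval ip_port=application_ip+":"+application_port"""
    for e in events:
        e["ip_port"] = e["application_ip"] + ":" + e["application_port"]
        yield e


def search(events: Iterable[Dict[str, str]], **criteria: str) -> Iterator[Dict[str, str]]:
    """Equivalent of: | search field=value ... (exact match on every field given)."""
    for e in events:
        if all(e.get(k) == v for k, v in criteria.items()):
            yield e


def eval_then_search(raw_lines: List[str], ip_port: str) -> List[Dict[str, str]]:
    """... | eval ip_port=... | search ip_port="99.99.83.74:80" (derive, then filter)."""
    return list(search(eval_ip_port(map(extract, raw_lines)), ip_port=ip_port))


def search_then_eval(raw_lines: List[str], ip: str, port: str) -> List[Dict[str, str]]:
    """... application_ip=... application_port=... | eval ip_port=... (filter first)."""
    matched = search(map(extract, raw_lines), application_ip=ip, application_port=port)
    return list(eval_ip_port(matched))


if __name__ == "__main__":
    for e in search_then_eval(SAMPLE_EVENTS, "99.99.83.74", "80"):
        print(e["ip_port"], e["action"], e["attack_type"], e["url"])
```

Both functions return the single event for 99.99.83.74:80. The reason the answer prefers the second form is visible in the structure: search_then_eval discards two of three events before the eval runs, whereas eval_then_search computes ip_port for every event in the time range and only then throws most of them away. In Splunk the gap is larger than it looks here, because a field=value term in the base search is pushed down to the indexers, while a filter on an eval'd field can only run after every event has been fetched.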

ranjyotiprakash
Communicator

Thanks a lot, sdaniels !!!

0 Karma

ranjyotiprakash
Communicator

Thanks a lot, ziegfried !!!!

0 Karma

sdaniels
Splunk Employee

You created the new field at search time (ip_port) that you need... now you want to only see results where it matches 99.99.83.74:80? You could add ' | where ip_port="99.99.83.74:80"'. Maybe I'm missing something in your question.

0 Karma