Hi
I have to create a total_threat_score field which will be the total of all other score fields,
like
if action==allowed it should add a new field called score and add 1 to it... then if bytes_in>100000 then add +1 to that score field...
index=* sourcetype=netscreen:firewall | eval score1=1 | where bytes_in>10000 | eval score2=score1+1 | where bytes_out>1000 | eval score3=score2+1 | where action="allowed"
This query is not returning results for action=allowed. Is this the right way to do it? Please help.
The where command is a filter. It removes events that don't meet the condition. That means any event where bytes_in <= 10000 will not be seen by the bytes_out test. Try this query.
index=* sourcetype=netscreen:firewall action="allowed" | eval score=1 | eval score=if(bytes_in>10000, score+1,score) | eval score=if(bytes_out>1000, score+1,score) | ...
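Extending the pattern above into the per-condition score fields and the total_threat_score the question asked for, as an added example (not part of the original answer): each condition becomes its own 0/1 field via if(), the total is the sum, and filtering happens only at the end so no event is dropped before it is scored. Field names action, bytes_in and bytes_out are taken from the thread; the thresholds are the ones in the question, and the trailing sort is an assumption about how the result is meant to be read.

```spl
index=* sourcetype=netscreen:firewall
| eval score_action   = if(action="allowed", 1, 0)
| eval score_bytes_in = if(bytes_in>100000, 1, 0)
| eval score_bytes_out = if(bytes_out>1000, 1, 0)
| eval total_threat_score = score_action + score_bytes_in + score_bytes_out
| where total_threat_score > 0
| sort - total_threat_score
| table _time action bytes_in bytes_out score_action score_bytes_in score_bytes_out total_threat_score
```

If bytes_in or bytes_out is missing on an event, the comparison inside if() is false and that condition scores 0, so the total is still numeric for every event.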