Solved: Eval and multiple logic operators

jacqu3sy · ‎09-15-2017

Hi,

Can anyone explain why the following dosent work?

....
| eval suppress=if((hour >=10 AND hour <=12, "yes","no") AND (dest="x.x.x.x"))
| where suppress="no"
...

the idea being not to produce results if the hour is between 10 - 12 AND the server equals x.x.x.x

I still want to see results produced between 10 - 12 for devices other than that server.

Thanks in advance.

cmerriman · ‎09-15-2017

try this:

| eval suppress=if((hour >=10 AND hour <=12 AND dest="x.x.x.x", "yes","no")
| search suppress="no"

gcusello · ‎09-15-2017

Hi
review the eval conditions: you have a condition out ot the condition area, try:

| eval suppress=if(hour>=10 AND hour<=12 AND dest="x.x.x.x", "yes","no")

In addition I don't like to use >= or <=, I prefer to use only > or <:

| eval suppress=if(hour>9 AND hour<13 AND dest="x.x.x.x", "yes","no")

Bye.
Giuseppe

jacqu3sy · ‎09-15-2017

thanks for that.

cmerriman · ‎09-15-2017

try this:

| eval suppress=if((hour >=10 AND hour <=12 AND dest="x.x.x.x", "yes","no")
| search suppress="no"

jacqu3sy · ‎09-15-2017

thanks, worked perfect.

Eval and multiple logic operators