I have a table output that has a Source Address and a Destination Address. I would like to add a column to the table titled Direction and populate the column for each event based on the Source Address. If the Source Address is one of our internal IPs the Direction would be Outbound. If the Source Address was an external IP then the Direction would be Inbound. We have splunk 5.0.2.
When I use:
| eval Direction=if(SourceAddress==”10.*”,”Outbound”,”Inbound”)
or
| eval Direction=case(SourceAddress==”10.*”,”Outbound”,”Inbound”)
I get the error message "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '”10.*”,”Outbound”,”Inbound”)'."
Any help would be appreciated.
The first eval should work syntactically at least, though it will probably not work the way you want. What you're doing there is telling Splunk to compare the SourceAddress value to the literal string "10.*", which I expect you will never have as a value. If you want to do wildcarding, you will need to use the match() function instead. match uses regex, so it would be something like this:

| eval Direction=if(match(SourceAddress,"^10\."),"Outbound","Inbound")

Or for that matter, because this is an IP address you could make use of cidrmatch:

| eval Direction=if(cidrmatch("10.0.0.0/24",SourceAddress),"Outbound","Inbound")

As for your second eval, this is where you're getting the error - you're supplying an odd number of arguments to case. case expects pairs consisting of a boolean test and a result in case this test is true. If you want to end your case statement with a "default" kind of value, you can't just put it there on its own, you need to include a test that will always yield true, 1=1 for instance.
Awesome! Please mark my answer as accepted if it solved your problem. Thanks.
Thanks! The change works and your explanation helped. I appreciate it.