Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Establishing a direction for a connection

Akita881
New Member
‎06-12-2013 08:45 AM

I have a table output that has a Source Address and a Destination Address. I would like to add a column to the table titled Direction and populate the column for each event based on the Source Address. If the Source Address is one of our internal IPs the Direction would be Outbound. If the Source Address was an external IP then the Direction would be Inbound. We have splunk 5.0.2.
When I use:

| eval Direction= if(SourceAddress==”10.*”,”Outbound”,”Inbound”)    or   
| eval Direction =case(SourceAddress==”10.*”,”Outbound”,”Inbound”)

I get the error message "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '”10.*”,”Outbound”,”Inbound”)'."
Any help would be appreciated.

Tags (1)
0 Karma
Reply

Ayn
Legend
‎06-12-2013 10:59 AM

The first eval should work syntactically at least, though it will probably not work the way you want. What you're doing there is tell Splunk to compare the SourceAddress value to the literal string "10.*" which I expect you will never have as a value. If you want to do wildcarding, you will need to use the match() function instead. match uses regex, so it would be something like this:

| eval Direction=if(match(SourceAddress,"^10\."),"Outbound","Inbound")

Or for that matter, because this is an IP address you could make use of cidrmatch:

| eval Direction=if(cidrmatch("10.0.0.0/24",SourceAddress),"Outbound","Inbound")

As for your second eval, this is where you're getting the error - you're supplying an odd amount of arguments to case. case expects pairs consisting of a boolean test and a result in case this test is true. If you want to end your case statement with a "default" kind of value, you can't just put it there on its own, you need to include a test that will always yield true. 1=1 for instance.

0 Karma
Reply

Ayn
Legend
‎06-12-2013 01:26 PM

Awesome! Please mark my answer as accepted if it solved your problem. Thanks.

0 Karma
Reply

Akita881
New Member
‎06-12-2013 12:38 PM

Thanks! The change works and your explanation helped. I appreciate it.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...