Comments and answers for "Working with boolean operations like an arithmetic operation."
https://answers.splunk.com/answers/627695/working-with-boolean-operations-like-an-arithmetic.html
The latest comments and answers for the question "Working with boolean operations like an arithmetic operation."

Comment by jrballesteros05 on jrballesteros05's comment
https://answers.splunk.com/comments/628185/view.html
Hello @FrankVl, this is exactly what I need. Thank you so much for your reply and your time.

jrballesteros05, Wed, 21 Mar 2018 16:39:29 GMT

Comment by FrankVl on FrankVl's comment
https://answers.splunk.com/comments/627937/view.html
OR would be addition, where you need to translate any result `>1` to `1`.
For example:
| eval A = 1
| eval B = 0
| eval F = min(1,A+B)
XOR can be done with subtraction:
| eval A = 1
| eval B = 0
| eval F = abs(A-B)

FrankVl, Tue, 20 Mar 2018 12:42:48 GMT

Comment by jrballesteros05 on jrballesteros05's answer
https://answers.splunk.com/comments/627924/view.html
Hello @FrankVl. This is closer to what I want.
The AND is OK, but how can I implement the OR and the XOR? If I can implement only the OR it will be OK, because I can simulate the XOR with ANDs and ORs.

jrballesteros05, Tue, 20 Mar 2018 11:43:43 GMT

Comment by jrballesteros05 on jrballesteros05's comment
https://answers.splunk.com/comments/627923/view.html
Hi @bangalorep, thank you for your reply and your time.
What I really want is to use [boolean math][1] in Splunk. I represented the function like Splunk did, for example:
A OR B in boolean maths is (A + B), but 1 + 1 is not 2; 1 + 1 in boolean maths is 1.
A AND B in boolean maths is (A*B); in this case any value multiplied by 0 is always 0.
but if I want to represent the function:
A = 1
B = 1
C = 1
D = 1
F = (A * B) * (C + D) or in Splunk syntax
F = (A AND B) AND (C OR D)
I cannot do it in Splunk. If I do it with arithmetic operators I will have:
F = (1 * 1) * ( 1 + 1) = 2
But I want the boolean math, I only want a result like 0 or 1, nothing else:
F = (1 * 1) * (1 + 1) = 1 or
F = (1 AND 1) AND (1 OR 1) = 1
Yes, I know I can use the where syntax but I want to make boolean operations in Splunk like I do a single arithmetic operation.
[1]: https://plato.stanford.edu/entries/boolalg-math/

jrballesteros05, Tue, 20 Mar 2018 11:41:00 GMT

Answer by FrankVl
https://answers.splunk.com/answering/627922/view.html
If you represent your boolean values as 1 and 0, you could also apply normal arithmetic operators to calculate the result, right?
Especially with an AND that is easy, as it can be implemented with multiplication and the negation can be implemented as `abs(B-1)`:
| eval A = 1
| eval B = 0
| eval F = A * abs(B-1)

FrankVl, Tue, 20 Mar 2018 11:29:28 GMT

Comment by bangalorep on bangalorep's comment
https://answers.splunk.com/comments/627916/view.html
So, what I understand is, you are going to have 4 variables (A, B, C and D) and you want the results for F=0 where F = A AND B AND C AND D.
Could you maybe run a search like this?
| where (A=1 OR B=1 OR C=1 OR D=1)
instead of searching for `F=0`
| makeresults
| eval A = 1
| eval B = 0
| eval C= 0
| eval D=1
| eval F=if(A==0 OR B==0 OR C==0 OR D==0,0,1)

bangalorep, Tue, 20 Mar 2018 10:59:08 GMT

Comment by jrballesteros05 on jrballesteros05's comment
https://answers.splunk.com/comments/627909/view.html
Hi @bangalorep. This is the macro query I did. A AND B will be a result from other conditions, but it will always be a boolean value; in my case I use 0 AND 1, but it can be TRUE OR FALSE. This is the complete query I used.
| inputlookup cve-vul-alienvault-lookup-usa
| eval CurrentCycle="20180201"
| eval cycle_detection_time=strptime(CurrentCycle,"%Y%m%d")
| eval Cycle1monthago = strftime(relative_time(cycle_detection_time,"@month-1month"),"%Y%m%d")
| where cycle_detection = CurrentCycle OR cycle_detection=Cycle1monthago
| eval A = if(Auth = "AuthOK" AND cycle_detection=Cycle1monthago,1,0)
| eval B = if((Auth = "AuthOK" OR Auth="NULL") AND cycle_detection=CurrentCycle,1,0)
| eventstats sum(A) as A , sum(B) as B, count by id,dest_ip
| eval F = if(A=1 AND B=0,1,0)
| where F=0
| eval IsResolved = case ((count = 2 AND cycle_detection=CurrentCycle),"Not Resolved",(count=1 AND cycle_detection=Cycle1monthago),"Resolved", count=1 AND cycle_detection=CurrentCycle,"New Vulnerability")
| fields id,dest_ip,cycle_detection,os,signature,type,cvss,cve,Resultados,IsResolved
The problem is now solved with the query I have, because I only have 4 combinations of values between A AND B.
A = 0 AND B = 0
A = 0 AND B = 1
A = 1 AND B = 0
A = 1 AND B = 1
I want the result of all combinations except when A = 1 AND B = 0, so I decided to call the result F. F will be 1 if I want to ignore the result and 0 if I want to keep it, so I will have something like this:
A = 0 AND B = 0 so F = 0
A = 0 AND B = 1 so F = 0
A = 1 AND B = 0 so F = 1
A = 1 AND B = 1 so F = 0
The mathematical function which represents what I want is **F = (A AND BNEGATED)**; this is the same logic we use in electronic circuits. So if I receive these values in the results:
A = 1 AND B = 1
Then BNEGATED = 0 so F = (1 AND 0 ) then F = 0
If I receive these values:
A = 1 AND B = 0
Then BNEGATED = 1 so F = (1 AND 1) then F = 1
There are two ways (maybe more, but I don't know, and I'll be happy to receive any recommendation) I can solve this problem; the first one is like the previous query:
| eval F = if(A=1 AND B=0,1,0)
| where F=0
That logic is OK because I only have two variables to compare and only 4 combinations available, but I really want to use the boolean function like the logic circuits in electronic components:
| eval NEGATEDB = if(B=0,1,0)
| eval F = A AND NEGATEDB
| where F=0
Why do I want to work this way? Because in this case I only have 2 variables (A and B) and only 4 combinations, but in the future I'm planning to have 4 variables (maybe more) and then I will have 16 combinations of values, so I don't want to use a case; I think a function is the best way (I might be wrong). For example, in the case with 3 variables I have this function:
F = B AND C AND ( A OR ANEGATED)
so when A = 1, B = 0, C= 1 I will have:
F = 0 AND 1 AND (1 OR 0) = 0 AND 1 AND 1 = 0. This is going to be OK.
if A = 1, B = 1, C =0 I will have:
F = 1 AND 1 AND (1 OR 0) = 1 AND 1 AND 1 = 1. Splunk will filter this value because I want results when F=0
In short, I want to work with Boolean values like arithmetic values:
eval V = X/t
where V >= 100
At the moment I don't know how to or if it's possible.
**I hope I did not confuse anyone hehehe**, and I also did not focus on the A and B values; the A and B values will always be 0 or 1. Those values come from other conditionals but will be 1 or 0.

jrballesteros05, Tue, 20 Mar 2018 10:33:03 GMT

Comment by bangalorep
https://answers.splunk.com/comments/627884/view.html
Hello! Can you please provide sample data?
Also, what inputs are A and B, such that you'll be getting more than 4 combinations?

bangalorep, Tue, 20 Mar 2018 08:24:28 GMT
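An added model of the arithmetic encoding FrankVl proposes in this thread (Python written for this page; it is not code from the thread, from Splunk, or from either participant): AND as multiplication, NOT as abs(B-1), OR as min(1, A+B) and XOR as abs(A-B). It checks each identity against an ordinary truth table, evaluates the functions jrballesteros05 asks about (F = A AND NOT B, F = (A AND B) AND (C OR D), F = B AND C AND (A OR NOT A)) for every 0/1 combination, and renders each one as the equivalent Splunk eval expression. The expression-tree layout, the function names and the sample assignments are my own assumptions; the rendered SPL uses only the eval functions named in the thread (abs and min).

```python
from itertools import product

# Constructed expression format (an assumption for this example): an expression is
# a field name (str) or a tuple ("not", x), ("and", x, y), ("or", x, y), ("xor", x, y).
# Field values must be exactly 0 or 1; anything else is rejected, because the
# arithmetic identities below are only valid on 0/1 inputs.

def evaluate(expr, env):
    """Evaluate expr with the arithmetic identities from the thread; returns 0 or 1."""
    if isinstance(expr, str):
        value = env[expr]
        if value not in (0, 1):
            raise ValueError(f"{expr} must be 0 or 1, got {value!r}")
        return value
    op, *args = expr
    vals = [evaluate(a, env) for a in args]
    if op == "not":
        return abs(vals[0] - 1)            # NOT A   -> abs(A-1)
    if op == "and":
        return vals[0] * vals[1]           # A AND B -> A*B
    if op == "or":
        return min(1, vals[0] + vals[1])   # A OR B  -> min(1, A+B)
    if op == "xor":
        return abs(vals[0] - vals[1])      # A XOR B -> abs(A-B)
    raise ValueError(f"unknown operator {op!r}")

def to_spl(expr):
    """Render expr as the arithmetic Splunk eval expression using the same identities."""
    if isinstance(expr, str):
        return expr
    op, *args = expr
    parts = [to_spl(a) for a in args]
    if op == "not":
        return f"abs({parts[0]}-1)"
    if op == "and":
        return f"({parts[0]}*{parts[1]})"
    if op == "or":
        return f"min(1,{parts[0]}+{parts[1]})"
    if op == "xor":
        return f"abs({parts[0]}-{parts[1]})"
    raise ValueError(f"unknown operator {op!r}")

def truth_table(expr, fields):
    """Evaluate expr for every 0/1 assignment of fields, keyed by the input tuple."""
    return {vals: evaluate(expr, dict(zip(fields, vals)))
            for vals in product((0, 1), repeat=len(fields))}

def identities_hold():
    """Check the four arithmetic encodings against Python's own boolean logic."""
    for a, b in product((0, 1), repeat=2):
        env = {"A": a, "B": b}
        if evaluate(("not", "A"), env) != int(not a):
            return False
        if evaluate(("and", "A", "B"), env) != int(a and b):
            return False
        if evaluate(("or", "A", "B"), env) != int(a or b):
            return False
        if evaluate(("xor", "A", "B"), env) != int(a != b):
            return False
    return True

# The functions discussed in the thread, as expression trees
F_FILTER = ("and", "A", ("not", "B"))                             # F = A AND NOT B
F_FOUR = ("and", ("and", "A", "B"), ("or", "C", "D"))             # F = (A AND B) AND (C OR D)
F_THREE = ("and", ("and", "B", "C"), ("or", "A", ("not", "A")))   # F = B AND C AND (A OR NOT A)

if __name__ == "__main__":
    print("identities hold:", identities_hold())
    for name, expr, fields in [("F_FILTER", F_FILTER, "AB"),
                               ("F_FOUR", F_FOUR, "ABCD"),
                               ("F_THREE", F_THREE, "ABC")]:
        print(f"| eval {name} = {to_spl(expr)}")
        for vals, f in truth_table(expr, fields).items():
            print("   ", dict(zip(fields, vals)), "->", f)
```

One caveat the model makes explicit by refusing values other than 0 and 1: in the query posted above, A and B are produced by `eventstats sum(A) as A, sum(B) as B`, so with several rows per id,dest_ip they can exceed 1, and then abs(A-1) and A*B no longer behave as NOT and AND. Normalising first (for example `eval A = if(A>0,1,0)`) keeps the identities valid.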