Re: How to set a Variable from an Eval match?

stakor · ‎07-19-2017

I am trying to set a new variable for each event, by using the eval command. Maybe I should a different command?

I want to set a variable, isImportant, by IP address. I am trying to see if it falls into two or more ranges (10.1.1.* or 10.1.2.*). If the IP is in one of those ranges, I would like to have the variable isImportant set to true, otherwise set to false.

I saw the following page:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Eval

And it has an example for using one cidr range to set isLocal. I imagine I can use the example of:

| eval isImportant=if(cidrmatch("10.1.1.0/24", clientip), "true", "false")

for one range. When I try to use two ranges, it does not work.

| eval isImportant=if((cidrmatch("10.1.1.0/24", clientip)) OR (cidrmatch("10.1.2.0/24", clientip)))

The second example does not work.

Is there a way to combine conditions into the eval?

somesoni2 · ‎07-19-2017

You just specified the condition in if condition but no if-true and if-false actions.

richgalloway · ‎07-19-2017

Have you tried | eval isImportant=if((cidrmatch("10.1.1.0/24", clientip)) OR (cidrmatch("10.1.2.0/24", clientip)), "true", "false")?

---
If this reply helps you, Karma would be appreciated.

stakor · ‎07-19-2017

This works. And I think would be my first choice of solution. Not sure if I can accept this as the solution or not though.

somesoni2 · ‎07-19-2017

Now you should be.

cpetterborg · ‎07-19-2017

Try:

| makeresults | eval clientip="10.1.3.4" | eval isImportant=if(((cidrmatch("10.1.1.0/24", clientip)) OR (cidrmatch("10.1.2.0/24", clientip))), "true", "false")

Works with 10.1.1.4 and 10.1.2.4 properly, so you can try that.

How to set a Variable from an Eval match?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...