- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: can some one help me in fixing this?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how might i incorporate regex into a like eval element in a search like this. This syntax does not work
| eval product=case((signature LIKE "%Cipher%") OR (signature LIKE "%SMBv2 signing%") OR (signature LIKE "%Diffie-Hellman%") OR
(signature LIKE "%Weak Cryptographic%") OR (signature LIKE "%SHA-%") OR (signature LIKE "%SWEET32%") OR (signature LIKE "%TLS/SSL%") OR
(signature LIKE "%Certificate Is Invalid%") OR (signature LIKE "%protocol%"), "Cipher/Protocol/Cert",
signature LIKE "%Java%", "Java",
signature LIKE regex="[M][S][0-9][0-9][-][0-9][0-9][0-9]", "test",
signature LIKE "%Apache%", "Apache",
signature LIKE "%Apple%", "Apple",
signature LIKE "%Cisco%", "Cisco",
| search product=test
| dedup signature
| table signature product
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're on the right track, but the format for like and case is wrong.
| eval product=case(like(signature,"%Cipher%"), "Cipher/Protocol/Cert" , like(signature,"%Apache%"), "Apache",1=1,"Unknown")
In full:
|eval product=case(
like(signature,"%Cipher%") , "Cipher/Protocol/Cert",
like(signature,"%SMBv2 signing%"), "Cipher/Protocol/Cert",
like(signature,"%Diffie-Hellman%") , "Cipher/Protocol/Cert",
like(signature,"%Weak Cryptographic%"), "Cipher/Protocol/Cert",
like(signature,"%SHA-%") , "Cipher/Protocol/Cert",
like(signature,"%SWEET32%"), "Cipher/Protocol/Cert",
like(signature,"%TLS/SSL%"), "Cipher/Protocol/Cert",
like(signature,"%Certificate Is Invalid%"), "Cipher/Protocol/Cert",
like(signature,"%protocol%"), "Cipher/Protocol/Cert",
like(signature, "%Java%"), "Java",
like(signature ,"%Apache%"), "Apache",
like(signature , "%Apple%"), "Apple",
like(signature ,"%Cisco%"), "Cisco",
match(signature, "[M][S][0-9][0-9][-][0-9][0-9][0-9]"), "test",
1=1, "Unknown"
)
| search product=test
| dedup signature
| table signature product
Excessive carriage returns for clarity only
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're on the right track, but the format for like and case is wrong.
| eval product=case(like(signature,"%Cipher%"), "Cipher/Protocol/Cert" , like(signature,"%Apache%"), "Apache",1=1,"Unknown")
In full:
|eval product=case(
like(signature,"%Cipher%") , "Cipher/Protocol/Cert",
like(signature,"%SMBv2 signing%"), "Cipher/Protocol/Cert",
like(signature,"%Diffie-Hellman%") , "Cipher/Protocol/Cert",
like(signature,"%Weak Cryptographic%"), "Cipher/Protocol/Cert",
like(signature,"%SHA-%") , "Cipher/Protocol/Cert",
like(signature,"%SWEET32%"), "Cipher/Protocol/Cert",
like(signature,"%TLS/SSL%"), "Cipher/Protocol/Cert",
like(signature,"%Certificate Is Invalid%"), "Cipher/Protocol/Cert",
like(signature,"%protocol%"), "Cipher/Protocol/Cert",
like(signature, "%Java%"), "Java",
like(signature ,"%Apache%"), "Apache",
like(signature , "%Apple%"), "Apple",
like(signature ,"%Cisco%"), "Cisco",
match(signature, "[M][S][0-9][0-9][-][0-9][0-9][0-9]"), "test",
1=1, "Unknown"
)
| search product=test
| dedup signature
| table signature product
Excessive carriage returns for clarity only
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank You
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
