Hi,
I'm having problems using mvfilter to filter out NULL strings. This is my search:
index=nmap* | eval state=mvfilter(match(dest_port_state, "open")) | eval state=mvfilter(state!=NULL) | table dest, dest_port, transport, state, app
I've looked at examples that others are using to achieve the same thing, and they appear to be the same as the search I am using; however, Splunk is returning the following error:
"Error in 'eval' command: The arguments to the 'mvfilter' function are invalid. "
When I enter a string in quotes such as state!="test" or a value such as state!=123 I get no error... Splunk isn't recognising NULL.
Any thoughts?
Thanks.
** Update **
So it seems that my approach is wrong, as taking out the NULL eval shows the open port as port 7; however, looking at the raw event, the open port is in fact 23 (telnet).
I have the following event:
Nmap scan report for 10.10.10.10
Host is up (0.0024s latency).
Scanned at 2014-07-10 17:08:07 BST for 42s
PORT STATE SERVICE
7/tcp closed echo
9/tcp closed discard
13/tcp closed daytime
21/tcp closed ftp
22/tcp closed ssh
23/tcp open telnet
After stripping my incorrect eval statements I'm back to:
index=nmap* dest_port_state="open" | table dest, dest_port, transport, dest_port_state, app
I want to write a search that will output a table showing open ports by host. I'm having problems filtering this correctly though. Any help would be appreciated!
Thanks Again.
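Added example, not part of the original post: a Python model of the multivalue behaviour described in the update. It shows why filtering dest_port_state on its own loses its pairing with dest_port (the port-7-instead-of-23 symptom) and how keeping the columns zipped, the idea behind Splunk's mvzip and mvexpand, preserves the correct row. Field names are taken from the question; the parsing regex, the sample event and the function names are assumptions.

```python
# Models Splunk multivalue fields as parallel Python lists, one per column of
# the Nmap port table, to show why filtering one column independently breaks
# its pairing with the others. The event is constructed from the question.
import re

RAW_EVENT = """Nmap scan report for 10.10.10.10
Host is up (0.0024s latency).
Scanned at 2014-07-10 17:08:07 BST for 42s
PORT STATE SERVICE
7/tcp closed echo
9/tcp closed discard
13/tcp closed daytime
21/tcp closed ftp
22/tcp closed ssh
23/tcp open telnet
"""

# Assumed extraction: one multivalue list per column of the port table.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$", re.M)

def extract_multivalue_fields(event):
    """Mimic field extraction: parallel lists that share an index position."""
    rows = PORT_LINE.findall(event)
    return {
        "dest": re.search(r"report for (\S+)", event).group(1),
        "dest_port": [r[0] for r in rows],
        "transport": [r[1] for r in rows],
        "dest_port_state": [r[2] for r in rows],
        "app": [r[3] for r in rows],
    }

def open_ports_independent_filter(fields):
    """Filter the state column alone, as mvfilter on dest_port_state does.
    The surviving "open" value no longer carries its index, so pairing it
    with dest_port falls back to the first port (7), not the real one (23)."""
    state = [s for s in fields["dest_port_state"] if s == "open"]
    return [(fields["dest"], fields["dest_port"][0], s) for s in state]

def open_ports_zipped(fields):
    """Pair the columns first (the mvzip + mvexpand idea), then filter rows."""
    zipped = zip(fields["dest_port"], fields["transport"],
                 fields["dest_port_state"], fields["app"])
    return [(fields["dest"], port, transport, state, app)
            for port, transport, state, app in zipped if state == "open"]
```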