supriya
Reputation: 31
nested condition in splunk
I am looking for below result.
india without scanner IP blocked
india without scanner IP nonblocked
india with scanner IP blocked
india with scanner Ip non blocked where ip1,ip2=>Scannner IP
I have tried the below one ..but it's showing only "india without scanner IP blocked" count
| eval BlockedStatus = case ( src !="ip1" OR src !="ip2.*" OR blocked=1,"india without scanner IP blocked", src !="ip1" OR src !="ip2*" OR blocked=0 ,"india without scanner IP nonblocked" ,src ="ip1" OR src ="ip2" OR blocked=1,"india with scanner IP blocked", src ="ip1" OR src ="ip2" OR blocked=0 ," india with scanner Ip non blocked ")
| stats count by eventtype,BlockedStatus
| rename eventtype as "Local Market",count as "Total Critical Events"
Upvotes: 0
Views: 299
Answers (1)
RichG
Reputation: 9936
The logic in the case statement is faulty. Just about everything will match src!=ip1 OR src!=ip2 OR blocked=1. I think some of the ORs should be ANDs and that some parentheses are needed.
Maybe this is closer to what is intended?
eval BlockedStatus = case ( src !="ip1" AND src !="ip2" AND
blocked=1,"india without scanner IP blocked", src !="ip1" AND src !="ip2" AND
blocked=0 ,"india without scanner IP nonblocked" ,(src ="ip1" OR src ="ip2")
AND blocked=1,"india with scanner IP blocked", (src ="ip1" OR src ="ip2") AND
blocked=0 ," india with scanner Ip non blocked ", 1==1, "Error")
| stats count by eventtype,BlockedStatus
| rename eventtype as "Local Market",count as "Total Critical Events"
Upvotes: 1
Related Questions
- Splunk : How to sum the values of the fields that are a result of if condition
- Assign Nested Value to Variable in Splunk
- Splunk conditional search
- how to apply multiple addition in Splunk
- How to do compound query with where clause in Splunk?
- In splunk How to apply Multiple filter on splunk
- Splunk Query to update a query
- Splunk how to combine two queries and get one answer
- Splunk query based on the results of another query
- How to combine two queries in Splunk?