Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.1k views
in Technique[技术] by (71.8m points)

nested condition in splunk

I am looking for below result.

  • india without scanner IP blocked

  • india without scanner IP nonblocked

  • india with scanner IP blocked

  • india with scanner Ip non blocked where ip1,ip2=>Scannner IP

I have tried the below one ..but it's showing only "india without scanner IP blocked" count

| eval BlockedStatus = case ( src !="ip1" OR src !="ip2.*" OR blocked=1,"india without scanner IP blocked", src !="ip1" OR src !="ip2*" OR  blocked=0 ,"india without scanner IP nonblocked" ,src ="ip1" OR src ="ip2" OR blocked=1,"india with scanner IP blocked", src ="ip1" OR src ="ip2" OR blocked=0 ," india with scanner Ip non blocked ")
| stats count by eventtype,BlockedStatus 
| rename eventtype as "Local Market",count as "Total Critical Events"

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

The logic in the case statement is faulty. Just about everything will match src!=ip1 OR src!=ip2 OR blocked=1. I think some of the ORs should be ANDs and that some parentheses are needed.

Maybe this is closer to what is intended?

eval BlockedStatus = case ( src !="ip1" AND src !="ip2" AND 
  blocked=1,"india without scanner IP blocked", src !="ip1" AND src !="ip2" AND 
  blocked=0 ,"india without scanner IP nonblocked" ,(src ="ip1" OR src ="ip2")
  AND blocked=1,"india with scanner IP blocked", (src ="ip1" OR src ="ip2") AND
  blocked=0 ," india with scanner Ip non blocked ", 1==1, "Error")
| stats count by eventtype,BlockedStatus 
| rename eventtype as "Local Market",count as "Total Critical Events"

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...