I am trying to set a new variable for each event, by using the eval command. Maybe I should a different command?
I want to set a variable, isImportant, by IP address. I am trying to see if it falls into two or more ranges (10.1.1.* or 10.1.2.*). If the IP is in one of those ranges, I would like to have the variable isImportant set to true, otherwise set to false.
I saw the following page:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Eval
And it has an example for using one cidr range to set isLocal. I imagine I can use the example of:
| eval isImportant=if(cidrmatch("10.1.1.0/24", clientip), "true", "false")
for one range. When I try to use two ranges, it does not work.
| eval isImportant=if((cidrmatch("10.1.1.0/24", clientip)) OR (cidrmatch("10.1.2.0/24", clientip)))
The second example does not work.
Is there a way to combine conditions into the eval?
↧