This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Unexpected value in output - Splunk vs Dynatrace

sharmas2
Participant

‎02 Jun 2025 05:31 PM - last edited on ‎03 Jun 2025 01:06 PM by Community Team

Hi,

"I have the following Splunk query, and I'm trying to generate the corresponding output in Dynatrace."

splunk query :-

index=ngss*_sourcefire_secevents | rex field=index "(?<Local_Market>\w.*?)_"
| eval BlockedStatus =
case(Like(src_ip,"64.39.106.%") AND InlineResultID=4 ," Qualys Blocked",
Like(src_ip,"154.59.121.%") AND InlineResultID=4," Qualys Blocked",
Like(src_ip,"64.39.106.%") AND InlineResultID=0," Qualys Not Blocked",
Like(src_ip,"154.59.121.%") AND InlineResultID=0," Qualys Not Blocked",
NOT Like(src_ip,"64.39.106.%") AND InlineResultID=4,"Non Qualys Blocked",
NOT Like(src_ip,"154.59.121.%") AND InlineResultID=4,"Non Qualys Blocked",
NOT Like(src_ip,"64.39.106.%") AND InlineResultID=0,"Non Qualys Not Blocked",
NOT Like(src_ip,"154.59.121.%") AND InlineResultID=0,"Non Qualys Not Blocked")
| stats count by Local_Market BlockedStatus | rename eventtype as "Local Market",count as "Total Critical Events"

corresponding DQL is as below , where i am getting Null value ..
Please not that in DQL Src_ip is consider as "InitiatorIP".


 DQL query is as below :-

fetch logs // scanLimitGBytes: , samplingRatio: 1000

| filter contains(dt.security_context,"ngss")
| parse content,"""LD 'InlineResultID":' string:InlineResultID "," """
//| parse content, """LD 'InitiatorIP'[^,]{1,100}?:"InitiatorIP','""""
| fieldsAdd market = substring(dt.security_context, to: indexOf(dt.security_context, "_"))
| parse content, """ LD 'InitiatorIP\":\"' IPADDR:InitiatorIP """
| parse content, """ LD 'InitiatorIP=' IPADDR:InitiatorIP """
| fieldsadd QualysBlocked=if((like(SrcIP"154.59.121%") or like(SrcIP"64.39.106.%") AND contains(InlineResultID,"0") or contains(InlineResultID,"4")),QualysBlocked)
| fieldsadd QualysNotBlocked=if((like(SrcIP"64.39.106%") OR like(SrcIP"154.59.121.%") AND contains(InlineResultID,"0") or contains(InlineResultID,"4")),QualysNotBlocked)
| fieldsadd NonQualysBlocked=if((like(SrcIP"64.39.106%") or like(SrcIP"154.59.121%") AND contains(InlineResultID,"0") or contains(InlineResultID,"4")),NonQualysBlocked)
| fieldsadd NonQualysNotBlocked=if((like(SrcIP"64.39.106%") or like(SrcIP"154.59.121.%") AND contains(InlineResultID,"0") or contains(InlineResultID,"4")),NonQualysNotBlocked)
| fieldsADD BlockedStatus = coalesce(QualysBlocked,QualysnotBlocked,NonQualysBlocked,NonQualysNotBlocked)
//| fieldsADD Blockedstatus = coalesce(QualysBlocked,QualysnonBlocked)
| summarize count() ,by:{market,BlockedStatus}

 

Labels:
0 Kudos
Reply
0 REPLIES 0
Ask a question

Featured Posts