
I am looking for the following results.

  • India without scanner IP, blocked

  • India without scanner IP, non-blocked

  • India with scanner IP, blocked

  • India with scanner IP, non-blocked, where ip1,ip2 => Scanner IP

I have tried the following one, but it only shows the count for "india without scanner IP blocked".

| eval BlockedStatus = case ( src !="ip1" OR src !="ip2.*" OR blocked=1,"india without scanner IP blocked", src !="ip1" OR src !="ip2*" OR  blocked=0 ,"india without scanner IP nonblocked" ,src ="ip1" OR src ="ip2" OR blocked=1,"india with scanner IP blocked", src ="ip1" OR src ="ip2" OR blocked=0 ," india with scanner Ip non blocked ")
| stats count by eventtype,BlockedStatus 
| rename eventtype as "Local Market",count as "Total Critical Events"

1 Answer


The logic in the case statement is wrong. Almost everything will match src!=ip1 OR src!=ip2 OR blocked=1. I think some of the ORs should be ANDs, and some parentheses are needed.

Perhaps this is closer to what is intended?

eval BlockedStatus = case ( src !="ip1" AND src !="ip2" AND 
  blocked=1,"india without scanner IP blocked", src !="ip1" AND src !="ip2" AND 
  blocked=0 ,"india without scanner IP nonblocked" ,(src ="ip1" OR src ="ip2")
  AND blocked=1,"india with scanner IP blocked", (src ="ip1" OR src ="ip2") AND
  blocked=0 ," india with scanner Ip non blocked ", 1==1, "Error")
| stats count by eventtype,BlockedStatus 
| rename eventtype as "Local Market",count as "Total Critical Events"
Answered 2021-01-12T13:22:25.743
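To make the answer's point concrete, the following added example (not part of the question or the answer above) re-implements both versions of the case() expression in Python with the same first-match-wins semantics that SPL's case() uses, and runs them over a handful of constructed events. The scanner addresses "ip1" and "ip2" and the sample source IPs are placeholders, as in the question.

```python
# SPL-style case(): evaluate (condition, label) pairs in order, first true
# condition wins; with no match SPL returns null, modelled here as None.
def spl_case(*pairs):
    for cond, label in pairs:
        if cond:
            return label
    return None


# Placeholder scanner addresses taken from the question (not real IPs).
SCANNER_IPS = ("ip1", "ip2")


def classify_original(src, blocked):
    """The questioner's expression, transcribed clause by clause.

    Because 'src != ip1 OR src != ip2.*' is true for every value of src
    (no single value equals both literals), the first clause always fires.
    """
    return spl_case(
        (src != "ip1" or src != "ip2.*" or blocked == 1, "india without scanner IP blocked"),
        (src != "ip1" or src != "ip2*" or blocked == 0, "india without scanner IP nonblocked"),
        (src == "ip1" or src == "ip2" or blocked == 1, "india with scanner IP blocked"),
        (src == "ip1" or src == "ip2" or blocked == 0, "india with scanner Ip non blocked"),
    )


def classify_fixed(src, blocked):
    """The answer's corrected expression: ANDs between conditions, the two
    scanner matches grouped with parentheses, and a 1==1 catch-all."""
    is_scanner = src in SCANNER_IPS
    return spl_case(
        (not is_scanner and blocked == 1, "india without scanner IP blocked"),
        (not is_scanner and blocked == 0, "india without scanner IP nonblocked"),
        (is_scanner and blocked == 1, "india with scanner IP blocked"),
        (is_scanner and blocked == 0, "india with scanner Ip non blocked"),
        (True, "Error"),  # 1==1: anything that slipped through the buckets above
    )


# Constructed sample events; the last one has no 'blocked' field, which the
# catch-all in the fixed expression surfaces as "Error" instead of hiding.
EVENTS = [
    {"src": "10.0.0.5", "blocked": 1},
    {"src": "10.0.0.6", "blocked": 0},
    {"src": "ip1", "blocked": 1},
    {"src": "ip2", "blocked": 0},
    {"src": "ip2", "blocked": 1},
    {"src": "10.0.0.7", "blocked": None},
]


def count_by_status(classifier, events):
    """Equivalent of '| stats count by BlockedStatus' for one classifier."""
    counts = {}
    for ev in events:
        label = classifier(ev["src"], ev["blocked"])
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print("original:", count_by_status(classify_original, EVENTS))
    print("fixed:   ", count_by_status(classify_fixed, EVENTS))
```

Running it shows the symptom from the question directly: the original expression puts all six events into "india without scanner IP blocked", while the corrected one spreads them across the four intended buckets and flags the event with a missing blocked field as "Error".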