Problem description
I am looking for the following results:
- India without scanner IP blocked
- India without scanner IP non-blocked
- India with scanner IP blocked
- India with scanner IP non-blocked (where ip1, ip2 => scanner IPs)
I tried the one below, but it only shows the count for "india without scanner IP blocked":
| eval BlockedStatus = case ( src !="ip1" OR src !="ip2.*" OR blocked=1,"india without scanner IP blocked",src !="ip1" OR src !="ip2*" OR blocked=0,"india without scanner IP nonblocked",src ="ip1" OR src ="ip2" OR blocked=1,"india with scanner IP blocked",src ="ip1" OR src ="ip2" OR blocked=0," india with scanner Ip non blocked ")
| stats count by eventtype,BlockedStatus
| rename eventtype as "Local Market",count as "Total Critical Events"
Solution
The logic in the case statement is wrong. Almost everything will match src!=ip1 OR src!=ip2 OR blocked=1. I think some of the ORs should be ANDs, and some parentheses are needed.
Maybe this is closer to what was intended?
| eval BlockedStatus = case(
    src!="ip1" AND src!="ip2" AND blocked=1, "india without scanner IP blocked",
    src!="ip1" AND src!="ip2" AND blocked=0, "india without scanner IP nonblocked",
    (src="ip1" OR src="ip2") AND blocked=1, "india with scanner IP blocked",
    (src="ip1" OR src="ip2") AND blocked=0, " india with scanner Ip non blocked ",
    1==1, "Error")
| stats count by eventtype,BlockedStatus
| rename eventtype as "Local Market",count as "Total Critical Events"
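As an added illustration, not part of the original question or answer, the Python below replays both case() expressions over a handful of constructed events (the src values, blocked flags and eventtype are made up for this example; ip1/ip2 stand in for the two scanner addresses named in the post). It mirrors SPL case() first-match semantics with an if-chain and the stats command with a Counter, so you can see why the OR version puts every event into the first bucket while the AND version splits them four ways.

```python
from collections import Counter

# Constructed sample events (not from the original post). src is the source IP,
# blocked is the firewall verdict (1 = blocked), eventtype is the market the
# post groups by. ip1/ip2 are placeholder scanner addresses, as in the post.
SCANNER_IPS = {"ip1", "ip2"}

EVENTS = [
    {"eventtype": "india", "src": "ip1",      "blocked": 1},
    {"eventtype": "india", "src": "ip2",      "blocked": 0},
    {"eventtype": "india", "src": "10.0.0.5", "blocked": 1},
    {"eventtype": "india", "src": "10.0.0.6", "blocked": 0},
    {"eventtype": "india", "src": "10.0.0.7", "blocked": 0},
]


def original_status(event):
    """The question's case() predicates, translated literally. Like SPL case(),
    the first true branch wins. 'src != "ip1" OR src != "ip2"' is true for
    every src (no value equals both), so the first branch takes every event."""
    src, blocked = event["src"], event["blocked"]
    if src != "ip1" or src != "ip2" or blocked == 1:
        return "india without scanner IP blocked"
    if src != "ip1" or src != "ip2" or blocked == 0:
        return "india without scanner IP nonblocked"
    if src == "ip1" or src == "ip2" or blocked == 1:
        return "india with scanner IP blocked"
    if src == "ip1" or src == "ip2" or blocked == 0:
        return "india with scanner Ip non blocked"
    return None  # SPL case() yields null when nothing matches


def fixed_status(event):
    """The answer's predicates: AND between the conditions, parentheses
    around the OR, and a catch-all last branch (the answer's 1==1, "Error")."""
    is_scanner = event["src"] in SCANNER_IPS
    blocked = event["blocked"] == 1
    if not is_scanner and blocked:
        return "india without scanner IP blocked"
    if not is_scanner and not blocked:
        return "india without scanner IP nonblocked"
    if is_scanner and blocked:
        return "india with scanner IP blocked"
    if is_scanner and not blocked:
        return "india with scanner Ip non blocked"
    return "Error"


def count_by_status(classifier, events=EVENTS):
    """Equivalent of '| stats count by eventtype,BlockedStatus'."""
    return dict(Counter((e["eventtype"], classifier(e)) for e in events))


if __name__ == "__main__":
    for name, clf in (("original", original_status), ("fixed", fixed_status)):
        print(f"--- {name} ---")
        for (market, status), n in sorted(count_by_status(clf).items()):
            print(f"{market:8} {status:40} {n}")
```

Two practitioner notes on the SPL itself. First, eval's `=` and `!=` compare strings literally, so `src!="ip2.*"` in the question tests against the literal text `ip2.*`; wildcards only apply in the search command. If the scanner source is really a prefix or a range, use `match(src, "^ip2")` or `cidrmatch("10.0.0.0/24", src)` inside the case() instead. Second, the `1==1, "Error"` catch-all is worth keeping: without it, an event whose blocked field is missing or not 0/1 gets a null BlockedStatus and silently disappears from the `stats count by` output, which is exactly the kind of gap you do not want in a report about which scanner traffic was and was not blocked.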