topic Re: meaning of match("-24h@h","^\d") in Splunk Search

meaning of match("-24h@h","^\d")

astatrial — Wed, 06 Feb 2019 11:29:57 GMT

Hello
I have a query that create a field with a value i can't fully understand :
eval earliestQual=match("-24h@h","^\d") .

I understand that the result is the last day, but i don't understand the meaning of the expression "-24h@h" . It is not a field, so what is it, and where does it gets its value .

Thanks !!

Re: meaning of match("-24h@h","^\d")

vishaltaneja070 — Wed, 06 Feb 2019 11:52:34 GMT

Hello @astatrial

The above command is matching two values and the result will always be False. As there are one string and one regex need to compared. so it is just matching the value based on regex. And the regex need only first character as a digit, which is not the case with "-24h@h".

Re: meaning of match("-24h@h","^\d")

vishaltaneja070 — Wed, 06 Feb 2019 11:53:37 GMT

In normal cases like where you mention earliest=-24h@h, in that case it the time range will go back to last 24 hours and snap the hour field.

Re: meaning of match("-24h@h","^\d")

renjith_nair — Wed, 06 Feb 2019 11:58:25 GMT

@astatrial ,

It doesn't seem to be a complete eval expression because:

Match returns a boolean and can not be assigned to a field.
-24h@h should be relative to a "time" - either current time (now()) or any other time field in epoch format.

Nevertheless, the meaning of this extract is

subsract 24hrs from the "time" and snap to the nearest hour. ( i.e. if the time is 06-Feb-2019 07:20 then -24h@h will result 05-Feb-2019 07:00)
Check whether the resulted time starts with a digit (not sure about the logic behind this check without knowing the full context)

Re: meaning of match("-24h@h","^\d")

astatrial — Wed, 06 Feb 2019 12:44:23 GMT

you are right.
It is not the complete eval expression.
The complete eval expression is :

| eval earliestQual=case(match("-24h@h", "^\d"), tostring("-24h@h"), match("-24h@h", "^([@+-]){1}"), relative_time(time(), "-24h@h"), true(), time())

I just didn't want to confuse you with non relevant info.

The second clause in your answer is exactly my question - This expression isn't relative to any time, so how it is getting its value ?

Re: meaning of match("-24h@h","^\d")

renjith_nair — Wed, 06 Feb 2019 13:11:23 GMT

@astatrial ,
In a plain text search , it does not make much sense. However , I strongly believe that its part of a dashboard with a time input in it. In that case, -24h@h is not a string value in the search but a token in the form $some_token$ which carries value from the time input and this eval statement tries to find out what the user has opted from the time input

Re: meaning of match("-24h@h","^\d")

jeffland — Wed, 06 Feb 2019 13:25:26 GMT

This code indeed looks familiar for a dashboard I've worked on once. I used eval in the change event of a time input in a case where I always needed an epoch value from the input, regardless of the actual selection (a time picker will return something like -1w for earliest if you select last week). It looked something like

<change>
  <eval token="time_earliest_alwaysepoch">case(match($value$, "^\d+"), $value$, match($value$, "[+-]\d+@?"), relative_time(now(), $value$)</eval>
</change>

This was to make sure I always had an epoch value in that token, and it led me to this discussion. I doubt your code makes sense, as @renjith.nair already pointed out in his comment.

Re: meaning of match("-24h@h","^\d")

astatrial — Tue, 29 Sep 2020 23:10:41 GMT

This eval is part of the "Endpoint - Anomalous New Processes" correlation search. There is no use of token in it.

|from inputlookup:"localprocesses_tracker" | eval earliestQual=case(match("-24h@h", "^\d"), tostring("-24h@h"), match("-24h@h", "^([@+-]){1}"), relative_time(time(), "-24h@h"), true(), time()) | eval latestQual=case(match("+0s", "^\d"), tostring("+0s"), match("+0s", "^([@+-]){1}"), relative_time(time(), "+0s"), true(), time()) | where ('firstTime'>=earliestQual AND 'firstTime'<=latestQual) | fields - earliestQual, latestQual | stats dc(dest) as "dest_count",values(dest) as "dest" by "process" | where 'dest_count'>9

What i thought is that this eval calculate a time value of the last 24 hours in specific pattern depending on how the time is represented (i.e in the time picker). But i didn't understand how the expression -24h@h knows to get this value.
Is it some kind of known phrase in splunk?

I really appreciate your help ! |

Re: meaning of match("-24h@h","^\d")

astatrial — Tue, 29 Sep 2020 23:05:51 GMT

@renjith.nair
For some reason i couldn't comment to you in your answer.

This eval is part of the correlation search - "Endpoint - Anomalous New Processes" :



|from inputlookup:"localprocesses_tracker" | eval earliestQual=case(match("-24h@h", "^\d"), tostring("-24h@h"),  match("-24h@h", "^([@+-]){1}"), relative_time(time(), "-24h@h"),  true(), time()) | eval latestQual=case(match("+0s", "^\d"), tostring("+0s"),  match("+0s", "^([@+-]){1}"), relative_time(time(), "+0s"),  true(), time()) | where ('firstTime'>=earliestQual AND 'firstTime'<=latestQual) | fields - earliestQual, latestQual | stats dc(dest) as "dest_count",values(dest) as "dest" by "process" | where 'dest_count'>9

What i thought is that this eval calculates a time value of the last 24 hours depending on how the source time is represented.
I just didn't understand how the -24h@h knows which time source to refer.

I appreciate your help!!

Re: meaning of match("-24h@h","^\d")

renjith_nair — Wed, 06 Feb 2019 15:35:52 GMT

@astatrial ,
If its part of Enterprise Security, it might be part of the macros. localprocesses_tracker has mainly information about the process history (dest,firstime,lasttime,process) . So most probably whatever you are seeing is an expanded search with values substituted.

Re: meaning of match("-24h@h","^\d")

woodcock — Fri, 08 Feb 2019 17:33:22 GMT

The search is obviously part of a drilldown because nobody in his right mind would create | eval earliestQual=match("-24h@h","^\d") so it probably started out as something like | eval earliestQual=match($field_selector_value$,"^\d"), which totally could happen and makes sense. Now, back to your question, what is it doing?. It is checking to see if the string that is being tested (in this case -24@h) begins with a digit (which in this case, it does not). Now, why is it doing that?. Who knows.