Help with search using eval and table?

oh_sechang — Wed, 04 Jan 2023 16:17:02 GMT

index="hx_vm" LogName="Microsoft-Windows-Sysmon/Operational" "EventCode=11" ComputerName=DESKTOP-933JR8B | eval {name} = replace("C:\Windows\SysWOW64\OneDriveSetup.exe","\", "\\") | search Image = name | table _time, TargetFilename

The variable usage part is difficult.

Re: query question

yuanliu — Wed, 04 Jan 2023 04:43:03 GMT

Where is the question? Three detail you need in a post: how does the data look like, what is it that you expect as result, what is the logic between data and expected result; if you post sample code, explain the result you get and why it doesn't meet requirements.

Looking at your sample code, I guess you do not mean | search Image = "name", because that's exactly what the code means. Anything on the right of an equal sign in a search command is a string. Try

index="hx_vm" LogName="Microsoft-Windows-Sysmon/Operational" "EventCode=11" ComputerName=DESKTOP-933JR8B | eval name = replace("C:\Windows\SysWOW64\OneDriveSetup.exe","\", "\\") | where Image == name | table _time, TargetFilename

topic Help with search using eval and table? in Splunk Search

Help with search using eval and table?

Re: query question