topic Re: help on eval command in Splunk Search

help on eval command

jip31 — Thu, 14 Sep 2023 13:13:24 GMT

When I run the command below, it works fine

index=toto event_id=4688 | eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null)

Now I need to combine this search with a subearch

But i have the message "Error in "EvalCommand": The expression is malformed

What is wrong please?

Re: help on eval command

richgalloway — Thu, 14 Sep 2023 13:01:15 GMT

Remember that subsearches run first and their results become text that replace the subsearch in the query. So, if the subsearch returns "foo.exe" (the value of file_name) then the query becomes

index=toto event_id=4688 | eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null) foo.exe stats values(file_name) as file_name.....

See the problem? "foo.exe" and the following stats command are considered part of the eval command because there is no intervening |.

The fix depends on what you want the query to do.

Re: help on eval command

ITWhisperer — Thu, 14 Sep 2023 13:01:47 GMT

You can't use subsearches in this way.

What are you trying to achieve?

Re: help on eval command

jip31 — Thu, 14 Sep 2023 13:12:53 GMT

I forgotten a pipe before stats

I need to cross the event_file field of the index (called NewProcessName) with the event_file field of the lookup

Re: help on eval command

richgalloway — Thu, 14 Sep 2023 14:09:54 GMT

Depending on what you mean by "cross", the search command may do the job.

Re: help on eval command

jip31 — Thu, 14 Sep 2023 15:35:50 GMT

I need to join the file_name field between subsearch and main search

Your example is like what I done but i have an error message like i said in my example

I have also tested to put a rex field just before the stats command, I have no error but also no results even if a common event exists between the main search and the subsearch.....

| rex field=NewProcessName "(?<file_name>\w+\w+\.exe)" | stats values(file_name) as file_name....

Re: help on eval command

richgalloway — Thu, 14 Sep 2023 17:03:03 GMT

Let's take a step back. What is the desired output of this query? Is it to list the file names that are in both the index and the lookup? Something else?

My latest example is *like* what you've already done, but is different and should have a different result. Have you run it? If so, what is the exact text of the error(s)?

Please eliminate the ellipsis in the stats command. The behavior of the command can change depending on the hidden arguments.