topic Re: help correct eval command in Splunk Search

help correct eval command

olawalePS — Mon, 06 Nov 2023 15:29:57 GMT

Please help me correct the command below. It keeps returning all the devices as no even though the app is installed.

index="jamf" sourcetype="jssUapiComputer:computerGeneral" | dedup computer_meta.serial | rename computerGeneral.lastContactTime AS lastContactTime | eval timestamp = strptime(lastContactTime, "%Y-%m-%dT%H:%M:%S.%3QZ") | eval sixtyDaysAgo = relative_time(now(), "-60d") | where timestamp>sixtyDaysAgo | eval installed=if(computer_meta.serial IN [ search index="jamf" computer_meta.managed="true" sourcetype="jssUapiComputer:app" app.name="VMware CBCloud.app"| fields computer_meta.serial], "Yes", "No") | table computer_meta.name, installed

Re: help correct eval command

ITWhisperer — Mon, 06 Nov 2023 15:44:39 GMT

Try something like this

index="jamf" sourcetype="jssUapiComputer:computerGeneral" | dedup computer_meta.serial | rename computerGeneral.lastContactTime AS lastContactTime | eval timestamp = strptime(lastContactTime, "%Y-%m-%dT%H:%M:%S.%3QZ") | eval sixtyDaysAgo = relative_time(now(), "-60d") | where timestamp>sixtyDaysAgo | eval installed=if(computer_meta.serial IN ([ search index="jamf" computer_meta.managed="true" sourcetype="jssUapiComputer:app" app.name="VMware CBCloud.app"| stats count by computer_meta.serial | eval search="\"".'computer_meta.serial'."\"" | stats values(search) as search | eval search = mvjoin(search,",")]), "Yes", "No") | table computer_meta.name, installed

Re: help correct eval command

gcusello — Mon, 06 Nov 2023 15:46:21 GMT

Hi @olawalePS,

rename computer_meta.serial

index="jamf" sourcetype="jssUapiComputer:computerGeneral" | dedup computer_meta.serial | rename computerGeneral.lastContactTime AS lastContactTime computer_meta.serial AS computer_meta_serial | eval timestamp = strptime(lastContactTime, "%Y-%m-%dT%H:%M:%S.%3QZ") | eval sixtyDaysAgo = relative_time(now(), "-60d") | where timestamp>sixtyDaysAgo | eval installed=if(computer_meta_serial IN [ search index="jamf" computer_meta.managed="true" sourcetype="jssUapiComputer:app" app.name="VMware CBCloud.app"| rename computer_meta.serial AS computer_meta_serial | fields computer_meta_serial], "Yes", "No") | table computer_meta.name, installed

or use single quotes (').

I prefer to rename fields, even if is longer.

ciao.

Giuseppe

Re: help correct eval command

olawalePS — Mon, 06 Nov 2023 16:59:30 GMT

Renaming it did not change the results.

Re: help correct eval command

olawalePS — Mon, 06 Nov 2023 17:00:08 GMT

The results remained the same.

Re: help correct eval command

gcusello — Mon, 06 Nov 2023 17:06:29 GMT

Hi @olawalePS ,

are you sure about the time format?

could you share a sample of your logs?

Ciao.

Giuseppe

Re: help correct eval command

olawalePS — Mon, 06 Nov 2023 17:17:16 GMT

So I have attached to images

Computers that have checked-in in less than 60 days (274)

The subset of that that has CBC installed (270)

What I want now is a query to identify the 4 devices that do not have the app installed

Re: help correct eval command

gcusello — Tue, 07 Nov 2023 07:00:42 GMT

Hi @olawalePS ,

the issue is probably related to the time format: you have different formats in yout data: 1,2 or 3 digits in milliseconds, probably your eval command correctly extracts data only when it matchjes the correct format.

You sould try to normalize your data, sometimes like this:

| eval timestamp1=strptime(lastContactTime,"%Y-%m-%dT%H:%M:%S.%NZ"), timestamp2=strptime(lastContactTime,"%Y-%m-%dT%H:%M:%S.%2NZ"), timestamp2=strptime(lastContactTime,"%Y-%m-%dT%H:%M:%S.%3NZ") | eval timestamp=coalesce(timestamp1,timestamp2,timestamp3)

Ciao.

Giuseppe