topic Re: EVAL issue in Splunk Search

EVAL issue

jsmith39 — Fri, 19 Jun 2015 13:30:03 GMT

I've extracted a field called QR from a sourcetype, and it's working perfectly, but is returning numerical data, and I need specific words for a Enterprise Security dashboard to work. When I type the following eval command into the search bar it works perfectly, but when I place it in props.conf it doesn't execute correctly (new field is not created):

sourcetype = MSAD:NT6:DNS | eval message_type = if(QR==0, "RESPONSE", "QUERY")

I'm wondering if I'm running into an order of precedence issue, where my EVAL is kicking off before a QR field is even created.
I have the following in my transforms and props files.

transforms.conf

[MSAD:NT6:DNS]
[dns_qr_extraction]
REGEX = (QR)\s+(\d)
FORMAT = $1::$2

props.conf

[MSAD:NT6:DNS]
REPORT-dns_qr_extraction = dns_qr_extraction
EVAL message_type = if(QR==0, "RESPONSE", QR==1, "QUERY", "UNKNOWN")

Re: EVAL issue

woodcock — Fri, 19 Jun 2015 13:32:59 GMT

You are missing a hyphen, try this:

EVAL-message_type = if(QR==0, "RESPONSE", QR==1, "QUERY", "UNKNOWN)

This mistake should have caused Splunk to give you an error every time you restart Splunk (which you probably did) so be sure to pay attention to the output EVERY time you restart Splunk!

Re: EVAL issue

jsmith39 — Fri, 19 Jun 2015 13:36:57 GMT

That was a format issue when I was typing into answers.splunk.com, thanks for replying though appreciate the thought.

Re: EVAL issue

woodcock — Fri, 19 Jun 2015 13:40:44 GMT

You also have a mismatch in your props.conf stanza header: [dns_qr_lookup_action] should be [dns_qr_extraction].

Re: EVAL issue

jsmith39 — Fri, 19 Jun 2015 13:52:20 GMT

Again, just being clumsy when putting my question on this website, in my server files, everything is typed correctly.

Re: EVAL issue

woodcock — Fri, 19 Jun 2015 14:08:12 GMT

You do see that I changed EVAL message_type to EVAL-message_type, right? I ask because you fixed your question (which I reformatted for clarity) for the other "wrong" answer but not for this one. Is perhaps this the actual problem?

Re: EVAL issue

jsmith39 — Mon, 28 Sep 2020 20:19:33 GMT

Thank you, you're right, I did miss turning EVAL message_type into EVAL-message_type.
Unfortunately this still isn't having the desired effect of creating a message_type field.

Re: EVAL issue

woodcock — Fri, 19 Jun 2015 14:35:37 GMT

You also do not need [MSAD:NT6:DNS] in transforms.conf so remove that.

Re: EVAL issue

woodcock — Fri, 19 Jun 2015 14:38:36 GMT

Is the QR field being crated for sure?

... | fields QR