topic How to edit my search to create a field using eval? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-create-a-field-using-eval/m-p/206347#M60051 <P>Currently working on an integration betweek Splunk and RSA Archer eGRC. We are working with the security operations model with the plan that when a Notable event triggers, the alerts and notable would then be forwarded to the SOC module within Archer. </P> <P>We have established connection and have shown that we can pass events between the two systems, but not with the provided templates to get the correct info over to Archer. </P> <P>Here is the very basic search we are using:</P> <PRE><CODE>sourcetype=cisco:asa eventtype="Justin Test" | stats count by _time | where count&gt;=1 | eval _raw="CEF:0|Splunk|Splunk|6.0.1|20|This incident is based on the aggregation criteria Source where Source is " + source + "|3|RCFApplicationName=secops aggregationcriteria=splunk-source-" + source + " sourcetype=" + sourcetype + " msg=Grouped by source - "+ source + " hosts=" + host + " rt=" + _time + " act=" + action + " eventsource=" + source + " eventtype=" + type + " externalId=" + session_id + " src=" + src + " sourcedomain=" + src_dns + " smac=" + src_mac + " dst=" + dest + " destinationdomain=" + dest_dns + " dmac=" + dest_mac + " deviceip=" + dvc </CODE></PRE> <P>This creates the <STRONG>_raw</STRONG> feld and includes the data there following. This is where our issue lies. With the full search provided, it does not create the eval field. If I remove everything after the first closing quotation marks it will create the _raw field. I think the first issue arrises with the " + source +" </P> <P>Any thoughts? I believe this syntax was written for 6.0.1 and thus perhaps the eval command has changed since then? Just spitballing and wanted to get another set of eyes. </P> Thu, 04 Aug 2016 21:13:25 GMT jph11 2016-08-04T21:13:25Z How to edit my search to create a field using eval? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-create-a-field-using-eval/m-p/206347#M60051 <P>Currently working on an integration betweek Splunk and RSA Archer eGRC. We are working with the security operations model with the plan that when a Notable event triggers, the alerts and notable would then be forwarded to the SOC module within Archer. </P> <P>We have established connection and have shown that we can pass events between the two systems, but not with the provided templates to get the correct info over to Archer. </P> <P>Here is the very basic search we are using:</P> <PRE><CODE>sourcetype=cisco:asa eventtype="Justin Test" | stats count by _time | where count&gt;=1 | eval _raw="CEF:0|Splunk|Splunk|6.0.1|20|This incident is based on the aggregation criteria Source where Source is " + source + "|3|RCFApplicationName=secops aggregationcriteria=splunk-source-" + source + " sourcetype=" + sourcetype + " msg=Grouped by source - "+ source + " hosts=" + host + " rt=" + _time + " act=" + action + " eventsource=" + source + " eventtype=" + type + " externalId=" + session_id + " src=" + src + " sourcedomain=" + src_dns + " smac=" + src_mac + " dst=" + dest + " destinationdomain=" + dest_dns + " dmac=" + dest_mac + " deviceip=" + dvc </CODE></PRE> <P>This creates the <STRONG>_raw</STRONG> feld and includes the data there following. This is where our issue lies. With the full search provided, it does not create the eval field. If I remove everything after the first closing quotation marks it will create the _raw field. I think the first issue arrises with the " + source +" </P> <P>Any thoughts? I believe this syntax was written for 6.0.1 and thus perhaps the eval command has changed since then? Just spitballing and wanted to get another set of eyes. </P> Thu, 04 Aug 2016 21:13:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-create-a-field-using-eval/m-p/206347#M60051 jph11 2016-08-04T21:13:25Z Re: How to edit my search to create a field using eval? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-create-a-field-using-eval/m-p/206348#M60052 <P>You <CODE>stats</CODE> command is the issue. After the stats command you are only left with <CODE>count</CODE> and <CODE>_time</CODE> fields. So none of the other fields exist. Try this</P> <PRE><CODE>sourcetype=cisco:asa eventtype="Justin Test" | eval _raw="CEF:0|Splunk|Splunk|6.0.1|20|This incident is based on the aggregation criteria Source where Source is " + source + "|3|RCFApplicationName=secops aggregationcriteria=splunk-source-" + source + " sourcetype=" + sourcetype + " msg=Grouped by source - "+ source + " hosts=" + host + " rt=" + _time + " act=" + action + " eventsource=" + source + " eventtype=" + type + " externalId=" + session_id + " src=" + src + " sourcedomain=" + src_dns + " smac=" + src_mac + " dst=" + dest + " destinationdomain=" + dest_dns + " dmac=" + dest_mac + " deviceip=" + dvc | stats count values(_raw) as _raw by _time | where count&gt;=1 | table _raw </CODE></PRE> Thu, 04 Aug 2016 21:33:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-create-a-field-using-eval/m-p/206348#M60052 sundareshr 2016-08-04T21:33:13Z