Hi everyone,
I am trying to search for a file path (e.g. C:\Finance\Salary) but the result returns nothing. It works if I type C:\\Finance\\Salary directly, but it does not work if I pass it through a variable, although the variable shows the correct value.
index=wineventlog EventCode=4660 OR EventCode=4663 Account_Name!="ANONYMOUS LOGON" host="PTL*" Account_Name!="*$"
| eval FilePath=urldecode("C%3A%5CFinance%5CSalary")
| eval FilePath=replace(ObjectName,"\\\\","\\\\\\")
| search Object_Name=FilePath
| dedup _time host Account_Name Account_Domain Object_Name Accesses EventCodeDescription
| table _time host Account_Name Account_Domain Object_Name FilePath Accesses EventCodeDescription
| sort _time desc
The search below will show results if I replace the eval with:
|eval Object_Name="C:\\Finance\\Salary"
Just noticed.
In your original query
| eval FilePath=urldecode("C%3A%5CFinance%5CSalary") | eval FilePath=replace(ObjectName,"\\\\","\\\\\\") | search Object_Name=FilePath
You're setting FilePath in 1st line
Then setting it again in the next line?
Should second line be ?
| eval Object_Name = replace(ObjectName etc etc
Try where instead of search; it's easier to determine if Splunk is looking for an Object_Name with the value "FilePath", or if it's looking for an Object_Name field with the same value as the FilePath field you created.
i.e.
where Object_Name==FilePath
Otherwise you could use regex
where match(Object_Name,"^C\:\\Finance\\Salary")
Thanks for your response, but both of your suggestions do not work. Actually, I would like to decode the FilePath sent from the main dashboard to the drilldown dashboard. The urldecode shows the correct path and I put | eval FileName=replace(ObjectName,"\\\\","\\\\\\") to change it to "C:\\Finance\\Salary", but I don't know why there is no match for that. However, if I put |search Object_Name="C:\\Finance\\Salary" directly, then it shows matched results.
search can't compare field values. You should use where in that case.
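Putting the two answers together, here is the corrected drilldown search as an added example (not from any of the posts above). It assumes the main dashboard passes the URL-encoded path in a token named $path$ (an assumed name, not from the thread); the second eval that overwrote FilePath with a non-existent ObjectName field is dropped, and where compares field to field, so the urldecoded value (which already holds single backslashes) needs no backslash doubling.

```spl
index=wineventlog (EventCode=4660 OR EventCode=4663) host="PTL*"
    Account_Name!="ANONYMOUS LOGON" Account_Name!="*$"
| eval FilePath=urldecode("$path$")
| where Object_Name==FilePath
| dedup _time host Account_Name Account_Domain Object_Name Accesses EventCodeDescription
| table _time host Account_Name Account_Domain Object_Name FilePath Accesses EventCodeDescription
| sort - _time
```

Backslash doubling is only needed inside a quoted string literal (as in search Object_Name="C:\\Finance\\Salary"), because the literal parser treats \ as an escape; a field-to-field comparison in where never goes through that parser.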