Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Search run to nothing when I passed a variable...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I am trying to search for a file path (e.g. C:\Finance\Salary) but the result return none. It works if I type directly C:\\Finance\\Salary but it does not work if I passed it to a variable. Although the variable shows correct value.
index=wineventlog EventCode=4660 OR EventCode=4663 Account_Name!="ANONYMOUS LOGON" host="PTL*" Account_Name!="*$"
| eval FilePath=urldecode("C%3A%5CFinance%5CSalary")
| eval FilePath=replace(ObjectName,"\\\\","\\\\\\")
| search Object_Name=FilePath
| dedup _time host Account_Name Account_Domain Object_Name Accesses EventCodeDescription
| table _time host Account_Name Account_Domain Object_Name FilePath Accesses EventCodeDescription
| sort _time desc
The below search will show result if I replace:
|eval Object_Name="C:\\Finance\\Salary"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just noticed.
In your original query
| eval FilePath=urldecode("C%3A%5CFinance%5CSalary")
| eval FilePath=replace(ObjectName,"\\\\","\\\\\\")
| search Object_Name=FilePath
You're setting FilePath in 1st line
Then setting it again in the next line?
Should second line be ?
| eval Object_Name = replace(ObjectName etc etc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try where instead of search, it's easier to determine if Splunk is looking for an Object_Name with the value FilePath, or if it's looking an Object_Name field with the same value as the FilePath field you created.
i.e.
where Object_Name==FilePath
Otherwise you could use regex
where match(Object_Name,"^C\:\\Finance\\Salary")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your response but both of your suggestions do not work. Actually, I would like to decode the FilePath with sent from the main dashboard to the drilldown dashboard. The urldecode shows correct path and I put | eval FileName=replace(ObjectName,"\\\\","\\\\\\") to change it to "C:\\Finance\\Salary" but don't know why there is no matched to that. However, if I put direct |search Object_Name="C:\\Finance\\Salary" then it shows matched results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just noticed.
In your original query
| eval FilePath=urldecode("C%3A%5CFinance%5CSalary")
| eval FilePath=replace(ObjectName,"\\\\","\\\\\\")
| search Object_Name=FilePath
You're setting FilePath in 1st line
Then setting it again in the next line?
Should second line be ?
| eval Object_Name = replace(ObjectName etc etc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search can't compare field values. you should use where at the case.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
