I have the following eval statement:
| eval aaa=case(
action=="opened","success",
action=="closed","success",
action=="succeeded","success",
action=="failed","failure",
action=="Accepted","success",
action=="Invalid","failure",
searchmatch("error trying to bind as user"),"failure",
action=="new user","created",
action=="new group","created",
action=="add" AND app=="usermod","modified",
action=="removed" AND app="gpasswd","modified",
app=="usermodd" AND action=="change","modified",
app=="usermod" AND action=="lock","modified",
searchmatch("setting system clock"),"success",
action=="clock_sync","success",
app=="chage" and action=="changed","modified",
app=="aide" AND action="created","added",
app=="aide" AND action=="changed","modified",
app=="aide" AND action=="removed","deleted",
app=="ip route" AND action=="add","added",
searchmatch("changed password expiry"),"modified",
searchmatch("ip route add"),"added",
searchmatch("ip route del"),"deleted",
searchmatch("ip route replace"),"modified",
useradd_action=="new user" OR useradd_action=="new group","added",
action=="Up" OR action=="up","modified",
action=="Down" OR action=="down","modified")
If I use that statement in the search pipeline, it works. If I define it in an EVAL- statement in props.conf, it breaks completely. If I remove the searchmatch() statements, it works.

Is searchmatch() not supported in props.conf? If not, is there a workaround? I tried things like: _raw=="*my text*" and that didn't work either.

I understand searchmatch() is an alias for the match() statement. I tried using match() as well and that doesn't work either.

Any ideas?
Try this:
| eval aaa=case(
action=="opened","success",
action=="closed","success",
action=="succeeded","success",
action=="failed","failure",
action=="Accepted","success",
action=="Invalid","failure",
match(_raw, "(?i)error trying to bind as user"),"failure",
action=="new user","created",
action=="new group","created",
action=="add" AND app=="usermod","modified",
action=="removed" AND app="gpasswd","modified",
app=="usermodd" AND action=="change","modified",
app=="usermod" AND action=="lock","modified",
match(_raw, "(?i)setting system clock"),"success",
action=="clock_sync","success",
app=="chage" and action=="changed","modified",
app=="aide" AND action="created","added",
app=="aide" AND action=="changed","modified",
app=="aide" AND action=="removed","deleted",
app=="ip route" AND action=="add","added",
match(_raw, "(?i)changed password expiry"),"modified",
match(_raw, "(?i)ip route add"),"added",
match(_raw, "(?i)ip route del"),"deleted",
match(_raw, "(?i)ip route replace"),"modified",
useradd_action=="new user" OR useradd_action=="new group","added",
action=="Up" OR action=="up","modified",
action=="Down" OR action=="down","modified")
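For reference, here is what the match()-based version looks like once it is moved into props.conf as a calculated field. This is an added example, not code from either post: the sourcetype name linux_secure is assumed, usermodd is assumed to be a typo for usermod, and a final true() branch is added so that events the case() does not recognise get an explicit "unknown" instead of a null aaa (a null status field silently drops those events from any search or alert that filters on aaa). A props.conf setting is one key = value pair, so the whole expression is written on a single line. Calculated fields are evaluated after search-time field extractions and field aliases, so action, app and useradd_action must already exist as extracted fields; they cannot themselves be other calculated fields.

```ini
# Added example (not from the original post). Assumes sourcetype "linux_secure"
# and that action, app and useradd_action are search-time extracted fields.
# match(_raw, "(?i)...") is a case-insensitive regex over the raw event, which
# is what searchmatch() was being used for in the search-pipeline version.
[linux_secure]
EVAL-aaa = case(action=="opened","success", action=="closed","success", action=="succeeded","success", action=="failed","failure", action=="Accepted","success", action=="Invalid","failure", match(_raw,"(?i)error trying to bind as user"),"failure", action=="new user","created", action=="new group","created", action=="add" AND app=="usermod","modified", action=="removed" AND app=="gpasswd","modified", app=="usermod" AND action=="change","modified", app=="usermod" AND action=="lock","modified", match(_raw,"(?i)setting system clock"),"success", action=="clock_sync","success", app=="chage" AND action=="changed","modified", app=="aide" AND action=="created","added", app=="aide" AND action=="changed","modified", app=="aide" AND action=="removed","deleted", app=="ip route" AND action=="add","added", match(_raw,"(?i)changed password expiry"),"modified", match(_raw,"(?i)ip route add"),"added", match(_raw,"(?i)ip route del"),"deleted", match(_raw,"(?i)ip route replace"),"modified", useradd_action=="new user" OR useradd_action=="new group","added", action=="Up" OR action=="up","modified", action=="Down" OR action=="down","modified", true(),"unknown")
```

Because this is a search-time setting it belongs on the search head (or in the app's local/props.conf there). After reloading the configuration, a quick check that every event is being classified is `sourcetype=linux_secure | stats count by aaa`; anything landing in "unknown" is a log format the case() has not been taught yet rather than an event that quietly vanished.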