Getting Data In

Are there limitations on using the searchmatch() eval function in props.conf?

responsys_cm
Builder

I have the following eval statement:

| eval aaa=case(
    action=="opened","success",
    action=="closed","success",
    action=="succeeded","success",
    action=="failed","failure",
    action=="Accepted","success",
    action=="Invalid","failure",
    searchmatch("error trying to bind as user"),"failure",
    action=="new user","created",
    action=="new group","created",
    action=="add" AND app=="usermod","modified",
    action=="removed" AND app="gpasswd","modified",
    app=="usermodd" AND action=="change","modified",
    app=="usermod" AND action=="lock","modified",
    searchmatch("setting system clock"),"success",
    action=="clock_sync","success",
    app=="chage" and action=="changed","modified",
    app=="aide" AND action="created","added",
    app=="aide" AND action=="changed","modified",
    app=="aide" AND action=="removed","deleted",
    app=="ip route" AND action=="add","added",
    searchmatch("changed password expiry"),"modified",
    searchmatch("ip route add"),"added",
    searchmatch("ip route del"),"deleted",
    searchmatch("ip route replace"),"modified",
    useradd_action=="new user" OR useradd_action=="new group","added",
    action=="Up" OR action=="up","modified",
    action=="Down" OR action=="down","modified")

If I use that statement in the search pipeline, it works. If I define it in an EVAL- statement in props.conf, it breaks completely. If I remove the searchmatch() statements, it works.

Is searchmatch() not supported in props.conf? If not, is there a workaround? I tried things like: _raw=="*my text*" and that didn't work either.

I understand searchmatch() is an alias for the match() statement. I tried using match() as well and that doesn't work either.

Any ideas?

0 Karma

woodcock
Esteemed Legend

Try this:

| eval aaa=case(
    action=="opened","success",
    action=="closed","success",
    action=="succeeded","success",
    action=="failed","failure",
    action=="Accepted","success",
    action=="Invalid","failure",
    match(_raw, "(?i)error trying to bind as user"),"failure",
    action=="new user","created",
    action=="new group","created",
    action=="add" AND app=="usermod","modified",
    action=="removed" AND app="gpasswd","modified",
    app=="usermodd" AND action=="change","modified",
    app=="usermod" AND action=="lock","modified",
    match(_raw, "(?i)setting system clock"),"success",
    action=="clock_sync","success",
    app=="chage" and action=="changed","modified",
    app=="aide" AND action="created","added",
    app=="aide" AND action=="changed","modified",
    app=="aide" AND action=="removed","deleted",
    app=="ip route" AND action=="add","added",
    match(_raw, "(?i)changed password expiry"),"modified",
    match(_raw, "(?i)ip route add"),"added",
    match(_raw, "(?i)ip route del"),"deleted",
    match(_raw, "(?i)ip route replace"),"modified",
    useradd_action=="new user" OR useradd_action=="new group","added",
    action=="Up" OR action=="up","modified",
    action=="Down" OR action=="down","modified")
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...