Hello everyone,
I have the below SPL that I am using:
index=abcde*
| eval logtype = if(match(_raw,".*?LTStamp.*?ConnID.*?Exp"),"browser"," ")
| eval logtype = if(match(_raw,".*?MT.*?CTime.*?MBy"),"admin"," ")
| eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?SID.*?InReason"),"useractivity"," ")
| eval logtype = if(match(_raw,".*?LTStamp.*?Cust.*?SID.*?SessType"),"appconnector"," ")
| eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?Uname.*?SID"),"userstatus"," "),
When I use this in a search, the new field "logtype" is created, but the field value is just empty with a count, and it is only taking the first eval statement and omitting the rest.
If I use only one eval statement, for example the 3rd one, "| eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?SID.*?InReason"),"useractivity"," ")", it gives me the value "useractivity" against the newly created "logtype" field.
Now,
my question is how I can join all these different eval statements into a single "eval" statement using the condition I have used in the SPL above,
[eval logtype = if(match,(regex), "X"," ")]
Note: the regexes (.*?LTStamp.*?ConnID.*?Exp) used in the match condition are hardcoded from the events we received into Splunk.
Or can we use any other condition such as CASE, LIKE, etc., so that I can get all these field values (browser, adminlogs, useractivity, appconnector and userstatus) under the "logtype" field like I mentioned below?
logtype
Values          count   %
browser         xx      xx%
adminlogs       xx      xx%
useractivity    xx      xx%
appconnector    xx      xx%
userstatus      xx      xx%
Hope the above question makes sense, any help on this will be much appreciated.
Thanks...!!!
Hey @ITWhisperer
Thank you for the solution you proposed for my question; however, I was able to get only two types. I have also used the below query and was able to see the 5 types under "LOGTYPE":
index="your_index" sourcetype="yoursourcetype"
| eval logtype = case(match(_raw, ".*?LTS.*?CID.*?Expo"),"browser",
match(_raw, ".*?LTS.*?Cust.*?SID.*?InReason"),"useractivity",
match(_raw, ".*?LTS.*?Cust.*?SID.*?STp"),"appconnector",
match(_raw, "[^\{]+\{\"LTS\"\:\s+\"[^\,]+\,\"Cust\"\:\s+\"[^\,]+\,\"Username\"\:\s+[^\,]+\,\"SID\"\:\s+\"[^\,]+"),"userstatus",
match(_raw, "[^\{]+\{\"MT\"\:\s+\"[^\,]+\,\"CT\"\:\"[^\,]+\,\"MB\"\:[^\,]+"),"adminlogs")
The case function works left to right, so you should put your most specific tests towards the beginning and your more general tests towards the end. Without access to your data, I cannot advise on what order to put the tests further than that, it is something you will need to determine by examining and testing with your data.
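As an added illustration that is not part of the thread, the following Python emulation runs both SPL forms over constructed sample events: the chained if() evals collapse to whatever the last eval decides, while case() stops at the first true test, so a general pattern placed early shadows the specific ones after it. The event shapes, patterns and function names are my own assumptions modelled on the labels used in the thread.

```python
import re

# Constructed sample events (not from the thread): JSON-ish payloads whose
# key order is what the thread's regexes key on.
SAMPLE_EVENTS = [
    '2024-01-01 {"LTS": "t1", "CID": "c1", "Expo": "y"}',
    '2024-01-01 {"MT": "m1", "CT":"t2", "MB": 3}',
    '2024-01-01 {"LTS": "t3", "Cust": "acme", "SID": "s1", "InReason": "login"}',
    '2024-01-01 {"LTS": "t4", "Cust": "acme", "SID": "s2", "STp": "web"}',
    '2024-01-01 {"LTS": "t5", "Cust": "acme", "Uname": "bob", "SID": "s3"}',
    '2024-01-01 {"other": "unrelated"}',
]

# Ordered (pattern, label) tests, most specific first, as case() evaluates them.
CASE_TESTS = [
    (r".*?LTS.*?CID.*?Expo", "browser"),
    (r".*?MT.*?CT.*?MB", "adminlogs"),
    (r".*?LTS.*?Cust.*?SID.*?InReason", "useractivity"),
    (r".*?LTS.*?Cust.*?SID.*?STp", "appconnector"),
    (r".*?LTS.*?Cust.*?Uname.*?SID", "userstatus"),
]

# A general test placed first: it matches every customer event, so the three
# specific customer labels after it can never be reached.
SHADOWED_TESTS = [(r".*?LTS.*?Cust.*?SID", "any-customer")] + CASE_TESTS


def chained_if(raw, tests):
    """Emulates a sequence of `eval logtype = if(match(_raw, p), label, " ")`.
    Each eval overwrites the previous value, so only the last test counts."""
    logtype = None
    for pattern, label in tests:
        logtype = label if re.search(pattern, raw) else " "
    return logtype


def case_first_match(raw, tests, default=" "):
    """Emulates `eval logtype = case(match(_raw, p1), l1, match(_raw, p2), l2, ...)`.
    The first true test wins; later tests are never evaluated."""
    for pattern, label in tests:
        if re.search(pattern, raw):
            return label
    return default


def classify(events, classifier, tests):
    """Apply one classifier to every event and return the logtype column."""
    return [classifier(event, tests) for event in events]
```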
Hey @ITWhisperer ,
I understand there is only so much you can do without access to the data, but I really appreciate your help since it was the starting point for me. I mean, with your suggestion I tried different things and finally was able to get the solution. Thank you..!!
Use the case() function rather than the if() function
hi @ITWhisperer ,
I did use case(), but I am getting an error: "Error in 'eval' command: The expression is malformed. Expected )."
eval logtype = case(('browser',".*?LTS.*?CID.*?Expo"),('adminlogs',".*?MT.*?CT.*?MB"),('useractivity',"*?LTS.*?Cust.*?SID.*?InReason"),('appconnector',".*?LTS.*?Cust.*?SID.*?STp"),('userstatus',".*?LTS.*?Cust.*?Uname.*?SessionID")),
Don't have a clue as to what I missed here.
Try more like this
| eval logtype = case(match(_raw, ".*?LTS.*?CID.*?Expo"),"browser", match(_raw, ".*?MT.*?CT.*?MB"),"adminlogs", match(_raw, ".*?LTS.*?Cust.*?SID.*?InReason"),"useractivity", match(_raw, ".*?LTS.*?Cust.*?SID.*?STp"),"appconnector", match(_raw, ".*?LTS.*?Cust.*?Uname.*?SessionID"), "userstatus")
Hello @ITWhisperer ,
I tried using the SPL you gave me (of course modified accordingly) and I could get the values for two types of entries, so I plan to test this using sample data including all types of events, and will let you know whether it works or not.