Security

How to merge multiple evals into a single one using if(match)?

im_bharath
Path Finder

Hello everyone,

I have the SPL below that I am using:

index=abcde*
| eval logtype = if(match(_raw,".*?LTStamp.*?ConnID.*?Exp"),"browser"," ")
| eval logtype = if(match(_raw,".*?MT.*?CTime.*?MBy"),"admin"," ")
| eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?SID.*?InReason"),"useractivity"," ")
| eval logtype = if(match(_raw,".*?LTStamp.*?Cust.*?SID.*?SessType"),"appconnector"," ")
| eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?Uname.*?SID"),"userstatus"," ")

When I use this in a search, the new field "logtype" is created, but the field value is just empty with a count, and it is only taking the first eval statement and omitting the rest.

If I use only one eval statement, for example the 3rd eval statement "| eval logtype = if(match(_raw,".*?LTStamp.*?Customer.*?SID.*?InReason"),"useractivity"," ")", it gives me the value "useractivity" in the newly created "logtype" field.

Now,

my question is how I can join all these different eval statements into a single "eval" statement using the condition I have used in the SPL above,

[eval logtype = if(match,(regex), "X"," ")]

Note: the regexes (.*?LTStamp.*?ConnID.*?Exp) used in the match condition are hardcoded from the events we received into Splunk.

Or can we use any other condition such as CASE, LIKE etc., so that I can get all these field values (browser, adminlogs, useractivity, appconnector and userstatus) under the "logtype" field like I mentioned below.

logtype

Values          count    %
browser         xx       xx%
adminlogs       xx       xx%
useractivity    xx       xx%
appconnector    xx       xx%
userstatus      xx       xx%

Hope the above question makes sense; any help on this will be much appreciated.

Thanks...!!!

0 Karma
1 Solution

im_bharath
Path Finder

Hey @ITWhisperer 

Thank you for the solution you proposed for my question; however, I was able to get only two types. I also used the query below and was able to see the 5 types under "LOGTYPE":

index="your_index"  sourcetype="yoursourcetype"
| eval logtype = case(match(_raw, ".*?LTS.*?CID.*?Expo"),"browser",
match(_raw, ".*?LTS.*?Cust.*?SID.*?InReason"),"useractivity",
match(_raw, ".*?LTS.*?Cust.*?SID.*?STp"),"appconnector",
match(_raw, "[^\{]+\{\"LTS\"\:\s+\"[^\,]+\,\"Cust\"\:\s+\"[^\,]+\,\"Username\"\:\s+[^\,]+\,\"SID\"\:\s+\"[^\,]+"),"userstatus",
match(_raw, "[^\{]+\{\"MT\"\:\s+\"[^\,]+\,\"CT\"\:\"[^\,]+\,\"MB\"\:[^\,]+"),"adminlogs")


0 Karma


ITWhisperer
SplunkTrust

The case function works left to right, so you should put your most specific tests towards the beginning and your more general tests towards the end. Without access to your data, I cannot advise on what order to put the tests further than that; it is something you will need to determine by examining and testing with your data.
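As an added illustration (not code from the thread or from Splunk), the Python below reproduces on constructed sample events the two behaviours discussed in this thread: the question's chain of separate `if()` evals, where each eval reassigns `logtype`, and `case()`, where arms are tested left to right and the first true one wins, so arm order decides the result for events that match more than one pattern. The event strings and the `classify` helper are constructed for this example; the patterns are the five from the question.

```python
import re

# Constructed sample events (not from the thread), shaped like the JSON-style
# log lines the question's regexes look for; one event per expected logtype.
SAMPLE_EVENTS = [
    '{"LTStamp": "t1", "ConnID": "c1", "Exp": "2024-02-01"}',
    '{"MT": "audit", "CTime": "12:00", "MBy": "admin1"}',
    '{"LTStamp": "t2", "Customer": "acme", "SID": "s1", "InReason": "login"}',
    '{"LTStamp": "t3", "Cust": "acme", "SID": "s2", "SessType": "vpn"}',
    '{"LTStamp": "t4", "Customer": "acme", "Uname": "bob", "SID": "s3"}',
]

# (pattern, label) pairs in the order the question lists its five evals.
RULES = [
    (r".*?LTStamp.*?ConnID.*?Exp", "browser"),
    (r".*?MT.*?CTime.*?MBy", "admin"),
    (r".*?LTStamp.*?Customer.*?SID.*?InReason", "useractivity"),
    (r".*?LTStamp.*?Cust.*?SID.*?SessType", "appconnector"),
    (r".*?LTStamp.*?Customer.*?Uname.*?SID", "userstatus"),
]


def chained_if(raw, rules=RULES):
    """Five separate `eval logtype = if(match(_raw, P), X, " ")` in a row:
    every eval reassigns logtype, so only the LAST rule's verdict survives
    and every other event ends up with the blank string."""
    logtype = None
    for pattern, label in rules:
        logtype = label if re.search(pattern, raw) else " "
    return logtype


def case_match(raw, rules=RULES):
    """`eval logtype = case(match(_raw, P1), X1, match(_raw, P2), X2, ...)`:
    arms are tested left to right and the first true arm wins. With no
    default arm, an event matching nothing gets null (None here)."""
    for pattern, label in rules:
        if re.search(pattern, raw):
            return label
    return None


def classify(events, fn, rules=RULES):
    """Apply one classifier to every event, like eval over a result set."""
    return [fn(e, rules) for e in events]
```

Passing `list(reversed(RULES))` to `case_match` for an event that contains both "InReason" and "SessType" flips the verdict from "useractivity" to "appconnector", which is the ordering effect described above.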

im_bharath
Path Finder

Hey @ITWhisperer , 

I understand there is only so much you can do without access to the data, but I really appreciate your help since it was the starting point for me. I mean, with your suggestion I tried different things and finally was able to get the solution. Thank you..!!

0 Karma

ITWhisperer
SplunkTrust

Use the case() function rather than the if() function

im_bharath
Path Finder

Hi @ITWhisperer,

I did use case(), but I am getting an error: "Error in 'eval' command: The expression is malformed. Expected )."

eval logtype = case(('browser',".*?LTS.*?CID.*?Expo"),('adminlogs',".*?MT.*?CT.*?MB"),('useractivity',"*?LTS.*?Cust.*?SID.*?InReason"),('appconnector',".*?LTS.*?Cust.*?SID.*?STp"),('userstatus',".*?LTS.*?Cust.*?Uname.*?SessionID"))

I don't have a clue as to what I missed here.

0 Karma

ITWhisperer
SplunkTrust

Try more like this:

| eval logtype = case(match(_raw, ".*?LTS.*?CID.*?Expo"),"browser", match(_raw, ".*?MT.*?CT.*?MB"),"adminlogs", match(_raw, ".*?LTS.*?Cust.*?SID.*?InReason"),"useractivity", match(_raw, ".*?LTS.*?Cust.*?SID.*?STp"),"appconnector", match(_raw, ".*?LTS.*?Cust.*?Uname.*?SessionID"), "userstatus")

im_bharath
Path Finder

Hello @ITWhisperer , 

I tried using the SPL you gave me (of course modified accordingly) and I could get the values for two types of the entries, so I plan to test this using sample data including all types of events, and will let you know if it works or not.

0 Karma