Splunk Search

Are hidden characters breaking my joins?

ttovarzoll
Path Finder

I am trying to build an Alert for login failures in AWS CloudTrail. In general I have it working -- but my joins are missing some of the desired events.  Specifically, I am building an 'index' value consisting of the username+IP, e.g.

| eval user_IP = username + src_ip

but I now see that some seemingly-identical values are being evaluated as separate. For instance, when you click on the Selected Values view (left-side in the results) there will be 2 separate entries which -- at least on-screen -- appear to be identical.

WHAT THE POPUP SHOWS

user_IP
2 Values, 100% of events

Values                Count
firstuser172.31.1.1   2
firstuser172.31.1.1   1

I suspect there is a hidden character in the second Value. Or, maybe a trailing space (though there is none when I try adding each to the search).

----

How can I modify my 'eval' to generate values without hidden characters?

(I already tried adding a lower() function but without success)


yuanliu
SplunkTrust
SplunkTrust

One way to check is to bracket the string.

| eval user_IP = ">" . username . src_ip . "<"


PickleRick
Ultra Champion

If I remember correctly, there were some issues with leading/trailing spaces when using the interesting fields. @yuanliu's idea is a way to verify it.


ttovarzoll
Path Finder

Aha! Yes, that's a good trick. At first I didn't understand how that would fix the problem, but then I realized that it was the perfect troubleshooting step -- and it demonstrated that there was a trailing space.

So, I have now modified my eval statement and confirmed that I am now receiving the missing events:

| eval user_IP = username . trim(src_ip)

I also had to add matching trim() statements to several other references to 'username' throughout the SPL query.

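The bracketing diagnostic and the trim() fix from this thread, as an added Python example that is not from the thread or from Splunk: over constructed CloudTrail-like events it builds the username+src_ip key, brackets each value the way yuanliu suggests, names the hidden code point, and normalizes the key. It goes beyond the thread's trailing-space case by also stripping non-breaking and zero-width characters, which a default trim() (spaces and tabs only) would leave in place.

```python
import unicodedata
from collections import Counter

# Constructed sample events (not from the thread): the same user and IP,
# but three of the values carry invisible trailing or embedded characters.
SAMPLE_EVENTS = [
    {"username": "firstuser", "src_ip": "172.31.1.1"},
    {"username": "firstuser", "src_ip": "172.31.1.1"},
    {"username": "firstuser", "src_ip": "172.31.1.1 "},        # trailing space
    {"username": "firstuser", "src_ip": "172.31.1.1\u200b"},   # zero-width space
    {"username": "firstuser\u00a0", "src_ip": "172.31.1.1"},   # non-breaking space
]

# Code points a default trim() does not remove but that still break equality.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\ufeff", "\u00a0"}


def bracket(value: str) -> str:
    """The diagnostic from the thread: make the string's true edges visible."""
    return ">" + value + "<"


def hidden_chars(value: str) -> list:
    """Return the code point of every whitespace, control or invisible
    character in the value, so the culprit can be named rather than guessed."""
    found = []
    for ch in value:
        if ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf") or ch in INVISIBLE:
            found.append("U+%04X" % ord(ch))
    return found


def normalize_key(username: str, src_ip: str) -> str:
    """Build the username+src_ip join key after dropping invisible code points
    anywhere in either field and stripping whitespace from both ends."""
    clean_user = "".join(ch for ch in username if ch not in INVISIBLE).strip()
    clean_ip = "".join(ch for ch in src_ip if ch not in INVISIBLE).strip()
    return clean_user + clean_ip


def count_keys(events, normalize: bool) -> Counter:
    """Group events by the join key, naively (as in the original eval) or
    after normalization; the naive grouping splits identical-looking keys."""
    keys = Counter()
    for e in events:
        key = normalize_key(e["username"], e["src_ip"]) if normalize else e["username"] + e["src_ip"]
        keys[key] += 1
    return keys


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        raw = e["username"] + e["src_ip"]
        print(bracket(raw), hidden_chars(raw))
    print(count_keys(SAMPLE_EVENTS, normalize=False))  # 4 distinct keys
    print(count_keys(SAMPLE_EVENTS, normalize=True))   # 1 key, count 5
```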