
Dropdown input token needs to match rex field in search

genesiusj
Builder

Hello,
I have searched Answers and will continue to search after I post this. I'm not sure I am entering the correct search terms.

I have an input dropdown (dynamic) on a dashboard. Note: this works with no issues.

     <input type="dropdown" token="sudoUserName">
        <label>Select a User ID.</label>
        <prefix>sudoID="</prefix>
        <suffix>"</suffix>
        <default>*</default>
        <choice value="*">All</choice>
        <fieldForLabel>sudoID</fieldForLabel>
        <fieldForValue>sudoID</fieldForValue>
        <search>
          <query>
            index=linuxevents process="sudo" AND "COMMAND="
            | rex field=_raw ".*sudo:\s(?&lt;SLMsudo&gt;.*$)"
            | rex field=SLMsudo "(?&lt;sudoID&gt;[A-Za-z0-9]+).*COMMAND=(?&lt;sudoCommand&gt;.*$)"
            | dedup sudoID
          </query>
          <earliest>$Selected_Time_Range.earliest$</earliest>
          <latest>$Selected_Time_Range.latest$</latest>
        </search>
     </input>

Problem:
I need to match the token sudoUserName to the field sudoID. However, the field sudoID is created while running the SPL below: rex on _raw creates SLMsudo, and from there another rex creates sudoID. I only want events where the sudoID matches the sudoUserName. (Apologies if I am repeating myself.)

Here is the code for that portion.

index=linuxevents process="sudo" AND "COMMAND=" AND $sudoUserName$
| rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
| rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
| eval sudoID=$sudoUserName$
| table SLMsudo, sudoID, host, sudoCommand, _time

The eval command is kicking off this error.
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([boolean expr], [expr], [expr]).

Please let me know if there is any other information you require.

Thanks and God bless,
Genesius

0 Karma
1 Solution

vnravikumar
Champion

Hi

Try the below query

index=linuxevents process="sudo" AND "COMMAND=" AND $sudoUserName$
 | rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
 | rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
 | where $sudoUserName$
 | table SLMsudo, sudoID, host, sudoCommand, _time

0 Karma

genesiusj
Builder

@vnravikumar
I had tried
| where $sudoUserName$
before. Forgot to list in the previous response.

However, this time, I also removed
AND $sudoUserName$
from the first line, and now it works.

It works for all possible values of sudoUserName except for All.

Thanks and God bless,
Genesius

0 Karma

genesiusj
Builder

@vnravikumar
Thanks for the answer. However, it still isn't working.
Here are the error messages from your command, and some others I tried.
From the dropdown in my original post (code) I selected root (sudoUserName). I've tried with other names in the dropdown list with the same errors.

| where sudoID=$sudoUserName$
Error in 'where' command: The operator at '="root" is invalid.

| where eval sudoID=$sudoUserName$
Error in 'where' command: The operator at 'sudoID=sudoID="root" is invalid.

| eval where sudoID=$sudoUserName$
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).

Thanks and God bless,
Genesius

0 Karma

vnravikumar
Champion

Hi

try exactly with | where $sudoUserName$

index=linuxevents process="sudo" AND "COMMAND="
  | rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
  | rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
  | where $sudoUserName$
  | table SLMsudo, sudoID, host, sudoCommand, _time

0 Karma

vnravikumar
Champion

hi

try with search instead of where in the query

| search $sudoUserName$

0 Karma

genesiusj
Builder

@vnravikumar
SEARCH worked over WHERE
Thanks and God bless,
Genesius

0 Karma
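To make the `search`-versus-`where` difference concrete, here is an added Python model (not Splunk code and not from anyone in this thread) that applies the two rex patterns from the question to constructed sudo syslog lines and then filters them with the expanded dropdown token. The sample events, `expand_token` and the two filter helpers are assumptions of this example; they model `search` as case-insensitive with `*` as a wildcard and `where` as exact string equality, which is why the "All" choice (`*`) only works with `search`.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events in the shape the dashboard search expects (not real log data).
SAMPLE_EVENTS = [
    "Sep  3 10:01:12 web01 sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Sep  3 10:02:45 db01 sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log",
    "Sep  3 10:03:07 web01 sudo: bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update",
]

# The two rex stages from the thread, written as Python named groups.
RE_SLMSUDO = re.compile(r".*sudo:\s(?P<SLMsudo>.*$)")
RE_FIELDS = re.compile(r"(?P<sudoID>[A-Za-z0-9]+).*COMMAND=(?P<sudoCommand>.*$)")

# Shape of the expanded token: field="value" (prefix + choice value + suffix).
TOKEN_RE = re.compile(r'^(?P<field>\w+)="(?P<value>[^"]*)"$')


def extract(raw):
    """Apply both rex stages; return the extracted fields or None if either stage fails."""
    m1 = RE_SLMSUDO.search(raw)
    if not m1:
        return None
    m2 = RE_FIELDS.search(m1.group("SLMsudo"))
    if not m2:
        return None
    return {"SLMsudo": m1.group("SLMsudo"), "sudoID": m2.group("sudoID"),
            "sudoCommand": m2.group("sudoCommand")}


def expand_token(value, prefix='sudoID="', suffix='"'):
    """Model the dropdown's <prefix>/<suffix> wrapping of the selected value (assumed helper)."""
    return f"{prefix}{value}{suffix}"


def filter_search(events, expanded):
    """Model `| search field="value"`: case-insensitive match where `*` is a wildcard."""
    m = TOKEN_RE.match(expanded)
    field, value = m.group("field"), m.group("value")
    return [e for e in events if fnmatchcase(e[field].lower(), value.lower())]


def filter_where(events, expanded):
    """Model `| where field="value"`: exact, case-sensitive equality; `*` is just a literal."""
    m = TOKEN_RE.match(expanded)
    field, value = m.group("field"), m.group("value")
    return [e for e in events if e[field] == value]


if __name__ == "__main__":
    parsed = [extract(raw) for raw in SAMPLE_EVENTS]
    for choice in ("root", "*"):
        tok = expand_token(choice)
        print(tok, "search:", len(filter_search(parsed, tok)), "where:", len(filter_where(parsed, tok)))
```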
