Splunk Search

Dropdown input token needs to match rex field in search

Builder

Hello,
I have searched Answers and will continue to search after I post this. I'm not sure I am entering the correct search terms.

I have an input dropdown (dynamic) on a dashboard. Note: This works with no issues

     <input type="dropdown" token="sudoUserName">
        <label>Select a User ID.</label>
        <prefix>sudoID="</prefix>
        <suffix>"</suffix>
        <default>*</default>
        <choice value="*">All</choice>
        <fieldForLabel>sudoID</fieldForLabel>
        <fieldForValue>sudoID</fieldForValue>
        <search>
          <query>
            index=linuxevents process="sudo" AND "COMMAND="
            | rex field=_raw ".*sudo:\s(?&lt;SLMsudo&gt;.*$)"
            | rex field=SLMsudo "(?&lt;sudoID&gt;[A-Za-z0-9]+).*COMMAND=(?&lt;sudoCommand&gt;.*$)"
            | dedup sudoID
          </query>
          <earliest>$Selected_Time_Range.earliest$</earliest>
          <latest>$Selected_Time_Range.latest$</latest>
        </search>
     </input>

Problem.
I need to match the token sudoUserName to the field sudoID. However, the field sudoID is created while the SPL below runs: a rex on _raw creates SLMsudo, and from there another rex creates sudoID. I only want events where the sudoID matches the sudoUserName. (Apologies if I am repeating myself.)

Here is the code for that portion.

index=linuxevents process="sudo" AND "COMMAND=" AND $sudoUserName$
| rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
| rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
| eval sudoID=$sudoUserName$
| table SLMsudo, sudoID, host, sudoCommand, _time

The eval command is kicking off this error.
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([boolean expr], [expr], [expr]).

Please let me know if there is any other information you require.

Thanks and God bless,
Genesius

1 Solution

Champion

Hi

Try the below query

index=linuxevents process="sudo" AND "COMMAND=" AND $sudoUserName$
 | rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
 | rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
 | where $sudoUserName$
 | table SLMsudo, sudoID, host, sudoCommand, _time


Builder

@vnravikumar
I had tried
| where $sudoUserName$
before. Forgot to list in the previous response.

However, this time, I also removed
AND $sudoUserName$
from the first line, and now it works.

It works for all possible values of sudoUserName except for All.

Thanks and God bless,
Genesius


Builder

@vnravikumar
Thanks for the answer. However, it still isn't working.
Here are the error messages from your command, and some others I tried.
From the dropdown in my original post (code) I selected root (sudoUserName). I've tried with other names in the dropdown list with the same errors.

| where sudoID=$sudoUserName$
Error in 'where' command: The operator at '="root" is invalid.

| where eval sudoID=$sudoUserName$
Error in 'where' command: The operator at 'sudoID=sudoID="root" is invalid.

| eval where sudoID=$sudoUserName$
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).

Thanks and God bless,
Genesius


Champion

Hi

try exactly with | where $sudoUserName$

index=linuxevents process="sudo" AND "COMMAND="
  | rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
  | rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
  | where $sudoUserName$
  | table SLMsudo, sudoID, host, sudoCommand, _time

Champion

hi

try with search instead of where in the query

| search $sudoUserName$

Builder

@vnravikumar
SEARCH worked over WHERE
Thanks and God bless,
Genesius

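Why search succeeds where where fails for the All choice, shown as an added Python model (not Splunk code and not from this thread): the dropdown's prefix and suffix turn the token into sudoID="root", which the search command treats as a field match with * as a wildcard, while where reads the same text as an eval comparison against the literal string "*", so the default value matches nothing. The sudo log lines are constructed for the example.

```python
import re

# Constructed sudo syslog lines in the shape the thread's two rex patterns expect
EVENTS = [
    "Jan 10 10:01:02 web01 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jan 10 10:02:15 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Jan 10 10:03:40 db01 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql",
]

# The thread's rex stages as Python regexes (named groups are spelled (?P<...>) here)
RE_SLMSUDO = re.compile(r".*sudo:\s(?P<SLMsudo>.*$)")
RE_FIELDS = re.compile(r"(?P<sudoID>[A-Za-z0-9]+).*COMMAND=(?P<sudoCommand>.*$)")


def extract(raw):
    """Mimic `rex field=_raw` then `rex field=SLMsudo`: returns SLMsudo, sudoID, sudoCommand."""
    m1 = RE_SLMSUDO.search(raw)
    if not m1:
        return {}
    fields = {"SLMsudo": m1.group("SLMsudo")}
    m2 = RE_FIELDS.search(fields["SLMsudo"])
    if m2:
        fields.update(m2.groupdict())
    return fields


def expand_token(value, prefix='sudoID="', suffix='"'):
    """What the dashboard does with <prefix>/<suffix>: $sudoUserName$ becomes sudoID="root"."""
    return f"{prefix}{value}{suffix}"


def filter_events(expr, mode, events=EVENTS):
    """Apply an expanded token such as sudoID="root" the way `search` or `where` would.
    search: case-insensitive field match in which * is a wildcard (the All choice matches everything).
    where:  the same text is an eval comparison, so "*" is a literal string and matches nothing.
    """
    m = re.fullmatch(r'(\w+)="([^"]*)"', expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr}")
    field, pattern = m.groups()
    wild = re.compile(".*".join(map(re.escape, pattern.split("*"))), re.IGNORECASE)
    kept = []
    for ev in (extract(raw) for raw in events):
        val = ev.get(field)
        if val is None:
            continue  # both commands drop events that lack the field
        if mode == "search" and wild.fullmatch(val):
            kept.append(ev)
        elif mode == "where" and val == pattern:
            kept.append(ev)
    return kept
```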
