Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

EVAL issue

jsmith39
Path Finder
‎06-19-2015 06:30 AM

I've extracted a field called QR from a sourcetype, and it's working perfectly, but is returning numerical data, and I need specific words for a Enterprise Security dashboard to work. When I type the following eval command into the search bar it works perfectly, but when I place it in props.conf it doesn't execute correctly (new field is not created):

sourcetype = MSAD:NT6:DNS | eval message_type = if(QR==0, "RESPONSE", "QUERY")

I'm wondering if I'm running into an order of precedence issue, where my EVAL is kicking off before a QR field is even created.
I have the following in my transforms and props files.

transforms.conf

[MSAD:NT6:DNS]
[dns_qr_extraction]
REGEX = (QR)\s+(\d)
FORMAT = $1::$2

props.conf

[MSAD:NT6:DNS]
REPORT-dns_qr_extraction = dns_qr_extraction
EVAL message_type = if(QR==0, "RESPONSE", QR==1, "QUERY", "UNKNOWN")
Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-19-2015 07:38 AM

Is the QR field being crated for sure?

... | fields QR
0 Karma
Reply

woodcock
Esteemed Legend
‎06-19-2015 06:40 AM

You also have a mismatch in your props.conf stanza header: [dns_qr_lookup_action] should be [dns_qr_extraction].

0 Karma
Reply

jsmith39
Path Finder
‎06-19-2015 06:52 AM

Again, just being clumsy when putting my question on this website, in my server files, everything is typed correctly.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-19-2015 06:32 AM

You are missing a hyphen, try this:

EVAL-message_type = if(QR==0, "RESPONSE", QR==1, "QUERY", "UNKNOWN)

This mistake should have caused Splunk to give you an error every time you restart Splunk (which you probably did) so be sure to pay attention to the output EVERY time you restart Splunk!

Reply

jsmith39
Path Finder
‎06-19-2015 06:36 AM

That was a format issue when I was typing into answers.splunk.com, thanks for replying though appreciate the thought.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-19-2015 07:08 AM

You do see that I changed EVAL message_type to EVAL-message_type, right? I ask because you fixed your question (which I reformatted for clarity) for the other "wrong" answer but not for this one. Is perhaps this the actual problem?

0 Karma
Reply

jsmith39
Path Finder
‎06-19-2015 07:27 AM

Thank you, you're right, I did miss turning EVAL message_type into EVAL-message_type.
Unfortunately this still isn't having the desired effect of creating a message_type field.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-19-2015 07:35 AM

You also do not need [MSAD:NT6:DNS] in transforms.conf so remove that.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...