Re: Error in Eval Command

KNichol5hd · ‎03-15-2013

sourcetype=campusmgr earliest=-72h latest=+72h [search sourcetype=msdhcp earliest=03/10/2013:12:40:00 latest=03/10/2013:15:40:00 | eval dest_ip=if (match(sourcetype,"pan:traffic"),src_ip,"") [search sourcetype=pan:traffic src_translated_port=##### src_translated_ip=###.###.##.## earliest=03/10/2013:12:40:00 latest=03/10/2013:15:40:00 | return 10 src_ip] | return 10 dest_ip] | chart count by user | sort - count

Error in 'eval' command: The operator at '(src_ip="###.###.##.##") OR (src_ip="###.###.##.##") OR (src_ip="###.###.##.##") OR (src_ip="###.###.##.##")' is invalid.

Can anyone tell me what I'm doing wrong here?

*The sourcetype=src_ip in pan:traffic appears as dest_ip in sourcetype=msdhcp.
*The dest_mac in sourcetype=msdhcp appears as src_mac in sourcetype=campusmgr.

Ayn · ‎03-15-2013

Well you're tacking on a subsearch directly onto an eval statement. That's why you're getting an error.

KNichol5hd · ‎03-15-2013

I am trying to combine 3 separate searches into one.

The first search begins within sourcetype=pan:traffic. I use the src_translated_port and src_translated_ip to return the src_ip that I am looking for.

I then want to match that src_ip to the dest_ip within sourcetype=msdhcp, which is currently my second search. I use this search to return the dest_mac that I am looking for.

The third search is within sourcetype=campusmgr. I want to match the dest_mac returned from sourcetype=msdhcp to the src_mac with sourcetype=campusmgr.

Ayn · ‎03-15-2013

Depends. What's the purpose of the subsearch?

KNichol5hd · ‎03-15-2013

This the first I've ever worked with subsearches. Do you know what the correct format should be?

Error in Eval Command

Enterprise Security Content Update (ESCU) | New Releases

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...