Error in Eval Command

KNichol5hd · ‎03-15-2013

sourcetype=campusmgr earliest=-72h latest=+72h [search sourcetype=msdhcp earliest=03/10/2013:12:40:00 latest=03/10/2013:15:40:00 | eval dest_ip=if (match(sourcetype,"pan:traffic"),src_ip,"") [search sourcetype=pan:traffic src_translated_port=##### src_translated_ip=###.###.##.## earliest=03/10/2013:12:40:00 latest=03/10/2013:15:40:00 | return 10 src_ip] | return 10 dest_ip] | chart count by user | sort - count

Error in 'eval' command: The operator at '(src_ip="###.###.##.##") OR (src_ip="###.###.##.##") OR (src_ip="###.###.##.##") OR (src_ip="###.###.##.##")' is invalid.

Can anyone tell me what I'm doing wrong here?

*The sourcetype=src_ip in pan:traffic appears as dest_ip in sourcetype=msdhcp.
*The dest_mac in sourcetype=msdhcp appears as src_mac in sourcetype=campusmgr.

Ayn · ‎03-15-2013

Well you're tacking on a subsearch directly onto an eval statement. That's why you're getting an error.

KNichol5hd · ‎03-15-2013

I am trying to combine 3 separate searches into one.

The first search begins within sourcetype=pan:traffic. I use the src_translated_port and src_translated_ip to return the src_ip that I am looking for.

I then want to match that src_ip to the dest_ip within sourcetype=msdhcp, which is currently my second search. I use this search to return the dest_mac that I am looking for.

The third search is within sourcetype=campusmgr. I want to match the dest_mac returned from sourcetype=msdhcp to the src_mac with sourcetype=campusmgr.

Ayn · ‎03-15-2013

Depends. What's the purpose of the subsearch?

KNichol5hd · ‎03-15-2013

This the first I've ever worked with subsearches. Do you know what the correct format should be?

Error in Eval Command

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms