Splunk Search

Error on using eval in a subsearch

dinh
Path Finder

What is wrong with the way I'm using eval here?

source="/some.audit.log" "End" "/foo/baz"
| rex field=_raw "(?P<ReqId>\bREQ\w{32}\b)"
| rex field=_raw "(?P<IpAddress>\b[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\b)"
| rex field=_raw "(?i) End \"(?P<Lid>[^\"]*)\""
| rex field=_raw "[^ ] (?P<HostName>\w+\.\w+\.\w+) [^ ]"
| fields ReqId, Lid, HostName, IpAddress
| join ReqId [search
source="/some.error.log" "Fail" "BLOCK"
| rex field=_raw "(?P<ReqId>\bREQ\w{32}\b)"
| rex field=_raw "Status (?P<Status>\b\w*\b)"
| eval raw1=_raw
| fields ReqId, Status, raw1
]

I got this error message

Error in 'eval' command: Failed to parse arguments. eval usage: eval dest_key = expression

Tags (3)
0 Karma
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

Ah, yes. Quoting of double-quote characters and backslashes inside of rex strings is going to be confusing and problematic. I'd advise you if you're doing this to put the regexes into props.conf/transforms.conf and use the "extract" command to call them. If they're in the file, you can use plain PCRE syntax without worrying about how they might get transformed and passed inside the string.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Ah, yes. Quoting of double-quote characters and backslashes inside of rex strings is going to be confusing and problematic. I'd advise you if you're doing this to put the regexes into props.conf/transforms.conf and use the "extract" command to call them. If they're in the file, you can use plain PCRE syntax without worrying about how they might get transformed and passed inside the string.

gkanapathy
Splunk Employee
Splunk Employee

The "extract" command docs and the docs for the transforms.conf file should do it. You define it in transforms.conf, then call it on demand using the "extract" command (instead of "rex"). You could use props.conf to make it run automatically for the sourcetype as well.

BTW I would not use macros.conf for this particular case, since it adds a whole new layer of escaping and parsing.

0 Karma

dinh
Path Finder

Where can I find the documentation on how to implement it this way?

0 Karma

dinh
Path Finder

turns out this was the problem: [^\"]*

dinh
Path Finder

Just trying to pull a few of the rex out, it looks like something in this line is causing it but I'm not sure what.

| rex field=_raw "(?i) End \"(?P[^\"]*)\""

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...