Splunk Search
Highlighted

Error on using eval in a subsearch

Path Finder

What is wrong with the way I'm using eval here?

source="/some.audit.log" "End" "/foo/baz"
| rex field=_raw "(?P<ReqId>\bREQ\w{32}\b)"
| rex field=_raw "(?P<IpAddress>\b[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\b)"
| rex field=_raw "(?i) End \"(?P<Lid>[^\"]*)\""
| rex field=_raw "[^ ] (?P<HostName>\w+\.\w+\.\w+) [^ ]"
| fields ReqId, Lid, HostName, IpAddress
| join ReqId [search
source="/some.error.log" "Fail" "BLOCK"
| rex field=_raw "(?P<ReqId>\bREQ\w{32}\b)"
| rex field=_raw "Status (?P<Status>\b\w*\b)"
| eval raw1=_raw
| fields ReqId, Status, raw1
]

I got this error message

Error in 'eval' command: Failed to parse arguments. eval usage: eval dest_key = expression

Tags (3)
0 Karma
Highlighted

Re: Error on using eval in a subsearch

Path Finder

Just trying to pull a few of the rex out, it looks like something in this line is causing it but I'm not sure what.

| rex field=_raw "(?i) End \"(?P[^\"]*)\""

0 Karma
Highlighted

Re: Error on using eval in a subsearch

Path Finder

turns out this was the problem: [^\"]*

Highlighted

Re: Error on using eval in a subsearch

Legend

Ah, yes. Quoting of double-quote characters and backslashes inside of rex strings is going to be confusing and problematic. I'd advise you if you're doing this to put the regexes into props.conf/transforms.conf and use the "extract" command to call them. If they're in the file, you can use plain PCRE syntax without worrying about how they might get transformed and passed inside the string.

View solution in original post

Highlighted

Re: Error on using eval in a subsearch

Path Finder

Where can I find the documentation on how to implement it this way?

0 Karma
Highlighted

Re: Error on using eval in a subsearch

Legend

The "extract" command docs and the docs for the transforms.conf file should do it. You define it in transforms.conf, then call it on demand using the "extract" command (instead of "rex"). You could use props.conf to make it run automatically for the sourcetype as well.

BTW I would not use macros.conf for this particular case, since it adds a whole new layer of escaping and parsing.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.