Splunk Search

Help with if statement and complex | search

deastman
SplunkTrust

$execution$ $host$ $user$ |eval moresearch=if(execution=index=index1,"",($authentication$) OR ($configuration$) OR ($EventType$))| search AND moresearch

However, every time I issue this search it returns an error that the eval is malformed and expecting ).

In this case let's assume that index1 is signified by Powershell in the attached graphic

Any suggestions are greatly appreciated.

Thanks!
Dustin

Ver: 6.3.8


elliotproebstel
Champion

Building on the correct observation by @cmerriman that the execution=index=index1 is causing the issue, compare the two run-anywhere searches:
| stats count | eval mytok="index=index1" | eval moresearch=if(mytok=index=index1, 1, 0)
(generates the error in your post)

| stats count | eval mytok="index=index1" | eval moresearch=if(mytok="index=index1", 1, 0)
(works)

So I think you just need to change: execution=index=index1 to execution="index=index1"


deastman
SplunkTrust

When I do this and do not surround the token name (in my case execution) in $, it doesn't appear to actually do the if validation, as it seems to just put the name of the token, execution, rather than the value of the token (as I've written it into the search as execution=...). When I wrote it in as $execution$=... it would pass the proper value, but would throw an error that the eval statement was malformed.

I get the following back from the inspector, in my current form of the search:
search index=myindex host=* user=* | eval moresearch=if(execution="index=myindex2"," ", ((eventtype=windows_logon_success) OR (New_Process_Name=msiexec.exe OR New_Process_Name=TrustedInstaller.exe) OR (LogName=Security))) | search moresearch


deastman
SplunkTrust

Current Search String.
$execution$ $host$ $user$ |eval moresearch=if($execution$="index=myindex"," ", (($authentication$) OR ($configuration$) OR ($EventType$)))| search moresearch


elliotproebstel
Champion

Actually, I expect this will shift the error, and you'll next see Splunk complain about ($authentication$) OR ($configuration$) OR ($EventType$)

For that, I suspect you'll need to change to this:
($authentication$)." OR ".($configuration$)." OR ".($EventType$)

That way, Splunk won't interpret those "OR"s as a command embedded within the eval function and will, instead, treat them as strings.


cmerriman
Super Champion

The problem with the search is that you have execution=index=index1. SPL doesn't accept two comparisons like that. If you're trying to compare execution to index to index1 you'll have to do something like execution=index AND execution=index1


deastman
SplunkTrust

However, the issue is that when the $execution$ token gets set, the entire value of the token is index=index1,

so $execution$=index=index1.

So do I perhaps need to put the =index1 in single quotes, so that it will read index=index1 as a string rather than a comparison?

Thanks!
Dustin


cmerriman
Super Champion

Try $execution|s$="index=index1" and see if that works. The |s will put the entire execution token into quotes automatically. Otherwise we might need to think of a way to escape the =


deastman
SplunkTrust

Unfortunately no, that simply makes my dashboard wait for additional input, so it would appear that it believes the s$ is another input token, and is waiting for input, but I have no way to enter input for it.


cmerriman
Super Champion

I created a test dashboard and I got this to work. If you could post your source code with any sensitive information replaced, that would be helpful.

You can't have boolean operators as the false section of an eval, so I enclosed them in quotes. Are you trying to remove values? You might be better off with a where statement. Otherwise, what is the end goal?

<form>
  <label>testanswer</label>
  <fieldset submitButton="true">
    <input type="checkbox" token="authentication">
      <label>Authentication</label>
      <choice value="Login">Login</choice>
      <choice value="Logoff">Logoff</choice>
    </input>
    <input type="radio" token="execution">
      <label>Execution</label>
      <choice value="index=index1">Powershell</choice>
      <choice value="CLI">Command Line</choice>
    </input>
    <input type="radio" token="configuration">
      <label>Configuration</label>
      <choice value="iis">IIS Config</choice>
      <choice value="installs">Installs</choice>
    </input>
    <input type="checkbox" token="eventtype">
      <label>EventType</label>
      <choice value="app">Application</choice>
      <choice value="system">System</choice>
      <choice value="security">Security</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval moresearch=if($execution|s$="index=index1","","($authentication$) OR ($configuration$) OR ($eventtype$)")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

deastman
SplunkTrust

<form>
  <label>My Event Timeline</label>
  <fieldset submitButton="true">
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="host" searchWhenChanged="false">
      <default>*</default>
      <initialValue>*</initialValue>
      <prefix>host=</prefix>
    </input>
    <input type="text" token="user" searchWhenChanged="false">
      <label>User</label>
      <default>*</default>
      <initialValue>*</initialValue>
      <prefix>user=</prefix>
    </input>
    <input type="checkbox" token="authentication">
      <label>Authentication</label>
      <choice value="eventtype=windows_logon_success">Login</choice>
      <choice value="eventtype=windows_logoff">Logoff</choice>
      <delimiter> OR </delimiter>
    </input>
    <input type="radio" token="execution" searchWhenChanged="true">
      <label>Execution</label>
      <choice value="myindex1">Powershell</choice>
      <choice value="myindex2">Command Line</choice>
      <prefix>index=</prefix>
    </input>
    <input type="radio" token="configuration" searchWhenChanged="true">
      <label>Configuration</label>
      <choice value="sourcetype=log_config_audit">Log Config</choice>
      <choice value="New_Process_Name=msiexec.exe OR New_Process_Name=TrustedInstaller.exe">Installs</choice>
    </input>
    <input type="checkbox" token="EventType">
      <choice value="LogName=Application">Application</choice>
      <choice value="LogName=System">System</choice>
      <choice value="LogName=Security">Security</choice>
      <delimiter> AND </delimiter>
      <default>LogName=Security</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Results</title>
        <search>
          <query>$execution$ $host$ $user$ |eval moresearch=if($execution$="index=myindex1"," ", (($authentication$)" OR ".($configuration$)" OR "($EventType$)))| search moresearch</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

cmerriman
Super Champion

Thanks! So try this:

<form>
   <label>My Event Timeline</label>
   <fieldset submitButton="true">
     <input type="time" token="time" searchWhenChanged="false">
       <label></label>
       <default>
         <earliest>-4h@m</earliest>
         <latest>now</latest>
       </default>
     </input>
     <input type="text" token="host" searchWhenChanged="false">
       <default>*</default>
       <initialValue>*</initialValue>
       <prefix>host=</prefix>
     </input>
     <input type="text" token="user" searchWhenChanged="false">
       <label>User</label>
       <default>*</default>
       <initialValue>*</initialValue>
       <prefix>user=</prefix>
     </input>
     <input type="checkbox" token="authentication" searchWhenChanged="false">
       <label>Authentication</label>
       <choice value="eventtype=windows_logon_success">Login</choice>
       <choice value="eventtype=windows_logoff">Logoff</choice>
       <delimiter> OR </delimiter>
     </input>
     <input type="radio" token="execution" searchWhenChanged="false">
       <label>Execution</label>
       <choice value="myindex1">Powershell</choice>
       <choice value="myindex2">Command Line</choice>
       <prefix>index=</prefix>
     </input>
     <input type="radio" token="configuration" searchWhenChanged="false">
       <label>Configuration</label>
       <choice value="sourcetype=log_config_audit">Log Config</choice>
       <choice value="New_Process_Name=msiexec.exe OR New_Process_Name=TrustedInstaller.exe">Installs</choice>
     </input>
     <input type="checkbox" token="EventType" searchWhenChanged="false">
       <choice value="LogName=Application">Application</choice>
       <choice value="LogName=System">System</choice>
       <choice value="LogName=Security">Security</choice>
       <delimiter> AND </delimiter>
       <default>LogName=Security</default>
     </input>
   </fieldset>
   <row>
     <panel>
       <table>
         <title>Results</title>
         <search>
           <query>$execution$ $host$ $user$ |eval moresearch=if($execution|s$="index=myindex1","", "($authentication$ OR $configuration$ OR $EventType$)")| search moresearch</query>
           <earliest>$time.earliest$</earliest>
           <latest>$time.latest$</latest>
         </search>
         <option name="wrap">true</option>
         <option name="rowNumbers">false</option>
         <option name="dataOverlayMode">none</option>
         <option name="list.drilldown">full</option>
         <option name="list.wrap">1</option>
         <option name="maxLines">5</option>
         <option name="raw.drilldown">full</option>
         <option name="table.drilldown">all</option>
         <option name="table.wrap">1</option>
         <option name="type">list</option>
         <option name="drilldown">cell</option>
         <option name="count">10</option>
       </table>
     </panel>
   </row>
 </form>
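To see concretely why the poster's form of the query fails and the final answer above does not, here is an added Python simulation of Simple XML token substitution. It is not Splunk code and not code from any of the posters; it assumes only the documented behaviour of two token filters (an unfiltered $token$ is inserted verbatim into the query, and $token|s$ wraps the value in double quotes and escapes embedded quotes and backslashes). The token values are constructed from what the posted form's inputs produce for one selection (prefix and delimiter already applied), and the well-formedness checks are a simplified stand-in for eval's parser that test just the two properties this thread turns on: that the if() condition is a single a=b comparison once quoted strings are treated as atoms (cmerriman's point about two comparisons), and that the false branch is one string literal rather than bare search syntax (the reason the OR chain had to be quoted).

```python
"""Offline simulation of Simple XML token substitution in a <query>.

Added illustration, not Splunk code. Assumes: $tok$ is inserted verbatim,
$tok|s$ becomes a double-quoted string with embedded " and \ escaped.
"""
import re

TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_.]*)(?:\|([a-z]))?\$")

# Constructed token values: what the posted form produces when Powershell,
# Login, Installs and the default Security are selected.
TOKENS = {
    "execution": "index=myindex1",
    "host": "host=*",
    "user": "user=*",
    "authentication": "eventtype=windows_logon_success",
    "configuration": "New_Process_Name=msiexec.exe OR New_Process_Name=TrustedInstaller.exe",
    "EventType": "LogName=Security",
}

# The poster's "current search string" and the final answer's <query>.
BROKEN_QUERY = ('$execution$ $host$ $user$ |eval moresearch=if($execution$="index=myindex1",'
                '" ", (($authentication$) OR ($configuration$) OR ($EventType$)))| search moresearch')
FIXED_QUERY = ('$execution$ $host$ $user$ |eval moresearch=if($execution|s$="index=myindex1",'
               '"", "($authentication$ OR $configuration$ OR $EventType$)")| search moresearch')


def search_filter(value):
    """The |s filter: turn the value into one SPL string literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def substitute(query, tokens):
    """Expand $name$ and $name|s$. Unset tokens stay in place, which is the
    state in which a dashboard sits waiting for input."""
    def repl(m):
        name, flt = m.group(1), m.group(2)
        if name not in tokens:
            return m.group(0)
        if flt == "s":
            return search_filter(tokens[name])
        if flt is None:
            return tokens[name]
        raise ValueError("token filter |%s not modelled here" % flt)
    return TOKEN_RE.sub(repl, query)


def top_level_split(s, sep):
    """Split on sep, ignoring it inside "..." strings and inside parentheses."""
    parts, cur, depth, inq, i = [], [], 0, False, 0
    while i < len(s):
        c = s[i]
        if inq:
            if c == "\\" and i + 1 < len(s):
                cur.append(s[i:i + 2]); i += 2
                continue
            if c == '"':
                inq = False
        elif c == '"':
            inq = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == sep and depth == 0:
            parts.append("".join(cur).strip()); cur = []; i += 1
            continue
        cur.append(c); i += 1
    parts.append("".join(cur).strip())
    return parts


def if_args(spl):
    """Return the arguments of the first if(...) call in the expanded SPL."""
    start = spl.index("if(") + 3
    depth, inq, i = 1, False, start
    while i < len(spl) and depth:
        c = spl[i]
        if inq:
            if c == "\\":
                i += 1
            elif c == '"':
                inq = False
        elif c == '"':
            inq = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        i += 1
    return top_level_split(spl[start:i - 1], ",")


def condition_is_wellformed(cond):
    """One comparison a=b. index=myindex1="index=myindex1" has two '=' once
    the quoted string is an atom, which is what Splunk reports as malformed."""
    return len(top_level_split(cond, "=")) == 2


def is_string_literal(arg):
    """True when the argument is exactly one "..." string, so no bare OR or
    field=value search syntax reaches the eval parser."""
    return re.fullmatch(r'"(?:[^"\\]|\\.)*"', arg) is not None


def diagnose(query, tokens=TOKENS):
    """Expand the query and report the two properties the thread turns on."""
    spl = substitute(query, tokens)
    cond, _true_branch, false_branch = if_args(spl)
    return {"spl": spl,
            "condition_ok": condition_is_wellformed(cond),
            "false_branch_is_string": is_string_literal(false_branch)}
```

diagnose(BROKEN_QUERY) expands $execution$="index=myindex1" to index=myindex1="index=myindex1" and reports the condition as malformed and the false branch as search syntax; diagnose(FIXED_QUERY) expands to "index=myindex1"="index=myindex1" and reports both properties as fine. The check is deliberately narrow: eval's real parser is far stricter, and the point of the simulation is only to show that the `|s` filter changes what text the parser sees, not how it parses. The same verbatim substitution applies to the free-text host and user inputs in the posted form, so whatever is typed there becomes search syntax in the generated SPL, not a value.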