$execution$ $host$ $user$ |eval moresearch=if(execution=index=index1,"",($authentication$) OR ($configuration$) OR ($EventType$))| search AND moresearch
However, every time I issue this search it returns an error that the eval is malformed and expecting ).
In this case, let's assume that index1 is signified by Powershell in the attached graphic.
Any suggestions are greatly appreciated.
Thanks!
Dustin
Ver: 6.3.8
Building on the correct observation by @cmerriman that the execution=index=index1 is causing the issue, compare the two run-anywhere searches:
| stats count | eval mytok="index=index1" | eval moresearch=if(mytok=index=index1, 1, 0)
(generates the error in your post)
| stats count | eval mytok="index=index1" | eval moresearch=if(mytok="index=index1", 1, 0)
(works)
So I think you just need to change execution=index=index1 to execution="index=index1"
When I do this and do not surround the token name (in my case execution) in $, it doesn't appear to actually do the if validation, as it seems to just put the name of the token in execution rather than the value of the token (as I've written it into the search as execution=...). When I wrote it in as $execution$=..., it would pass the proper value, but would throw an error that the eval statement was malformed.
I get the following back from the inspector, in my current form of the search:
search index=myindex host=* user=* | eval moresearch=if(execution="index=myindex2"," ", ((eventtype=windows_logon_success) OR (New_Process_Name=msiexec.exe OR New_Process_Name=TrustedInstaller.exe) OR (LogName=Security))) | search moresearch
Current search string:
$execution$ $host$ $user$ |eval moresearch=if($execution$="index=myindex"," ", (($authentication$) OR ($configuration$) OR ($EventType$)))| search moresearch
Actually, I expect this will shift the error, and you'll next see Splunk complain about ($authentication$) OR ($configuration$) OR ($EventType$)
For that, I suspect you'll need to change to this:
($authentication$)." OR ".($configuration$)." OR ".($EventType$)
That way, Splunk won't interpret those "OR"s as a command embedded within the eval function and will, instead, treat them as strings.
The problem with the search is that you have execution=index=index1. SPL doesn't accept two comparisons like that. If you're trying to compare execution to index and to index1, you'll have to do something like execution=index AND execution=index1.
However, the issue is that with the $execution$ token that gets set, the entire value of the token is index=index1, so $execution$=index=index1.
So do I perhaps need to put the =index1 in single quotes, so that it will read index=index1 as a string rather than a comparison?
Thanks!
Dustin
Try $execution|s$="index=index1" and see if that works. The |s will put the entire execution token into quotes automatically. Otherwise we might need to think of a way to escape the =.
Unfortunately no; that simply makes my dashboard wait for additional input, so it would appear that it believes the s$ is another input token and is waiting for input, but I have no way to enter input for it.
I created a test dashboard and I got this to work. If you could post your source code with any sensitive information replaced, that would be helpful.
You can't have boolean operators as the false section of an eval, so I enclosed them in quotes. Are you trying to remove values? You might be better off with a where statement. Otherwise, what is the end goal?
<form>
  <label>testanswer</label>
  <fieldset submitButton="true">
    <input type="checkbox" token="authentication">
      <label>Authentication</label>
      <choice value="Login">Login</choice>
      <choice value="Logoff">Logoff</choice>
    </input>
    <input type="radio" token="execution">
      <label>Execution</label>
      <choice value="index=index1">Powershell</choice>
      <choice value="CLI">Command Line</choice>
    </input>
    <input type="radio" token="configuration">
      <label>Configuration</label>
      <choice value="iis">IIS Config</choice>
      <choice value="installs">Installs</choice>
    </input>
    <input type="checkbox" token="eventtype">
      <label>EventType</label>
      <choice value="app">Application</choice>
      <choice value="system">System</choice>
      <choice value="security">Security</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval moresearch=if($execution|s$="index=index1","","($authentication$) OR ($configuration$) OR ($eventtype$)")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
<form>
  <label>My Event Timeline</label>
  <fieldset submitButton="true">
    <input type="time" token="time">
      <label></label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="host" searchWhenChanged="false">
      <default>*</default>
      <initialValue>*</initialValue>
      <prefix>host=</prefix>
    </input>
    <input type="text" token="user" searchWhenChanged="false">
      <label>User</label>
      <default>*</default>
      <initialValue>*</initialValue>
      <prefix>user=</prefix>
    </input>
    <input type="checkbox" token="authentication">
      <label>Authentication</label>
      <choice value="eventtype=windows_logon_success">Login</choice>
      <choice value="eventtype=windows_logoff">Logoff</choice>
      <delimiter> OR </delimiter>
    </input>
    <input type="radio" token="execution" searchWhenChanged="true">
      <label>Execution</label>
      <choice value="myindex1">Powershell</choice>
      <choice value="myindex2">Command Line</choice>
      <prefix>index=</prefix>
    </input>
    <input type="radio" token="configuration" searchWhenChanged="true">
      <label>Configuration</label>
      <choice value="sourcetype=log_config_audit">Log Config</choice>
      <choice value="New_Process_Name=msiexec.exe OR New_Process_Name=TrustedInstaller.exe">Installs</choice>
    </input>
    <input type="checkbox" token="EventType">
      <choice value="LogName=Application">Application</choice>
      <choice value="LogName=System">System</choice>
      <choice value="LogName=Security">Security</choice>
      <delimiter> AND </delimiter>
      <default>LogName=Security</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Results</title>
        <search>
          <query>$execution$ $host$ $user$ |eval moresearch=if($execution$="index=myindex1"," ", (($authentication$)" OR ".($configuration$)" OR "($EventType$)))| search moresearch</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
Thanks! So try this:
<form>
  <label>My Event Timeline</label>
  <fieldset submitButton="true">
    <input type="time" token="time" searchWhenChanged="false">
      <label></label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="host" searchWhenChanged="false">
      <default>*</default>
      <initialValue>*</initialValue>
      <prefix>host=</prefix>
    </input>
    <input type="text" token="user" searchWhenChanged="false">
      <label>User</label>
      <default>*</default>
      <initialValue>*</initialValue>
      <prefix>user=</prefix>
    </input>
    <input type="checkbox" token="authentication" searchWhenChanged="false">
      <label>Authentication</label>
      <choice value="eventtype=windows_logon_success">Login</choice>
      <choice value="eventtype=windows_logoff">Logoff</choice>
      <delimiter> OR </delimiter>
    </input>
    <input type="radio" token="execution" searchWhenChanged="false">
      <label>Execution</label>
      <choice value="myindex1">Powershell</choice>
      <choice value="myindex2">Command Line</choice>
      <prefix>index=</prefix>
    </input>
    <input type="radio" token="configuration" searchWhenChanged="false">
      <label>Configuration</label>
      <choice value="sourcetype=log_config_audit">Log Config</choice>
      <choice value="New_Process_Name=msiexec.exe OR New_Process_Name=TrustedInstaller.exe">Installs</choice>
    </input>
    <input type="checkbox" token="EventType" searchWhenChanged="false">
      <choice value="LogName=Application">Application</choice>
      <choice value="LogName=System">System</choice>
      <choice value="LogName=Security">Security</choice>
      <delimiter> AND </delimiter>
      <default>LogName=Security</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Results</title>
        <search>
          <query>$execution$ $host$ $user$ |eval moresearch=if($execution|s$="index=myindex1","", "($authentication$ OR $configuration$ OR $EventType$)")| search moresearch</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="table.drilldown">all</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
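An added example, not from the thread: the same conditional filter expressed without building a search string in eval, which sidesteps the quoting problem entirely. Because the leading $execution$ term already limits the base search to one index, ORing the extra clauses with a literal index=myindex1 term gives the intended behaviour: when Powershell is selected that term is true for every event and the extra clauses are bypassed; when Command Line is selected it is false and only the extra clauses can match. Index, token and field names are the ones from the dashboards above; the labels, the default on each checkbox and radio input, the prefix/suffix parentheses on the checkbox groups, and the parentheses around the Installs choice are assumptions added here. The EventType boxes are combined with OR in this version because a single event carries one LogName. A caveat worth knowing when reading the eval-based versions above: the search command parses its expression when the query is compiled, so "| search moresearch" looks for the literal term moresearch rather than for the value of a field named moresearch; this example needs no such step.

```xml
<form>
  <label>My Event Timeline (conditional clause without eval)</label>
  <fieldset submitButton="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="host">
      <label>Host</label>
      <default>*</default>
      <prefix>host=</prefix>
    </input>
    <input type="text" token="user">
      <label>User</label>
      <default>*</default>
      <prefix>user=</prefix>
    </input>
    <input type="radio" token="execution">
      <label>Execution</label>
      <choice value="myindex1">Powershell</choice>
      <choice value="myindex2">Command Line</choice>
      <default>myindex1</default>
      <prefix>index=</prefix>
    </input>
    <!-- Checkbox groups are wrapped in parentheses so that a multi-select
         such as (eventtype=windows_logon_success OR eventtype=windows_logoff)
         stays a single operand inside the outer OR. -->
    <input type="checkbox" token="authentication">
      <label>Authentication</label>
      <choice value="eventtype=windows_logon_success">Login</choice>
      <choice value="eventtype=windows_logoff">Logoff</choice>
      <default>eventtype=windows_logon_success</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="radio" token="configuration">
      <label>Configuration</label>
      <choice value="sourcetype=log_config_audit">Log Config</choice>
      <choice value="(New_Process_Name=msiexec.exe OR New_Process_Name=TrustedInstaller.exe)">Installs</choice>
      <default>sourcetype=log_config_audit</default>
    </input>
    <input type="checkbox" token="EventType">
      <label>EventType</label>
      <choice value="LogName=Application">Application</choice>
      <choice value="LogName=System">System</choice>
      <choice value="LogName=Security">Security</choice>
      <default>LogName=Security</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Results</title>
        <!-- $execution$ expands to index=myindex1 or index=myindex2 and already
             restricts the base search. Inside the parentheses, the literal
             index=myindex1 is true for every event when Powershell is selected
             (extra clauses bypassed) and false otherwise (extra clauses enforced).
             No eval, no quoting of tokens, no dynamic search string. -->
        <search>
          <query>$execution$ $host$ $user$ (index=myindex1 OR ($authentication$ OR $configuration$ OR $EventType$))</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</form>
```

One check to keep in mind: if a user unchecks every box in a checkbox group, that operand becomes empty and the generated search fails to parse, exactly as it would with the eval version; the defaults reduce that risk but do not remove it, so either keep a default the user cannot clear or open the job inspector to confirm the expanded search string when the panel shows no results.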