Splunk Search

Help with search using eval and table?

oh_sechang
New Member

 

 

index="hx_vm" LogName="Microsoft-Windows-Sysmon/Operational" "EventCode=11" ComputerName=DESKTOP-933JR8B
| eval {name} = replace("C:\Windows\SysWOW64\OneDriveSetup.exe","\", "\\")
| search Image = name
| table _time, TargetFilename

 

 

The variable usage part is difficult.

Labels (3)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

Where is the question?  Three detail you need in a post: how does the data look like, what is it that you expect as result, what is the logic between data and expected result; if you post sample code, explain the result you get and why it doesn't meet requirements.

Looking at your sample code, I guess you do not mean | search Image = "name", because that's exactly what the code means.  Anything on the right of an equal sign  in a search command is a string.  Try

index="hx_vm" LogName="Microsoft-Windows-Sysmon/Operational" "EventCode=11" ComputerName=DESKTOP-933JR8B
| eval name = replace("C:\Windows\SysWOW64\OneDriveSetup.exe","\", "\\")
| where Image == name
| table _time, TargetFilename

 

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...