How do i use eval to calculate two fields?

FYPTEST · ‎01-27-2021

What I am trying to accomplish with the command is to find the events with the EventCode "4624" and Logon_Type "10" or "2", and to name them as "RDP", however i get the following error:

Here is the query below:

index=wineventlogsecurity source=xmlWinEventLog:Security | stats count(eval(EventCode="4624") AND (Logon_Type="10")) AS RDP

Then I get this error:

Error in 'stats' command: The eval expression for dynamic field 'eval(EventCode="4624") AND (Logon_Type="10")' is invalid. Error='The operator at ') AND (Logon_Type="10"' is invalid.'.

Thanks in advance for any help! and apologies for the newbie questions as I am rather new to Splunk.

manjunathmeti · ‎01-27-2021

hi @FYPTEST ,
AND and OR operators should be in the eval function. Check this,

index=wineventlogsecurity source=xmlWinEventLog:Security 
| stats count(eval(EventCode="4624" AND (Logon_Type="10" OR Logon_Type="2"))) AS RDP

If this reply helps you, an upvote/like would be appreciated.

ITWhisperer · ‎01-27-2021

index=wineventlogsecurity source=xmlWinEventLog:Security EventCode="4624" (Logon_Type="10" OR Logon_Type="2") | stats count AS RDP

How do i use eval to calculate two fields?

count

eval

fields

search job inspector

stats

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Are you a member of the Splunk Community?

How do i use eval to calculate two fields?