What I am trying to accomplish with the command is to find the events with the EventCode "4624" and Logon_Type "10" or "2", and to name them as "RDP"; however, I get the following error:
Here is the query below:
index=wineventlogsecurity source=xmlWinEventLog:Security | stats count(eval(EventCode="4624") AND (Logon_Type="10")) AS RDP
Then I get this error:
Error in 'stats' command: The eval expression for dynamic field 'eval(EventCode="4624") AND (Logon_Type="10")' is invalid. Error='The operator at ') AND (Logon_Type="10"' is invalid.'.
Thanks in advance for any help, and apologies for the newbie question as I am rather new to Splunk.
Hi @FYPTEST,
AND and OR operators should be inside the eval function. Check this:
index=wineventlogsecurity source=xmlWinEventLog:Security
| stats count(eval(EventCode="4624" AND (Logon_Type="10" OR Logon_Type="2"))) AS RDP
If this reply helps you, an upvote/like would be appreciated.
index=wineventlogsecurity source=xmlWinEventLog:Security EventCode="4624" (Logon_Type="10" OR Logon_Type="2") | stats count AS RDP
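To make the difference between the two answers concrete, here is an added Python example (not code from the question or either reply, and not Splunk's own code) that runs the same condition over a handful of constructed XmlWinEventLog:Security-style records. `count_eval` mirrors the first answer's `stats count(eval(...))`, which counts only the events for which the predicate is true; `count_filtered` mirrors the second answer, which narrows the search first and then runs a plain `stats count`. Both give the same number on the same events. Assumptions: the sample XML is simplified (no Windows event namespace), and the `LogonType` EventData field is renamed to `Logon_Type` to match what the Splunk Windows add-on extracts. The per-logon-type breakdown is included because logon type 10 is RemoteInteractive (RDP) while type 2 is Interactive (local console), so a defender will usually want to be able to tell the two apart even when counting them together as "RDP".

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample records shaped like XmlWinEventLog:Security events
# (assumption about the event layout; not real data from the question).
# 4624 = successful logon, 4625 = failed logon; LogonType 10 = RemoteInteractive,
# 2 = Interactive (console), 3 = Network.
SAMPLE_EVENTS = [
    '<Event><System><EventID>4624</EventID></System><EventData>'
    '<Data Name="LogonType">10</Data><Data Name="TargetUserName">alice</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID></System><EventData>'
    '<Data Name="LogonType">2</Data><Data Name="TargetUserName">bob</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID></System><EventData>'
    '<Data Name="LogonType">3</Data><Data Name="TargetUserName">svc</Data></EventData></Event>',
    '<Event><System><EventID>4625</EventID></System><EventData>'
    '<Data Name="LogonType">10</Data><Data Name="TargetUserName">mallory</Data></EventData></Event>',
    '<Event><System><EventID>4624</EventID></System><EventData>'
    '<Data Name="LogonType">10</Data><Data Name="TargetUserName">carol</Data></EventData></Event>',
]


def parse_event(xml_text):
    """Flatten one event into the fields Splunk would extract: EventCode plus each EventData <Data Name=...>."""
    root = ET.fromstring(xml_text)
    fields = {"EventCode": root.findtext("./System/EventID", default="")}
    for data in root.findall("./EventData/Data"):
        name = data.get("Name")
        if name:
            fields[name] = (data.text or "").strip()
    # The Splunk Windows add-on exposes this field as Logon_Type; mirror that name.
    fields["Logon_Type"] = fields.pop("LogonType", "")
    return fields


def is_rdp_candidate(fields):
    """The condition from the first answer: EventCode="4624" AND (Logon_Type="10" OR Logon_Type="2")."""
    return fields.get("EventCode") == "4624" and fields.get("Logon_Type") in ("10", "2")


def count_eval(events, predicate):
    """Mirror stats count(eval(<predicate>)): count only events where the predicate is true."""
    return sum(1 for e in events if predicate(parse_event(e)))


def count_filtered(events, predicate):
    """Mirror the second answer: filter in the search itself, then plain stats count."""
    matching = [e for e in events if predicate(parse_event(e))]
    return len(matching)


def successful_logons_by_type(events):
    """Breakdown of 4624 events per Logon_Type, so RemoteInteractive (10) and Interactive (2) stay distinguishable."""
    counts = Counter()
    for e in events:
        f = parse_event(e)
        if f["EventCode"] == "4624":
            counts[f["Logon_Type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("RDP via count(eval(...)):", count_eval(SAMPLE_EVENTS, is_rdp_candidate))
    print("RDP via filter then count:", count_filtered(SAMPLE_EVENTS, is_rdp_candidate))
    print("4624 by Logon_Type:", successful_logons_by_type(SAMPLE_EVENTS))
```

On the five constructed events both approaches return 3: the failed logon (4625) and the network logon (type 3) are excluded. The filter-first form is normally the cheaper one in Splunk because fewer events reach the `stats` command, while the `count(eval(...))` form is useful when one `stats` call needs several differently-conditioned counts side by side.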