Splunk Search

How to edit my search to create a field using eval?

jph11
New Member

Currently working on an integration between Splunk and RSA Archer eGRC. We are working with the security operations model with the plan that when a Notable event triggers, the alerts and notable would then be forwarded to the SOC module within Archer.

We have established connection and have shown that we can pass events between the two systems, but not with the provided templates to get the correct info over to Archer.

Here is the very basic search we are using:

sourcetype=cisco:asa  eventtype="Justin Test" 
| stats count by _time 
| where count>=1 
| eval _raw="CEF:0|Splunk|Splunk|6.0.1|20|This incident is based on the aggregation criteria Source where Source is " + source + "|3|RCFApplicationName=secops aggregationcriteria=splunk-source-" + source + " sourcetype=" + sourcetype + " msg=Grouped by source - "+ source + " hosts=" + host + " rt=" + _time + " act=" + action + " eventsource=" + source + " eventtype=" + type + " externalId=" + session_id + " src=" + src + " sourcedomain=" + src_dns + " smac=" + src_mac + " dst=" + dest + " destinationdomain=" + dest_dns + " dmac=" + dest_mac +  " deviceip=" + dvc

This creates the _raw field and includes the data that follows. This is where our issue lies. With the full search provided, it does not create the eval field. If I remove everything after the first closing quotation marks it will create the _raw field. I think the first issue arises with the " + source +"

Any thoughts? I believe this syntax was written for 6.0.1 and thus perhaps the eval command has changed since then? Just spitballing and wanted to get another set of eyes.

0 Karma

sundareshr
Legend

Your stats command is the issue. After the stats command you are only left with count and _time fields. So none of the other fields exist. Try this

sourcetype=cisco:asa  eventtype="Justin Test" 
 | eval _raw="CEF:0|Splunk|Splunk|6.0.1|20|This incident is based on the aggregation criteria Source where Source is " + source + "|3|RCFApplicationName=secops aggregationcriteria=splunk-source-" + source + " sourcetype=" + sourcetype + " msg=Grouped by source - "+ source + " hosts=" + host + " rt=" + _time + " act=" + action + " eventsource=" + source + " eventtype=" + type + " externalId=" + session_id + " src=" + src + " sourcedomain=" + src_dns + " smac=" + src_mac + " dst=" + dest + " destinationdomain=" + dest_dns + " dmac=" + dest_mac +  " deviceip=" + dvc
| stats count values(_raw) as _raw by _time 
| where count>=1 
| table _raw
0 Karma