I have two searches I want to run in a real-time alert. I've never used map before, but this is what I have. It's not returning any results.
index="eventlog" AND case(EventCode=4624 AND (host=HOST1 OR host=HOST2 OR host=HOST3),
map search="search index='eventlog' AND (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) AND Logon_GUID!={00000000-0000-0000-0000-000000000000}
| eval Title=user.' ... '.host
| eval Body='Logon Type is '.Logon_Type.' '.Message",
EventCode=20274 AND (host=HOST4 OR host=HOST5),
map search="search index='eventlog'
| eval part1=split(body, 'user')
| eval temp=mvindex(part1, 1)
| eval part2=split(temp, 'connected')
| eval temp2=mvindex(part2, 0)
| eval usernameSplit=split(temp2, '\\')
| eval username=mvindex(usernameSplit,1)
| eval Title=username.' ... VPN RAS Logon ... '.host
| eval Body='The alert condition for *VPN Logon* was triggered.'")
| table Title Body
It seems like at the very least you are missing a pipe character where the comma is after .message".
Look at what you posted, and notice the green is code inside of quotes (single or double).
You have EventCode=20274 just sort of sitting there, not associated with a search, and there is no pipe before the following map command.
The map syntax is wrong. See map documentation for correct usage. https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Map
Also, real-time alerts are not efficient, and if you can manage with a delay of a few minutes, I would suggest setting up a regular/historical (scheduled) search alert.