Splunk Search

How to use eval function in search in CLI

Explorer

Hi all,

I'm currently trying to run a search within the CLI (which works perfectly on Splunk Web).

The search is the following:

sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, "; ") | eval Account_Name=mvjoin(Account_Name, "; ") | eval Security_ID=mvjoin(Security_ID, "; ") | eval Logon_ID=mvjoin(Logon_ID, "; ") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc

Note: I am using the eval function to join multiple values that appear in one field in order to remove "line feeds" (because my goal is to export to csv).

In Windows PowerShell I run the following command:

splunk.exe "sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, `"; `") | eval Account_Name=mvjoin(Account_Name, `"; `") | eval Security_ID=mvjoin(Security_ID, `"; `") | eval Logon_ID=mvjoin(Logon_ID, `"; `") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc

Please note that the command would work perfectly if the eval functions are left out, but I need them to achieve my goal having no more "line feeds". So it's more or less a problem of right escaping!?
I tried to use the escaping explained on this site but no luck yet. any ideas?

cheers
-ciir

PS: I know that there is such a thing as a Splunk PowerShell Resource Kit (but do I really have to use it?)

0 Karma
1 Solution

Explorer

I found the answer by myself.
There are actually two approaches/methods you can solve this issue:

1. approach is escape the doubleqoute the right way which is \"" instead of ". This leads to the following search:

   splunk.exe "sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, \""; \"") | eval Account_Name=mvjoin(Account_Name, \""; \"") | eval Security_ID=mvjoin(Security_ID, \""; \"") | eval Logon_ID=mvjoin(Logon_ID, \""; \"") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc

2 approach (i guess the better way) is to use the so called calculated fields:

See this page (reference)

so your $SPLUNK_HOME/etc/system/local/props.conf has to look like this:

<wineventlog:security>
ACC-DOMAIN = eval(Account_Domain = mvjoin(Account_Domain, "; ")

You add a calculated field for each of the desired fields that have the linefeed in it.

View solution in original post

0 Karma

Explorer

I found the answer by myself.
There are actually two approaches/methods you can solve this issue:

1. approach is escape the doubleqoute the right way which is \"" instead of ". This leads to the following search:

   splunk.exe "sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, \""; \"") | eval Account_Name=mvjoin(Account_Name, \""; \"") | eval Security_ID=mvjoin(Security_ID, \""; \"") | eval Logon_ID=mvjoin(Logon_ID, \""; \"") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc

2 approach (i guess the better way) is to use the so called calculated fields:

See this page (reference)

so your $SPLUNK_HOME/etc/system/local/props.conf has to look like this:

<wineventlog:security>
ACC-DOMAIN = eval(Account_Domain = mvjoin(Account_Domain, "; ")

You add a calculated field for each of the desired fields that have the linefeed in it.

View solution in original post

0 Karma