Splunk Search

How to use eval function in search in CLI

Explorer

Hi all,

I'm currently trying to run a search within the CLI (which works perfectly on Splunk Web).

The search is the following:

sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, "; ") | eval Account_Name=mvjoin(Account_Name, "; ") | eval Security_ID=mvjoin(Security_ID, "; ") | eval Logon_ID=mvjoin(Logon_ID, "; ") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc

Note: I am using the eval function to join multiple values that appear in one field in order to remove "line feeds" (because my goal is to export to csv).

In Windows PowerShell I run the following command:

splunk.exe "sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, `"; `") | eval Account_Name=mvjoin(Account_Name, `"; `") | eval Security_ID=mvjoin(Security_ID, `"; `") | eval Logon_ID=mvjoin(Logon_ID, `"; `") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc

Please note that the command would work perfectly if the eval functions are left out, but I need them to achieve my goal having no more "line feeds". So it's more or less a problem of right escaping!?
I tried to use the escaping explained on this site but no luck yet. any ideas?

cheers
-ciir

PS: I know that there is such a thing as a Splunk PowerShell Resource Kit (but do I really have to use it?)

0 Karma
1 Solution

Explorer

I found the answer by myself.
There are actually two approaches/methods you can solve this issue:

1. approach is escape the doubleqoute the right way which is \"" instead of ". This leads to the following search:

   splunk.exe "sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, \""; \"") | eval Account_Name=mvjoin(Account_Name, \""; \"") | eval Security_ID=mvjoin(Security_ID, \""; \"") | eval Logon_ID=mvjoin(Logon_ID, \""; \"") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc

2 approach (i guess the better way) is to use the so called calculated fields:

See this page (reference)

so your $SPLUNK_HOME/etc/system/local/props.conf has to look like this:

<wineventlog:security>
ACC-DOMAIN = eval(Account_Domain = mvjoin(Account_Domain, "; ")

You add a calculated field for each of the desired fields that have the linefeed in it.

View solution in original post

0 Karma

Explorer

I found the answer by myself.
There are actually two approaches/methods you can solve this issue:

1. approach is escape the doubleqoute the right way which is \"" instead of ". This leads to the following search:

   splunk.exe "sourcetype=wineventlog:security (EventCode=4776 OR EventCode=4648 OR EventCode=4624 OR EventCode=4672 OR EventCode=4647 OR EventCode=4634) | eval Account_Domain=mvjoin(Account_Domain, \""; \"") | eval Account_Name=mvjoin(Account_Name, \""; \"") | eval Security_ID=mvjoin(Security_ID, \""; \"") | eval Logon_ID=mvjoin(Logon_ID, \""; \"") | table _number, _time, EventCode, ComputerName, Account_Domain, Account_Name, Security_ID, Logon_ID, Logon_Type | sort _time desc

2 approach (i guess the better way) is to use the so called calculated fields:

See this page (reference)

so your $SPLUNK_HOME/etc/system/local/props.conf has to look like this:

<wineventlog:security>
ACC-DOMAIN = eval(Account_Domain = mvjoin(Account_Domain, "; ")

You add a calculated field for each of the desired fields that have the linefeed in it.

View solution in original post

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!