Hi, I'm trying to run a search for recent transactions based on a user ID. I need to convert the user ID to hex before I can use it, as the event field contains the ID in hex. The idea here is to use a dashboard with a form input field for the decimal user ID.
This is what I was thinking:
| eval userid_hex=tonumber("",16) | search index=xx sourcetype=xx userID=userid_hex | transaction maxevents=2 transactionID
which gives me no events returned. I've rearranged the location of the eval and get the same results.
Obviously this works:
index=xx sourcetype=xx | eval userid_hex=tonumber("",16) | search userID=userid_hex | transaction maxevents=2 transactionID
but it pulls all events in the time window before filtering on userID. For 24 hours, I have approximately 3 million events, so this is very inefficient.
Is there a way to do evals before the initial search? Or am I missing some alternative method?
You'll need an eval-based macro for that. And tonumber() is not the right function, you'll need tostring().
Macro Name: toHex(1)
Macro Definition: tostring("\"".tostring($idDecimal$, "hex")."\"")
Usage: index=xx sourcetype=xx `toHex(22)`
In your form obviously you'd need to substitute 22 above with the userId token.
You could do this with a simple subsearch (remember, subsearches get executed first):
index=xx sourcetype=xx [|gentimes start=-1 | eval userID=tostring(yournumbergoeshere,"hex") | fields userID]
This works! My final version was replace(tostring("".tostring($subid$, "hex").""),"x","")
where I replace the 0x with just 0 as I need 8 digits with a 0-pad in front.
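As an added example, not taken from any post in this thread: the subsearch approach from above, extended to produce the 8-digit zero-padded hex that the final comment asks for, so the converted value is computed once and the main search stays a pure index-time filter. The index, sourcetype, field names and the dashboard token name $userid_tok$ are assumptions standing in for whatever the form actually uses.

```spl
index=xx sourcetype=xx
    [| makeresults
     | eval userID=substr("00000000".replace(tostring($userid_tok$, "hex"), "^0x", ""), -8)
     | fields userID]
| transaction maxevents=2 transactionID
```

The subsearch runs first and is rewritten into the literal term userID="000000ff" for an input of 255 (tostring(255, "hex") yields "0xff"; the anchored regex strips only the leading "0x", eight zeros are prepended, and substr with a negative start keeps the last eight characters). Because the value is substituted as a search term rather than inside a macro string, no escaped quotes are needed. To check the conversion before wiring it into the form, run the bracketed part on its own with the token replaced by a test number and confirm the single result row shows the padded value.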