Splunk Search

Is there a way to use eval before the initial event search (sourcetype=xx)?

RMartinezDTV
Path Finder

Hi, I'm trying to run a search for recent transactions based on a user ID. I need to convert the user ID to hex before I can use it, as the event field contains the ID in hex. The idea here is to use a dashboard with a form input field for the decimal user ID.

This is what I was thinking:

| eval userid_hex=tonumber("",16) | search index=xx sourcetype=xx userID=userid_hex | transaction maxevents=2 transactionID

which gives me no events returned. I've rearranged the location of the eval and get the same results.

Obviously this works:

index=xx sourcetype=xx | eval userid_hex=tonumber("",16) | search userID=userid_hex | transaction maxevents=2 transactionID

but it pulls all events in the time window before filtering on userID. For 24 hours, I have approximately 3 million events, so this is very inefficient.

Is there a way to do evals before the initial search? Or am I missing some alternative method?

1 Solution

_d_
Splunk Employee

You'll need an eval-based macro for that. And tonumber() is not the right function, you'll need tostring().

  1. Create a Macro that has the eval-based definition checked (in Advanced Search | Macros)
  2. Call it in your search before the first pipe

Macro Name: toHex(1)
Macro Definition: tostring("\"".tostring($idDecimal$, "hex")."\"")

Usage: index=xx sourcetype=xx `toHex(22)`

In your form obviously you'd need to substitute 22 above with the userId token.


aweitzman
Motivator

You could do this with a simple subsearch (remember, subsearches get executed first):

index=xx sourcetype=xx [|gentimes start=-1 | eval userID=tostring(yournumbergoeshere,"hex") | fields userID]

RMartinezDTV
Path Finder

This works! My final version was replace(tostring("".tostring($subid$, "hex").""),"x","") where I replace the 0x with just 0 as I need 8 digits with a 0-pad in front.

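Added example, not code from the thread or from Splunk: a small Python model of the conversion the thread performs in SPL. It contrasts the final reply's trick of dropping the "x" from the "0x…" string (which yields 8 characters only when the hex value has exactly 7 digits) with explicit zero-padding to a fixed width, and assembles the quoted search term the accepted answer's macro builds. The helper names are hypothetical, and the assumption that Splunk's tostring(N, "hex") returns a lowercase, "0x"-prefixed string is modelled on the "0x" the reply itself mentions.

```python
# Added example (not from the thread above). Models the decimal-to-hex
# conversion the thread does in SPL so the padding behaviour is visible.
# Assumption: tostring(N, "hex") in Splunk yields "0x" + lowercase hex digits
# (the thread confirms the "0x" prefix; lowercase is assumed here).


def splunk_tostring_hex(n: int) -> str:
    """Mimic tostring(n, "hex") under the assumption above."""
    return f"0x{n:x}"


def replace_x_trick(n: int) -> str:
    """The final reply's approach: strip the 'x' so the leading '0' acts as a
    pad digit.  Gives exactly 8 characters only for 7-digit hex values;
    smaller IDs come out shorter, larger ones longer."""
    return splunk_tostring_hex(n).replace("x", "")


def zero_padded_hex(n: int, width: int = 8) -> str:
    """Explicit zero-padding to a fixed width, independent of the ID's size."""
    return f"{n:0{width}x}"


def build_search(user_id_dec: int, index: str = "xx", sourcetype: str = "xx") -> str:
    """Assemble the search with the quoted userID term, as the toHex macro in
    the accepted answer does, but using the fixed-width form."""
    return f'index={index} sourcetype={sourcetype} userID="{zero_padded_hex(user_id_dec)}"'


if __name__ == "__main__":
    # Constructed sample IDs: a 7-digit hex value (where both agree) and the
    # thread's own example value 22 (where the two forms differ).
    for sample in (0x1234567, 22):
        print(sample, replace_x_trick(sample), zero_padded_hex(sample))
    print(build_search(22))
```

For the 7-digit case both helpers return "01234567"; for 22 the replace trick returns "016" while the padded form returns "00000016", which is the value an 8-digit event field would actually hold.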