Splunk Search

Need help with eval and if then statement - showing errors.

UMDTERPS
Communicator
| inputlookup list.csv 
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix  + newnorton  + newmcafee

The above search works and returns all of the columns needed and adds the correct numbers to the columns.

However, I am trying to run an eval and if-then statement after the above search as follows:

| inputlookup list.csv 
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix  + newnorton  + newmcafee
| eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")

The above search fails with the following error:

Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
The search job has failed due to an error. You may be able view the job in the Job Inspector.

If I run just the search:

|search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model

It runs just fine.

Any ideas why the | eval search1 = if is not working?


woodcock
Esteemed Legend

Maybe this?

index="bigfix"
[|inputlookup list.csv 
| eval search_score = if(bigfix = 1,1,0) + if(norton = 1,3,0) + if(mcafee = 1,6,0)
| where search_score==1
| rename ip AS IPAddress
| table IPAddress]
| table IPAddress, CompName, MAC , OS, Manufacturer, Model
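The point of the error the poster hit is that a subsearch cannot be placed inside eval's if(): a subsearch returns a search filter, not a field value, so the scoring has to decide which hosts to look up and the subsearch then feeds that host list to the outer search. The search below is an added example (not from any reply in this thread) that combines both halves: the lookup drives the outer search, the same lookup is then joined back onto the matching events with the lookup command so the score can be recomputed per event, and case() decodes the score into the agent set. It assumes the field names the poster gave (ip, bigfix, norton, mcafee in list.csv; IPAddress, CompName, MAC, OS, Manufacturer, Model in index bigfix) and that list.csv is uploaded as a lookup table file so it can be referenced by filename.

```spl
index="bigfix"
    [| inputlookup list.csv
     | eval search_score = if(bigfix=1,1,0) + if(norton=1,3,0) + if(mcafee=1,6,0)
     | where search_score>0
     | rename ip AS IPAddress
     | table IPAddress]
| lookup list.csv ip AS IPAddress OUTPUT bigfix norton mcafee
| eval search_score = if(bigfix=1,1,0) + if(norton=1,3,0) + if(mcafee=1,6,0)
| eval agents = case(search_score=1,  "bigfix",
                     search_score=3,  "norton",
                     search_score=4,  "bigfix+norton",
                     search_score=6,  "mcafee",
                     search_score=7,  "bigfix+mcafee",
                     search_score=9,  "norton+mcafee",
                     search_score=10, "bigfix+norton+mcafee",
                     true(),          "none")
| table IPAddress, CompName, MAC, OS, Manufacturer, Model, search_score, agents
```

The subsearch expands to `(IPAddress="198.168.1.25") OR (IPAddress="...")` for every row whose score is non-zero, which is the filter the poster was trying to express with if(); changing the inner `where` to `search_score=1` reproduces the bigfix-only case from the question. The weights 1, 3 and 6 were chosen so that every combination of the three agents sums to a distinct value, which is what makes the case() decode unambiguous; note that the subsearch is capped by the default subsearch result limit (10,000 rows), so a very large lookup would need the lookup-command form alone rather than the subsearch.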

woodcock
Esteemed Legend

Give me a mockup of what you expect search1 to contain at the end.


UMDTERPS
Communicator

We have 4 fields in the | inputlookup list.csv as follows:

ip             bigfix   norton   mcafee
198.168.1.25   1        0        0

| inputlookup list.csv 
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee

The if-then eval statements look at the fields to see if there is a 0 or 1 in each of the agent fields, and then create a new column called "search_score" by adding all of the agent field numbers together and assigning a score:

ip             bigfix   norton   mcafee   search_score
198.168.1.25   1        0        0        1

For example, in the case of 198.168.1.25, the if-then statement sees that there is a 1 for bigfix and a 0 for norton and mcafee. The final eval statement will add all of the scores together and assign a score. In this case, because 198.168.1.25 only has a 1 for bigfix and 0 for norton and mcafee, it will be assigned a 1 for the newly created "search_score" field.

| eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")

In regards to your question, "search1" looks to see which ips have a search score equal to 1, because we know that having a search_score equal to 1 can only mean the ip has a 1 for bigfix. search1 will return the following fields from bigfix: IPAddress, CompName, MAC, OS, Manufacturer, Model. If the ip has a search_score of 4, we know the ip has bigfix and norton, and search1 will return fields from bigfix and norton. I chose just to use bigfix in search1 as an example to make it less complicated to explain for help.

Does that help in better understanding what search1 is supposed to do?


woodcock
Esteemed Legend

I know that you are trying but it still makes absolutely no sense to me at all. Let's go back around again. Show me 5 lines of what the output is after the | eval search_score = newbigfix + newnorton + newmcafee line executes. Then DO NOT SHOW ANY MORE SPL. Just show me how you would like those 5 lines transformed for your final result.


vishaltaneja070
Motivator

Try this:
| makeresults | eval bigfix=1 | eval norton=1 | eval mcafee=0
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee
| eval search1 = if (search_score == 4, "index=bigfix IPAddress =198.168.1.25 | table IPAddress CompName MAC OS Manufacturer Model","")


UMDTERPS
Communicator

Error in 'makeresults' command: This command must be the first command of a search.
The search job has failed due to an error. You may be able view the job in the Job Inspector.


UMDTERPS
Communicator

Hello!

For this search we are using a lookup table (CSV), so | inputlookup list.csv needs to be there.

For further clarification of the eval statements below:

| inputlookup list.csv
| eval newbigfix=if(bigfix = 1,1,0)
| eval newnorton=if(norton = 1,3,0)
| eval newmcafee=if(mcafee = 1,6,0)
| eval search_score = newbigfix + newnorton + newmcafee

The first statement:

| eval newbigfix=if(bigfix = 1,1,0)

What this statement is saying is that if the ip has a 1 in the bigfix field we assign it a 1; if it doesn't, it assigns it a 0 (because it doesn't have bigfix). The number it gets assigned goes into the "newbigfix" field.

The above is the same for all 3 eval statements. Once the "new" score is assigned for a given IP, I do an eval to add up all of the numbers and place the number in a new field called "search_score":

| eval search_score = newbigfix + newnorton + newmcafee

In order to return the correct fields, I use another eval statement "search1" to return fields based on the "search_score"

| eval search1 = if (search_score == 1, [search index="bigfix" IPAddress ="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model], "")

adonio
Ultra Champion

try this:

| where index="bigfix" AND IPAddress="198.168.1.25" | table IPAddress, CompName, MAC , OS, Manufacturer, Model
