Splunk Search

Running an eval after a sub-search makes my comparison negative

mybestfriendbob
Explorer

I am trying to make a comparison of one field against itself but from a previous day. The use case is I'm trying to see if that value changes from day to day; the field is a file hash. I run a search for today and rename the field I want to compare, then run a subsearch and rename the field again so I can compare them after the subsearch finishes, but the eval always evaluates to false and displays the last response you place in the eval line.

My code:

index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"
| rename FileHash as "todays_hash"
| append [ search index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"
| rename FileHash as "yesterdays_hash"]
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table description todays_hash yesterdays_hash


I have tried changing the order of the eval, putting != before ==, and it will always take the second option. The table is showing the eval results and the 2 hashes.

Thanks!


richgalloway
SplunkTrust

The append command creates separate events for the results of the subsearch. IOW, the first set of events will contain a todays_hash field, but not a yesterdays_hash field, and the appended events will contain a yesterdays_hash field, but not a todays_hash field. The solution is to use the stats command to combine the events on a common field.

index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"
| rename FileHash as "yesterdays_hash"
| append [ search index=my_index RuleName="Monitor The File" 
  FileName="file.exe" earliest="06/12/2021:00:00:00" 
  latest="06/12/2021:24:00:00"
| rename FileHash as "todays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash
---
If this reply helps you, Karma would be appreciated.


mybestfriendbob
Explorer

That worked perfectly, thanks!


kamlesh_vaghela
SplunkTrust

@mybestfriendbob 

You can try this also.

index=my_index RuleName="Monitor The File" FileName="file.exe" earliest=-1d@d
| eval FileHash = if( _time>=relative_time(now(), "@d"),FileHash,null())
| eval PrevFileHash = if( _time<relative_time(now(), "@d"),FileHash,null())
| stats values(*) as * by FileName 
| eval description=case(FileHash=PrevFileHash,"Hash has not changed", FileHash!=PrevFileHash,"Hash has changed") 
| table FileName description FileHash PrevFileHash


Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

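As an added illustration (my own Python model, not code from this thread or from Splunk), the block below reproduces why the question's append-then-eval pipeline can never compare the two hashes, and how the stats-by-FileName merge used in both richgalloway's and kamlesh_vaghela's answers fixes it. It also goes one step beyond the answers: a file that has no previous-day baseline leaves the two-branch case() with no matching condition and therefore no description, so the model adds an explicit isnull-style branch that reports that state. The sample events, the field names, the exclusion of _time from the values(*) merge and the rule that a comparison involving a missing field does not match are all assumptions of this model, not verified Splunk internals.

```python
"""Row-level model of the SPL pipeline discussed in this thread:
append, 'stats values(*) as * by FileName' and 'eval description=case(...)'.
Rows are plain dicts; an absent key plays the role of a null field.
Every event below is constructed sample data, not real telemetry."""


# Constructed events for two days.  file.exe changes hash on 06/12 (twice,
# to show a multivalue result); other.exe is first seen on 06/12, so it has
# no baseline from the previous day.
EVENTS = [
    {"_time": "2021-06-11 08:00", "FileName": "file.exe",  "FileHash": "aaaa1111"},
    {"_time": "2021-06-11 20:00", "FileName": "file.exe",  "FileHash": "aaaa1111"},
    {"_time": "2021-06-12 08:00", "FileName": "file.exe",  "FileHash": "bbbb2222"},
    {"_time": "2021-06-12 18:00", "FileName": "file.exe",  "FileHash": "dddd4444"},
    {"_time": "2021-06-12 09:00", "FileName": "other.exe", "FileHash": "cccc3333"},
]


def search(events, day):
    """The base search restricted to one calendar day (earliest/latest)."""
    return [dict(e) for e in events if e["_time"].startswith(day)]


def rename(rows, old, new):
    """'| rename old AS new': only rows that carry the field are affected."""
    out = []
    for r in rows:
        r = dict(r)
        if old in r:
            r[new] = r.pop(old)
        out.append(r)
    return out


def stats_values_by(rows, key):
    """'| stats values(*) as * by key' (modelled without _time): one row per
    key value, every other field collapsed to its distinct values.  A field
    with more than one distinct value becomes a list, i.e. a multivalue
    field in Splunk terms."""
    merged = {}
    for r in rows:
        bucket = merged.setdefault(r[key], {key: r[key]})
        for field, value in r.items():
            if field in (key, "_time"):
                continue
            bucket.setdefault(field, set()).add(value)
    result = []
    for bucket in merged.values():
        row = {key: bucket[key]}
        for field, values in bucket.items():
            if field == key:
                continue
            values = sorted(values)
            row[field] = values[0] if len(values) == 1 else values
        result.append(row)
    return result


def describe(row, today="todays_hash", yesterday="yesterdays_hash"):
    """'| eval description=case(...)' with an added isnull-style guard.

    Modelling assumption: a comparison against a missing field does not
    match, so the original two-branch case() produces no description for a
    file without a baseline.  The guard names that state instead of hiding
    it.  A multivalue todays_hash never equals a scalar yesterdays_hash,
    which correctly reads as 'something changed'."""
    a, b = row.get(today), row.get(yesterday)
    if a is None or b is None:
        return "No baseline to compare"
    return "Hash has not changed" if a == b else "Hash has changed"


def appended_rows(events):
    """Today's rows renamed to todays_hash, appended to yesterday's rows
    renamed to yesterdays_hash: the state right after '| append [...]'."""
    rows = rename(search(events, "2021-06-12"), "FileHash", "todays_hash")
    rows += rename(search(events, "2021-06-11"), "FileHash", "yesterdays_hash")
    return rows


def naive_append_pipeline(events):
    """The question's pipeline: eval runs per row, and every row carries
    only one of the two hash fields, so no row can ever be compared."""
    return [describe(r) for r in appended_rows(events)]


def stats_pipeline(events):
    """The accepted answer: stats by FileName merges both days into a single
    row per file before the eval runs."""
    return {r["FileName"]: describe(r)
            for r in stats_values_by(appended_rows(events), "FileName")}


if __name__ == "__main__":
    print(naive_append_pipeline(EVENTS))
    print(stats_pipeline(EVENTS))
```

Two things the model makes visible that the SPL alone does not: after the stats merge, a file that changed hash more than once in a day carries a multivalue todays_hash (still reported as changed, but a mvcount() check would tell you how many versions were seen), and a file with no previous-day rows gets an explicit "No baseline to compare" rather than an empty description, which is the row an analyst would otherwise miss in the table.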
