Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Running an eval after a sub-search make my comparison negative

mybestfriendbob
Explorer
‎07-07-2021 06:12 AM

I am trying to make a comparison of one field against itself but from a previous day.  The use case is I'm trying to see if that value changes from day to day, the field is a file hash.  I sun a search for today and rename the field I want to compare then run a subsearch and rename the field again so I can then compare them after the subsearch finishes but the eval always evaluates to false and displays the last response you place in the eval line.  

My code:

index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"
| rename FileHash as "todays_hash"
| append [ search index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"
| rename FileHash as "yesterdays_hash"]
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table description todays_hash yesterdays_hash

 

I have tried changing the order of the eval putting != before == and it will always take the second options.  The table it showing the eval results and the 2 hashes.

Thanks!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-07-2021 07:20 AM

The append command creates separate events for the results of the subsearch.  IOW, the first set of events will contain a todays_hash field, but not a yesterdays_hash" field and the appended events will contain a yesterdays_hash field, but not a todays_hash field.  The solution is to use the stats command to combine the events on a common field.

index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"
| rename FileHash as "yesterdays_hash"
| append [ search index=my_index RuleName="Monitor The File" 
  FileName="file.exe" earliest="06/12/2021:00:00:00" 
  latest="06/12/2021:24:00:00"
| rename FileHash as "todays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

mybestfriendbob
Explorer
‎07-08-2021 06:31 AM

That worked perfectly, thanks!

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-07-2021 09:48 AM

@mybestfriendbob 

You can try this also.

index=my_index RuleName="Monitor The File" FileName="file.exe" earliest=-1d@d
| eval FileHash = if( _time>=relative_time(now(), "@d"),FileHash,null())
| eval PrevFileHash = if( _time<relative_time(now(), "@d"),FileHash,null())
| stats values(*) as * by FileName 
| eval description=case(FileHash=PrevFileHash,"Hash has not changed", FileHash!=PrevFileHash,"Hash has changed") 
| table FileName description FileHash PrevFileHash

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-07-2021 07:20 AM

The append command creates separate events for the results of the subsearch.  IOW, the first set of events will contain a todays_hash field, but not a yesterdays_hash" field and the appended events will contain a yesterdays_hash field, but not a todays_hash field.  The solution is to use the stats command to combine the events on a common field.

index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"
| rename FileHash as "yesterdays_hash"
| append [ search index=my_index RuleName="Monitor The File" 
  FileName="file.exe" earliest="06/12/2021:00:00:00" 
  latest="06/12/2021:24:00:00"
| rename FileHash as "todays_hash"]
| stats values(*) as * by FileName
| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")
| table FileName description todays_hash yesterdays_hash
---
If this reply helps you, Karma would be appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...