Use a Function without Running a Search

pfernandez133 · ‎06-18-2014

Hey guys, is it possible to run an eval function in the search bar without piping a search to it?

In an attempt to test the urldecode function, I'm trying to run the following on the search bar:

| eval x=urldecode("http%3A%2F%2Fwww.blah.com%2Fsomething%2Fsomething-something") | search x!=""

I'm just trying to see what that urldecode function will do with that string, but, I would like to be able to do something like this with other functions in the future.

Any thoughts?

Thanks!

somesoni2 · ‎06-18-2014

There are multiple options, here are 2 of them

|stats count | eval x=urldecode("http%3A%2F%2Fwww.blah.com%2Fsomething%2Fsomething-something") | fields - count | search x!=""


| gentimes start=-1 | eval x=urldecode("http%3A%2F%2Fwww.blah.com%2Fsomething%2Fsomething-something") | table x | search x!=""

pfernandez133 · ‎06-18-2014

That works, thanks!

bkirk · ‎06-18-2014

This is a search but you throw out the results and just return the results of your eval function:

sourcetype="lsof" |head 1 | eval x=urldecode("http%3A%2F%2Fwww.blah.com%2Fsomething%2Fsomething-something") |table x

You can use any sourcetype, I just picked one that should available for everyone.

pfernandez133 · ‎06-18-2014

That also works, thanks!

Use a Function without Running a Search

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Are you a member of the Splunk Community?

Use a Function without Running a Search

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination