Splunk Search

Why can't I use subsearch in the case function in the eval command?

ilove275
Path Finder

Why can't use subsearch in case command?

index="01_firewall" sourcetype="01_firewall"
[search index=webping | rename ping_url as url| dedup url| fields url| search url="http://www.aaa.com"
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip as search]
| fields SourceIP DestinationIP Count Action PacketSize
| search
| eval attacketIP=case(SourceIP=="[search index=webping | rename ping_url as url| dedup url| fields url| search url="http://www.aaa.com"
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search]
", DestinationIP
, DestinationIP=="[search index=webping | rename ping_url as url| dedup url| fields url| search url="http://www.aaa.com"
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search]
" , SourceIP)
|search NOT attacketIP="NOT" | geoip attacketIP | table attacketIP Count attacketIP_country_name Action PacketSize

1 Solution

dwaddle
SplunkTrust
SplunkTrust

I don't think there is any particular reason why you should not be able to do this. But, you have to really nail it syntactically.

I did some experimenting with searches SIMILAR to yours, but not exactly like it. As Sorkin mentions in http://splunk-base.splunk.com/answers/7244/using-a-subsearch-in-an-eval-line if you rename the output field of a subsearch to query then it gets emitted pretty much plain-jane into the outer search. (As the docs explain at http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork search is another output field from subsearches that gets formatted specially, and the format search command can be used to manipulate the whole output mechanism)

My search turned out to look like:

sourcetype=mysourcetype
| eval bobby=case(
  host==[ search sourcetype=mysourcetype
    | head 1 
    | rename host as query 
    | fields query 
    | eval query="\"".query."\"" ],"woo-host-1",
  host==[ search sourcetype=mysourcetype 
    | tail 1
    | rename host as query 
    | fields query 
    | eval query="\"".query."\"" ],"woo-host-2"
  )

The above search makes a new field called bobby that is set based on the value of host compared to the value of host coming out of two different subsearches.

This gets tricky because the result of each subsearch gets inserted into the main search as verbatim text (because we returned the query field from the subsearch). Not all values of query coming out of subsearch can stand alone and make sense. In the simplest example of eval, to set a field to a specific string value, you must do:

... | eval foo="bar"

It does not work to do:

... | eval foo=bar

So, I had to add in an additional eval within each subsearch to make sure the string coming out of it was surrounded by quotes -- otherwise it will not work. (Numeric values, however, do seem to work without the additional eval within the subsearch.)

View solution in original post

ilove275
Path Finder

This query is successively executed in Search bar. But It is not work in dashboard.
eval ip_addr="\"".ip_addr."\"" =>> How can i changed query in xml

i try to change that
eval ip_addr="\"".ip_addr."\""

eval ip_addr=""".ip_addr."""

index="01_firewall" sourcetype="01_firewall"
[search index=webping | rename ping_url as url| dedup url| fields url| search $url$
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search]
| fields SourceIP DestinationIP Count Action PacketSize

        | eval ip_addr = [search index=webping | rename ping_url as url| dedup url| fields url| search $url$ 
        | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time | fields ip_addr 
        | ***eval ip_addr="\"".ip_addr."\""*** | rename ip_addr as search]

        | search 
        | eval attackerIP=case(SourceIP==ip_addr , DestinationIP , DestinationIP==ip_addr  , SourceIP,1==1,"NOT") 
        |search NOT attackerIP="NOT" | geoip attackerIP | table attackerIP Count attackerIP_country_name Action PacketSize
0 Karma

dwaddle
SplunkTrust
SplunkTrust

You might be better off to move this into a separate question entirely. But, briefly, your view XML might be more friendly to this search if you use CDATA -- http://splunk-base.splunk.com/answers/3435/escape-and-in-the-xml-of-dashboards

0 Karma

dwaddle
SplunkTrust
SplunkTrust

I don't think there is any particular reason why you should not be able to do this. But, you have to really nail it syntactically.

I did some experimenting with searches SIMILAR to yours, but not exactly like it. As Sorkin mentions in http://splunk-base.splunk.com/answers/7244/using-a-subsearch-in-an-eval-line if you rename the output field of a subsearch to query then it gets emitted pretty much plain-jane into the outer search. (As the docs explain at http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork search is another output field from subsearches that gets formatted specially, and the format search command can be used to manipulate the whole output mechanism)

My search turned out to look like:

sourcetype=mysourcetype
| eval bobby=case(
  host==[ search sourcetype=mysourcetype
    | head 1 
    | rename host as query 
    | fields query 
    | eval query="\"".query."\"" ],"woo-host-1",
  host==[ search sourcetype=mysourcetype 
    | tail 1
    | rename host as query 
    | fields query 
    | eval query="\"".query."\"" ],"woo-host-2"
  )

The above search makes a new field called bobby that is set based on the value of host compared to the value of host coming out of two different subsearches.

This gets tricky because the result of each subsearch gets inserted into the main search as verbatim text (because we returned the query field from the subsearch). Not all values of query coming out of subsearch can stand alone and make sense. In the simplest example of eval, to set a field to a specific string value, you must do:

... | eval foo="bar"

It does not work to do:

... | eval foo=bar

So, I had to add in an additional eval within each subsearch to make sure the string coming out of it was surrounded by quotes -- otherwise it will not work. (Numeric values, however, do seem to work without the additional eval within the subsearch.)

ilove275
Path Finder

Thank you very much.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...