Splunk Search

Why can't I use subsearch in the case function in the eval command?

ilove275
Path Finder

Why can't use subsearch in case command?

index="01_firewall" sourcetype="01_firewall"
[search index=webping | rename ping_url as url| dedup url| fields url| search url="http://www.aaa.com"
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip as search]
| fields SourceIP DestinationIP Count Action PacketSize
| search
| eval attacketIP=case(SourceIP=="[search index=webping | rename ping_url as url| dedup url| fields url| search url="http://www.aaa.com"
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search]
", DestinationIP
, DestinationIP=="[search index=webping | rename ping_url as url| dedup url| fields url| search url="http://www.aaa.com"
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search]
" , SourceIP)
|search NOT attacketIP="NOT" | geoip attacketIP | table attacketIP Count attacketIP_country_name Action PacketSize

1 Solution

dwaddle
SplunkTrust
SplunkTrust

I don't think there is any particular reason why you should not be able to do this. But, you have to really nail it syntactically.

I did some experimenting with searches SIMILAR to yours, but not exactly like it. As Sorkin mentions in http://splunk-base.splunk.com/answers/7244/using-a-subsearch-in-an-eval-line if you rename the output field of a subsearch to query then it gets emitted pretty much plain-jane into the outer search. (As the docs explain at http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork search is another output field from subsearches that gets formatted specially, and the format search command can be used to manipulate the whole output mechanism)

My search turned out to look like:

sourcetype=mysourcetype
| eval bobby=case(
  host==[ search sourcetype=mysourcetype
    | head 1 
    | rename host as query 
    | fields query 
    | eval query="\"".query."\"" ],"woo-host-1",
  host==[ search sourcetype=mysourcetype 
    | tail 1
    | rename host as query 
    | fields query 
    | eval query="\"".query."\"" ],"woo-host-2"
  )

The above search makes a new field called bobby that is set based on the value of host compared to the value of host coming out of two different subsearches.

This gets tricky because the result of each subsearch gets inserted into the main search as verbatim text (because we returned the query field from the subsearch). Not all values of query coming out of subsearch can stand alone and make sense. In the simplest example of eval, to set a field to a specific string value, you must do:

... | eval foo="bar"

It does not work to do:

... | eval foo=bar

So, I had to add in an additional eval within each subsearch to make sure the string coming out of it was surrounded by quotes -- otherwise it will not work. (Numeric values, however, do seem to work without the additional eval within the subsearch.)

View solution in original post

ilove275
Path Finder

This query is successively executed in Search bar. But It is not work in dashboard.
eval ip_addr="\"".ip_addr."\"" =>> How can i changed query in xml

i try to change that
eval ip_addr="\"".ip_addr."\""

eval ip_addr=""".ip_addr."""

index="01_firewall" sourcetype="01_firewall"
[search index=webping | rename ping_url as url| dedup url| fields url| search $url$
| join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time |rename ip_addr as search]
| fields SourceIP DestinationIP Count Action PacketSize

        | eval ip_addr = [search index=webping | rename ping_url as url| dedup url| fields url| search $url$ 
        | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time | fields ip_addr 
        | ***eval ip_addr="\"".ip_addr."\""*** | rename ip_addr as search]

        | search 
        | eval attackerIP=case(SourceIP==ip_addr , DestinationIP , DestinationIP==ip_addr  , SourceIP,1==1,"NOT") 
        |search NOT attackerIP="NOT" | geoip attackerIP | table attackerIP Count attackerIP_country_name Action PacketSize
0 Karma

dwaddle
SplunkTrust
SplunkTrust

You might be better off to move this into a separate question entirely. But, briefly, your view XML might be more friendly to this search if you use CDATA -- http://splunk-base.splunk.com/answers/3435/escape-and-in-the-xml-of-dashboards

0 Karma

dwaddle
SplunkTrust
SplunkTrust

I don't think there is any particular reason why you should not be able to do this. But, you have to really nail it syntactically.

I did some experimenting with searches SIMILAR to yours, but not exactly like it. As Sorkin mentions in http://splunk-base.splunk.com/answers/7244/using-a-subsearch-in-an-eval-line if you rename the output field of a subsearch to query then it gets emitted pretty much plain-jane into the outer search. (As the docs explain at http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork search is another output field from subsearches that gets formatted specially, and the format search command can be used to manipulate the whole output mechanism)

My search turned out to look like:

sourcetype=mysourcetype
| eval bobby=case(
  host==[ search sourcetype=mysourcetype
    | head 1 
    | rename host as query 
    | fields query 
    | eval query="\"".query."\"" ],"woo-host-1",
  host==[ search sourcetype=mysourcetype 
    | tail 1
    | rename host as query 
    | fields query 
    | eval query="\"".query."\"" ],"woo-host-2"
  )

The above search makes a new field called bobby that is set based on the value of host compared to the value of host coming out of two different subsearches.

This gets tricky because the result of each subsearch gets inserted into the main search as verbatim text (because we returned the query field from the subsearch). Not all values of query coming out of subsearch can stand alone and make sense. In the simplest example of eval, to set a field to a specific string value, you must do:

... | eval foo="bar"

It does not work to do:

... | eval foo=bar

So, I had to add in an additional eval within each subsearch to make sure the string coming out of it was surrounded by quotes -- otherwise it will not work. (Numeric values, however, do seem to work without the additional eval within the subsearch.)

ilove275
Path Finder

Thank you very much.

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...