Splunk Search

Why can't I use subsearch in the case function in the eval command?

Path Finder

Why can't use subsearch in case command?

index="01firewall" sourcetype="01firewall"
[search index=webping | rename pingurl as url| dedup url| fields url| search url="http://www.aaa.com"
| join type=left url [SEARCH index="lookup" sourcetype="url
info" earliest=-24h] | fields - time |rename ip as search]
| fields SourceIP DestinationIP Count Action PacketSize
| search
| eval attacketIP=case(SourceIP=="**[search index=webping | rename ping
url as url| dedup url| fields url| search url="http://www.aaa.com"
| join type=left url [SEARCH index="lookup" sourcetype="urlinfo" earliest=-24h] | fields - _time |rename ipaddr as search]", DestinationIP
, DestinationIP=="
[search index=webping | rename pingurl as url| dedup url| fields url| search url="http://www.aaa.com"
| join type=left url [SEARCH index="lookup" sourcetype="url
info" earliest=-24h] | fields - time |rename ipaddr as search]**" , SourceIP)
|search NOT attacketIP="NOT" | geoip attacketIP | table attacketIP Count attacketIPcountryname Action PacketSize

1 Solution

SplunkTrust
SplunkTrust

I don't think there is any particular reason why you should not be able to do this. But, you have to really nail it syntactically.

I did some experimenting with searches SIMILAR to yours, but not exactly like it. As Sorkin mentions in http://splunk-base.splunk.com/answers/7244/using-a-subsearch-in-an-eval-line if you rename the output field of a subsearch to query then it gets emitted pretty much plain-jane into the outer search. (As the docs explain at http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork search is another output field from subsearches that gets formatted specially, and the format search command can be used to manipulate the whole output mechanism)

My search turned out to look like:

sourcetype=mysourcetype
| eval bobby=case(
  host==[ search sourcetype=mysourcetype
    | head 1 
    | rename host as query 
    | fields query 
    | eval query="\"".query."\"" ],"woo-host-1",
  host==[ search sourcetype=mysourcetype 
    | tail 1
    | rename host as query 
    | fields query 
    | eval query="\"".query."\"" ],"woo-host-2"
  )

The above search makes a new field called bobby that is set based on the value of host compared to the value of host coming out of two different subsearches.

This gets tricky because the result of each subsearch gets inserted into the main search as verbatim text (because we returned the query field from the subsearch). Not all values of query coming out of subsearch can stand alone and make sense. In the simplest example of eval, to set a field to a specific string value, you must do:

... | eval foo="bar"

It does not work to do:

... | eval foo=bar

So, I had to add in an additional eval within each subsearch to make sure the string coming out of it was surrounded by quotes -- otherwise it will not work. (Numeric values, however, do seem to work without the additional eval within the subsearch.)

View solution in original post

Path Finder

This query is successively executed in Search bar. But It is not work in dashboard.
eval ipaddr="\"".ipaddr."\"" =>> How can i changed query in xml

i try to change that
eval ipaddr="\"".ipaddr."\""

eval ipaddr=""".ipaddr."""

index="01firewall" sourcetype="01firewall"
[search index=webping | rename pingurl as url| dedup url| fields url| search $url$
| join type=left url [SEARCH index="lookup" sourcetype="url
info" earliest=-24h] | fields - time |rename ipaddr as search]
| fields SourceIP DestinationIP Count Action PacketSize

        | eval ip_addr = [search index=webping | rename ping_url as url| dedup url| fields url| search $url$ 
        | join type=left url [SEARCH index="lookup" sourcetype="url_info" earliest=-24h] | fields - _time | fields ip_addr 
        | ***eval ip_addr="\"".ip_addr."\""*** | rename ip_addr as search]

        | search 
        | eval attackerIP=case(SourceIP==ip_addr , DestinationIP , DestinationIP==ip_addr  , SourceIP,1==1,"NOT") 
        |search NOT attackerIP="NOT" | geoip attackerIP | table attackerIP Count attackerIP_country_name Action PacketSize
0 Karma

SplunkTrust
SplunkTrust

You might be better off to move this into a separate question entirely. But, briefly, your view XML might be more friendly to this search if you use CDATA -- http://splunk-base.splunk.com/answers/3435/escape-and-in-the-xml-of-dashboards

0 Karma

SplunkTrust
SplunkTrust

I don't think there is any particular reason why you should not be able to do this. But, you have to really nail it syntactically.

I did some experimenting with searches SIMILAR to yours, but not exactly like it. As Sorkin mentions in http://splunk-base.splunk.com/answers/7244/using-a-subsearch-in-an-eval-line if you rename the output field of a subsearch to query then it gets emitted pretty much plain-jane into the outer search. (As the docs explain at http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork search is another output field from subsearches that gets formatted specially, and the format search command can be used to manipulate the whole output mechanism)

My search turned out to look like:

sourcetype=mysourcetype
| eval bobby=case(
  host==[ search sourcetype=mysourcetype
    | head 1 
    | rename host as query 
    | fields query 
    | eval query="\"".query."\"" ],"woo-host-1",
  host==[ search sourcetype=mysourcetype 
    | tail 1
    | rename host as query 
    | fields query 
    | eval query="\"".query."\"" ],"woo-host-2"
  )

The above search makes a new field called bobby that is set based on the value of host compared to the value of host coming out of two different subsearches.

This gets tricky because the result of each subsearch gets inserted into the main search as verbatim text (because we returned the query field from the subsearch). Not all values of query coming out of subsearch can stand alone and make sense. In the simplest example of eval, to set a field to a specific string value, you must do:

... | eval foo="bar"

It does not work to do:

... | eval foo=bar

So, I had to add in an additional eval within each subsearch to make sure the string coming out of it was surrounded by quotes -- otherwise it will not work. (Numeric values, however, do seem to work without the additional eval within the subsearch.)

View solution in original post

Path Finder

Thank you very much.

0 Karma