Splunk Search

help on eval command

jip31
Motivator

Hi

When I run the command below, it works fine

 

index=toto event_id=4688 |
 eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null)

 

Now I need to combine this search with a subsearch

 

index=toto event_id=4688 
| eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null)
[| inputlookup test where software=pm
| table pm
|rename pm as file_name
| format]
| stats values(file_name) as file_name.....

 

But I have the message "Error in "EvalCommand": The expression is malformed"

What is wrong please?

1 Solution

richgalloway
SplunkTrust

Depending on what you mean by "cross", the search command may do the job.

index=toto event_id=4688 
| eval file_name=replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1")
| search [| inputlookup test where software=pm
  | table pm
  | rename pm as file_name
  | format]
| stats values(file_name) as file_name.....
---
If this reply helps you, Karma would be appreciated.


ITWhisperer
SplunkTrust

You can't use subsearches in this way.

What are you trying to achieve?


richgalloway
SplunkTrust

Remember that subsearches run first and their results become text that replace the subsearch in the query.  So, if the subsearch returns "foo.exe" (the value of file_name) then the query becomes

index=toto event_id=4688 
| eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null)
foo.exe
stats values(file_name) as file_name.....

See the problem?  "foo.exe" and the following stats command are considered part of the eval command because there is no intervening |.

The fix depends on what you want the query to do.

---
If this reply helps you, Karma would be appreciated.
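The two replies above describe the mechanics in words: the subsearch runs first, `| format` turns its rows into search text, that text is pasted into the outer search, and only a `| search` command makes the pasted text well-formed. The following Python model is an added example, not Splunk code and not from the original thread; it emulates each of those steps over constructed sample data (the event paths and the lookup rows are made up, and the lookup's `software` and `pm` columns are assumed) so the reader can see what the eval extracts, what `| format` hands back, how the posted pipeline differs from the `| search [...]` form once the text is substituted, and which rows the corrected search finally returns. One caveat worth carrying back into SPL: `replace()` rewrites only the text the regex matched, so to be left with just the file name the pattern has to consume the whole path; the model uses `^.*\\\\([^\\\\]+)$` (with the dot) for that reason.

```python
import re

# --- constructed sample data (not from the original post) ---------------------
# Windows 4688 process-creation events; NewProcessName carries the full path.
EVENTS = [
    {"event_id": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 4688, "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\pm.exe"},
    {"event_id": 4688, "NewProcessName": r"C:\Program Files\Vendor\PM-Updater.exe"},
    {"event_id": 4688, "NewProcessName": r"D:\tools\psexec.exe"},
]

# Rows of the lookup the thread calls `test`; the columns (software, pm) are assumed.
LOOKUP = [
    {"software": "pm", "pm": "pm.exe"},
    {"software": "pm", "pm": "pm-updater.exe"},
    {"software": "other", "pm": "notepad.exe"},
]

# --- eval file_name=replace(NewProcessName, "^.*\\\\([^\\\\]+)$", "\\1") ----------
# After SPL string unescaping the regex engine sees ^.*\\([^\\]+)$ : consume the
# whole path and capture whatever follows the last backslash.
BASENAME_RE = re.compile(r"^.*\\([^\\]+)$")


def file_name_from_path(new_process_name):
    """Emulate Splunk's replace(): rewrite the matched text, or return the input
    unchanged when the regex does not match (e.g. a bare name with no backslash)."""
    return BASENAME_RE.sub(r"\1", new_process_name)


# --- [| inputlookup test where software=pm | table pm | rename pm as file_name | format]
def subsearch_values(lookup_rows, software):
    """The single-column rows `inputlookup test where software=pm | table pm` returns."""
    return [row["pm"] for row in lookup_rows if row["software"] == software]


def format_subsearch(values, field):
    """Render the rows the way `| format` does with its defaults: each row becomes
    ( field="value" ), rows are joined with OR and the whole is wrapped in ( )."""
    clauses = ['( {}="{}" )'.format(field, v) for v in values]
    return "( " + " OR ".join(clauses) + " )"


# --- the outer search after the subsearch text has been substituted -------------
EVAL = r'index=toto event_id=4688 | eval file_name=replace(NewProcessName, "^.*\\\\([^\\\\]+)$","\\1")'
STATS = "stats values(file_name) as file_name"


def commands(spl):
    """Split an expanded SPL string into its pipeline stages. No '|' occurs inside
    the string literals used here, so a plain split is sufficient."""
    return [stage.strip() for stage in spl.split("|")]


def expanded_as_posted(sub_text):
    # The question's version: nothing separates the eval from the pasted text,
    # so the text becomes part of the eval expression (hence "malformed").
    return "{} {} | {}".format(EVAL, sub_text, STATS)


def expanded_fixed(sub_text):
    # The answer's version: the pasted text is the argument of a search command.
    return "{} | search {} | {}".format(EVAL, sub_text, STATS)


# --- run the corrected pipeline over the sample events --------------------------
def search_filter(events, values):
    """`| search ( ( file_name="a" ) OR ( file_name="b" ) )`: keep events whose
    file_name equals one of the values; search compares values case-insensitively."""
    wanted = {v.lower() for v in values}
    return [e for e in events if e["file_name"].lower() in wanted]


def run(events=EVENTS, lookup_rows=LOOKUP):
    """Execute the corrected search end to end and return the distinct values
    `stats values(file_name) as file_name` would list."""
    enriched = [dict(e, file_name=file_name_from_path(e["NewProcessName"]))
                for e in events if e["event_id"] == 4688]
    matched = search_filter(enriched, subsearch_values(lookup_rows, "pm"))
    return sorted({e["file_name"] for e in matched})


if __name__ == "__main__":
    sub = format_subsearch(subsearch_values(LOOKUP, "pm"), "file_name")
    print("subsearch text    :", sub)
    print("as posted, stage 2:", commands(expanded_as_posted(sub))[1])
    print("fixed, stage 3    :", commands(expanded_fixed(sub))[2])
    print("result            :", run())
```

Running the script prints the `| format` text, then shows that in the posted form the second pipeline stage is an `eval` whose expression now ends in `( ( file_name="pm.exe" ) OR ... )`, while in the fixed form that same text is the third stage, `search ( ( file_name="pm.exe" ) OR ... )`. The match is case-insensitive, as the `search` command's field comparison is, which is why `PM-Updater.exe` in the events is found by the lookup row `pm-updater.exe`.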

jip31
Motivator

I forgot a pipe before stats

I need to cross the event_file field of the index (called NewProcessName) with the event_file field of the lookup



jip31
Motivator

I need to join the file_name field between subsearch and main search

Your example is like what I did, but I have an error message, like I said in my example

I have also tested to put a rex field just before the stats command, I have no error but also no results even if a common event exists between the main search and the subsearch.....

| rex field=NewProcessName "(?<file_name>\w+\w+\.exe)"
| stats values(file_name) as file_name....

richgalloway
SplunkTrust

Let's take a step back.  What is the desired output of this query?  Is it to list the file names that are in both the index and the lookup?  Something else?

My latest example is *like* what you've already done, but is different and should have a different result.  Have you run it?  If so, what is the exact text of the error(s)?

Please eliminate the ellipsis in the stats command.  The behavior of the command can change depending on the hidden arguments.

---
If this reply helps you, Karma would be appreciated.