Hi
When I run the command below, it works fine
index=toto event_id=4688 |
eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null)
Now I need to combine this search with a subsearch
index=toto event_id=4688
| eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null)
[| inputlookup test where software=pm
| table pm
|rename pm as file_name
| format]
| stats values(file_name) as file_name.....
But I have the message "Error in 'EvalCommand': The expression is malformed"
What is wrong please?
You can't use subsearches in this way.
What are you trying to achieve?
Remember that subsearches run first and their results become text that replaces the subsearch in the query. So, if the subsearch returns "foo.exe" (the value of file_name) then the query becomes
index=toto event_id=4688
| eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null)
foo.exe
stats values(file_name) as file_name.....
See the problem? "foo.exe" and the following stats command are considered part of the eval command because there is no intervening |.
The fix depends on what you want the query to do.
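To make the "subsearch becomes text" point concrete, here is a small Python simulation added for this thread (not Splunk code and not from either poster): it builds the text that `| format` would produce from constructed lookup rows, splices it into the broken and the fixed query shape, and computes the file names the fixed query should return. The lookup "test" with columns `software` and `pm`, the events, and the default `( ( field="v" ) OR ... )` shape of `format` output are assumptions.

```python
import re

# Constructed sample data (not from the thread): three 4688 events and a lookup table.
EVENTS = [
    {"event_id": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 4688, "NewProcessName": r"C:\Program Files\PM\pmagent.exe"},
    {"event_id": 4688, "NewProcessName": r"C:\Users\bob\notepad.exe"},
]
LOOKUP = [  # rows of the hypothetical lookup "test": columns software, pm
    {"software": "pm", "pm": "pmagent.exe"},
    {"software": "pm", "pm": "cmd.exe"},
    {"software": "other", "pm": "notepad.exe"},
]

def file_name(path):
    """Same idea as the thread's replace(): keep what follows the last backslash.
    Python's re rejects the thread's '^*', so '^.*' is used here instead."""
    return re.sub(r"^.*\\([^\\]+)$", r"\1", path)

def format_rows(rows, field):
    """Mimic the assumed default output of `| format` for a one-column subsearch result."""
    return "( " + " OR ".join(f'( {field}="{r[field]}" )' for r in rows) + " )"

def subsearch(software="pm"):
    """| inputlookup test where software=pm | table pm | rename pm as file_name | format"""
    rows = [{"file_name": r["pm"]} for r in LOOKUP if r["software"] == software]
    return format_rows(rows, "file_name")

def expand(query, sub_text):
    """Splunk runs the subsearch first and splices its text where [...] stood;
    the bracketed subsearch is written as the token [SUB] in the queries below."""
    return query.replace("[SUB]", sub_text)

# The poster's form: the subsearch text lands right after the eval expression (no pipe).
BROKEN = r'index=toto event_id=4688 | eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null) [SUB] | stats values(file_name) as file_name'
# The answer's form: the text becomes the argument of an explicit `| search`.
FIXED = r'index=toto event_id=4688 | eval file_name=replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1") | search [SUB] | stats values(file_name) as file_name'

def matched_file_names(events, lookup_rows, software="pm"):
    """What FIXED should yield after `stats values(file_name)`: names present in both sources."""
    wanted = {r["pm"] for r in lookup_rows if r["software"] == software}
    seen = {file_name(e["NewProcessName"]) for e in events if e["event_id"] == 4688}
    return sorted(seen & wanted)

if __name__ == "__main__":
    print(expand(BROKEN, subsearch()))  # the OR clause glued onto the eval, no pipe
    print(expand(FIXED, subsearch()))   # the OR clause as a proper search filter
    print(matched_file_names(EVENTS, LOOKUP))
```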
I forgot a pipe before stats
I need to cross the event_file field of the index (called NewProcessName) with the event_file field of the lookup
Depending on what you mean by "cross", the search command may do the job.
index=toto event_id=4688
| eval file_name=replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1")
| search [| inputlookup test where software=pm
| table pm
| rename pm as file_name
| format]
| stats values(file_name) as file_name.....
I need to join the file_name field between subsearch and main search
Your example is like what I did, but I have an error message like I said in my example
I have also tested putting a rex field just before the stats command; I have no error but also no results, even if a common event exists between the main search and the subsearch.....
| rex field=NewProcessName "(?<file_name>\w+\w+\.exe)"
| stats values(file_name) as file_name....
Let's take a step back. What is the desired output of this query? Is it to list the file names that are in both the index and the lookup? Something else?
My latest example is *like* what you've already done, but is different and should have a different result. Have you run it? If so, what is the exact text of the error(s)?
Please eliminate the ellipsis in the stats command. The behavior of the command can change depending on the hidden arguments.