Splunk Search

help on eval command

jip31
Motivator

Hi

When I run the command below, it works fine

 

index=toto event_id=4688 |
 eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null)

 

Now I need to combine this search with a subearch

 

index=toto event_id=4688 
| eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null)
[| inputlookup test where software=pm
| table pm
|rename pm as file_name
| format]
| stats values(file_name) as file_name.....

 

But i have the message "Error in "EvalCommand": The expression is malformed

What is wrong please?

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Depending on what you mean by "cross", the search command may do the job.

index=toto event_id=4688 
| eval file_name=replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1")
| search [| inputlookup test where software=pm
  | table pm
  | rename pm as file_name
  | format]
| stats values(file_name) as file_name.....
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You can't use subsearches in this way.

What are you trying to achieve?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Remember that subsearches run first and their results become text that replace the subsearch in the query.  So, if the subsearch returns "foo.exe" (the value of file_name) then the query becomes

index=toto event_id=4688 
| eval file_name=if(event_id==4688, replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1"),null)
foo.exe
stats values(file_name) as file_name.....

See the problem?  "foo.exe" and the following stats command are considered part of the eval command because there is no intervening |.

The fix depends on what you want the query to do.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jip31
Motivator

I forgotten a pipe before stats

I need to cross the event_file field of the index (called NewProcessName) with the event_file field of the lookup

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Depending on what you mean by "cross", the search command may do the job.

index=toto event_id=4688 
| eval file_name=replace(NewProcessName, "^*\\\\([^\\\\]+)$","\\1")
| search [| inputlookup test where software=pm
  | table pm
  | rename pm as file_name
  | format]
| stats values(file_name) as file_name.....
---
If this reply helps you, Karma would be appreciated.
0 Karma

jip31
Motivator

I need to join the file_name field between subsearch and main search

Your example is like what I done but i have an error message like i said in my example

I have also tested to put a rex field just before the stats command, I have no error but also no results even if a common event exists between the main search and the subsearch.....

| rex field=NewProcessName "(?<file_name>\w+\w+\.exe)"
| stats values(file_name) as file_name....
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Let's take a step back.  What is the desired output of this query?  Is it to list the file names that are in both the index and the lookup?  Something else?

My latest example is *like* what you've already done, but is different and should have a different result.  Have you run it?  If so, what is the exact text of the error(s)?

Please eliminate the ellipsis in the stats command.  The behavior of the command can change depending on the hidden arguments.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...