Splunk Search

meaning of match("-24h@h","^\d")

astatrial
Contributor

Hello
I have a query that creates a field with a value I can't fully understand:
eval earliestQual=match("-24h@h","^\d")

I understand that the result is the last day, but I don't understand the meaning of the expression "-24h@h". It is not a field, so what is it, and where does it get its value?

Thanks!!

0 Karma

woodcock
Esteemed Legend

The search is obviously part of a drilldown, because nobody in his right mind would create | eval earliestQual=match("-24h@h","^\d"), so it probably started out as something like | eval earliestQual=match($field_selector_value$,"^\d"), which totally could happen and makes sense. Now, back to your question: what is it doing? It is checking to see if the string that is being tested (in this case "-24h@h") begins with a digit (which in this case it does not). Now, why is it doing that? Who knows.

0 Karma

renjith_nair
Legend

@astatrial ,

It doesn't seem to be a complete eval expression because:

  1. Match returns a boolean and cannot be assigned to a field.
  2. -24h@h should be relative to a "time" - either the current time (now()) or any other time field in epoch format.

Nevertheless, the meaning of this extract is:

  • subtract 24 hrs from the "time" and snap to the nearest hour (i.e. if the time is 06-Feb-2019 07:20 then -24h@h will result in 05-Feb-2019 07:00)
  • check whether the resulting time starts with a digit (not sure about the logic behind this check without knowing the full context)
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

astatrial
Contributor

@renjith.nair
For some reason I couldn't comment on your answer.

This eval is part of the correlation search "Endpoint - Anomalous New Processes":


|from inputlookup:"localprocesses_tracker" | eval earliestQual=case(match("-24h@h", "^\d"), tostring("-24h@h"), match("-24h@h", "^([@+-]){1}"), relative_time(time(), "-24h@h"), true(), time()) | eval latestQual=case(match("+0s", "^\d"), tostring("+0s"), match("+0s", "^([@+-]){1}"), relative_time(time(), "+0s"), true(), time()) | where ('firstTime'>=earliestQual AND 'firstTime'<=latestQual) | fields - earliestQual, latestQual | stats dc(dest) as "dest_count",values(dest) as "dest" by "process" | where 'dest_count'>9

What I thought is that this eval calculates a time value of the last 24 hours depending on how the source time is represented.
I just didn't understand how the -24h@h knows which time source to refer to.

I appreciate your help!!

0 Karma
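Added example (Python; not from this thread and not Splunk's or Enterprise Security's own code): a stand-in for relative_time() and for the case() expression in the search quoted above, so the value that "-24h@h" and "+0s" resolve to can be seen directly, followed by the where/stats part of the same search run over constructed localprocesses_tracker rows. The reference time (06-Feb-2019 07:20, the one renjith_nair used, taken as UTC), the lookup rows and the snap-to rules implemented here are assumptions for illustration; Splunk snaps in the search user's time zone and supports more units than this subset.

```python
"""Added example, not from the Splunk thread or from Splunk/Enterprise Security.

Re-implements the two time evals and the where/stats filter of the
"Endpoint - Anomalous New Processes" search in plain Python so that the value
"-24h@h" evaluates to is visible. Reference time, lookup rows and the
snapping rules (done in UTC here) are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Seconds per Splunk time unit (common spellings only; mon/q/y omitted).
_UNIT_SECONDS = {
    "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
}
_OFFSET_RE = re.compile(r"([+-])(\d*)([a-z]+)")  # e.g. "-24h", "+0s", "-1w"
_SNAP_UNIT_RE = re.compile(r"[a-z]+")            # the unit right after "@"


def _apply_offsets(dt: datetime, text: str) -> datetime:
    """Apply zero or more signed offsets such as "-24h" or "-1d+2h" to dt."""
    pos = 0
    while pos < len(text):
        m = _OFFSET_RE.match(text, pos)
        if not m or m.group(3) not in _UNIT_SECONDS:
            raise ValueError(f"bad relative time offset: {text!r}")
        sign, num, unit = m.groups()
        delta = timedelta(seconds=(int(num) if num else 1) * _UNIT_SECONDS[unit])
        dt = dt + delta if sign == "+" else dt - delta
        pos = m.end()
    return dt


def _snap(dt: datetime, unit: str) -> datetime:
    """Round dt down to the start of the unit (Splunk "@unit"; @w snaps to Sunday)."""
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unsupported snap unit: {unit!r}")
    u = unit[0]  # "secs" -> "s", "hour" -> "h", ...
    if u == "s":
        return dt.replace(microsecond=0)
    if u == "m":
        return dt.replace(second=0, microsecond=0)
    if u == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if u == "d":
        return day
    return day - timedelta(days=(day.weekday() + 1) % 7)  # "w": back to Sunday


def relative_time(ref_epoch: int, modifier: str) -> int:
    """Python stand-in for Splunk's relative_time(ref_epoch, modifier).

    Offsets before "@" are applied first, then the snap, then any offsets
    after the snap unit ("@d-1h" = start of today minus one hour).
    """
    dt = datetime.fromtimestamp(ref_epoch, tz=timezone.utc)
    before, at, after = modifier.partition("@")
    dt = _apply_offsets(dt, before)
    if at:
        m = _SNAP_UNIT_RE.match(after)
        if not m:
            raise ValueError(f"missing snap unit in {modifier!r}")
        dt = _apply_offsets(_snap(dt, m.group(0)), after[m.end():])
    return int(dt.timestamp())


def resolve_time_input(value: str, ref_epoch: int) -> int:
    """The case() from the search: epoch string -> as is; @/+/- -> relative; else ref."""
    if re.match(r"^\d", value):        # match(v, "^\d")        -> tostring(v)
        return int(value)
    if re.match(r"^[@+-]", value):     # match(v, "^([@+-]){1}") -> relative_time(time(), v)
        return relative_time(ref_epoch, value)
    return ref_epoch                   # true()                 -> time()


def anomalous_new_processes(rows, earliest_input, latest_input, ref_epoch, min_dests=9):
    """where firstTime in window | stats dc(dest) by process | where dest_count > min_dests."""
    earliest = resolve_time_input(earliest_input, ref_epoch)
    latest = resolve_time_input(latest_input, ref_epoch)
    dests = defaultdict(set)
    for r in rows:
        if earliest <= r["firstTime"] <= latest:
            dests[r["process"]].add(r["dest"])
    return {p: sorted(d) for p, d in dests.items() if len(d) > min_dests}


# Constructed reference time: 2019-02-06 07:20:00 UTC (the thread's example time).
REF = 1549437600

# Constructed tracker rows: one process first seen on 10 hosts inside the last
# 24h, one on 2 hosts, and one on 12 hosts but three days ago (outside the window).
ROWS = (
    [{"process": "updater.exe", "dest": f"ws{i:02d}", "firstTime": REF - 3600 * i} for i in range(10)]
    + [{"process": "notepad.exe", "dest": f"ws{i:02d}", "firstTime": REF - 600} for i in range(2)]
    + [{"process": "legacy.exe", "dest": f"srv{i:02d}", "firstTime": REF - 3 * 86400} for i in range(12)]
)

if __name__ == "__main__":
    for mod in ("-24h@h", "+0s", "@d", "@d-1h", "-1w@w"):
        print(f"{mod:>8} -> {datetime.fromtimestamp(relative_time(REF, mod), tz=timezone.utc)}")
    print(anomalous_new_processes(ROWS, "-24h@h", "+0s", REF))
```

Running it prints "-24h@h -> 2019-02-05 07:00:00+00:00", i.e. the literal "-24h@h" only becomes a timestamp once relative_time() is given a reference time; with "+0s" the reference time itself is returned, which is why the search's latestQual is simply "now".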

renjith_nair
Legend

@astatrial ,
If it's part of Enterprise Security, it might be part of the macros. localprocesses_tracker has mainly information about the process history (dest, firstTime, lastTime, process). So most probably whatever you are seeing is an expanded search with values substituted.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

astatrial
Contributor

You are right.
It is not the complete eval expression.
The complete eval expression is:

| eval earliestQual=case(match("-24h@h", "^\d"), tostring("-24h@h"), match("-24h@h", "^([@+-]){1}"), relative_time(time(), "-24h@h"), true(), time())

I just didn't want to confuse you with non-relevant info.

The second clause in your answer is exactly my question: this expression isn't relative to any time, so how is it getting its value?

0 Karma

renjith_nair
Legend

@astatrial ,
In a plain text search, it does not make much sense. However, I strongly believe that it's part of a dashboard with a time input in it. In that case, -24h@h is not a string value in the search but a token in the form $some_token$ which carries the value from the time input, and this eval statement tries to find out what the user has opted for in the time input.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

astatrial
Contributor

This eval is part of the "Endpoint - Anomalous New Processes" correlation search. There is no use of tokens in it.

|from inputlookup:"localprocesses_tracker" | eval earliestQual=case(match("-24h@h", "^\d"), tostring("-24h@h"), match("-24h@h", "^([@+-]){1}"), relative_time(time(), "-24h@h"), true(), time()) | eval latestQual=case(match("+0s", "^\d"), tostring("+0s"), match("+0s", "^([@+-]){1}"), relative_time(time(), "+0s"), true(), time()) | where ('firstTime'>=earliestQual AND 'firstTime'<=latestQual) | fields - earliestQual, latestQual | stats dc(dest) as "dest_count",values(dest) as "dest" by "process" | where 'dest_count'>9

What I thought is that this eval calculates a time value of the last 24 hours in a specific pattern depending on how the time is represented (i.e. in the time picker). But I didn't understand how the expression -24h@h knows to get this value.
Is it some kind of known phrase in Splunk?

I really appreciate your help!

0 Karma

jeffland
SplunkTrust

This code indeed looks familiar from a dashboard I worked on once. I used eval in the change event of a time input in a case where I always needed an epoch value from the input, regardless of the actual selection (a time picker will return something like -1w for earliest if you select last week). It looked something like:

<change>
  <!-- epoch input is kept as is; a relative modifier is resolved against now() -->
  <eval token="time_earliest_alwaysepoch">case(match($value$, "^\d+"), $value$, match($value$, "[+-]\d+@?"), relative_time(now(), $value$))</eval>
</change>

This was to make sure I always had an epoch value in that token, and it led me to this discussion. I doubt your code makes sense, as @renjith.nair already pointed out in his comment.

0 Karma

vishaltaneja070
Motivator

Hello @astatrial

The above command is matching two values, and the result will always be False, as there is one string and one regex that need to be compared. So it is just matching the value against the regex, and the regex needs the first character to be a digit, which is not the case with "-24h@h".

0 Karma

vishaltaneja070
Motivator

In normal cases, like where you mention earliest=-24h@h, the time range will go back to the last 24 hours and snap to the hour.

0 Karma