Splunk Search

meaning of match("-24h@h","^\d")

astatrial
Contributor

Hello
I have a query that create a field with a value i can't fully understand :
eval earliestQual=match("-24h@h","^\d") .

I understand that the result is the last day, but i don't understand the meaning of the expression "-24h@h" . It is not a field, so what is it, and where does it gets its value .

Thanks !!

0 Karma

woodcock
Esteemed Legend

The search is obviously part of a drilldown because nobody in his right mind would create | eval earliestQual=match("-24h@h","^\d") so it probably started out as something like | eval earliestQual=match($field_selector_value$,"^\d"), which totally could happen and makes sense. Now, back to your question, what is it doing?. It is checking to see if the string that is being tested (in this case -24@h) begins with a digit (which in this case, it does not). Now, why is it doing that?. Who knows.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@astatrial ,

It doesn't seem to be a complete eval expression because:

  1. Match returns a boolean and can not be assigned to a field.
  2. -24h@h should be relative to a "time" - either current time (now()) or any other time field in epoch format.

Nevertheless, the meaning of this extract is

  • subsract 24hrs from the "time" and snap to the nearest hour. ( i.e. if the time is 06-Feb-2019 07:20 then -24h@h will result 05-Feb-2019 07:00)
  • Check whether the resulted time starts with a digit (not sure about the logic behind this check without knowing the full context)
Happy Splunking!
0 Karma

astatrial
Contributor

@renjith.nair
For some reason i couldn't comment to you in your answer.

This eval is part of the correlation search - "Endpoint - Anomalous New Processes" :


|from inputlookup:"localprocesses_tracker" | eval earliestQual=case(match("-24h@h", "^\d"), tostring("-24h@h"), match("-24h@h", "^([@+-]){1}"), relative_time(time(), "-24h@h"), true(), time()) | eval latestQual=case(match("+0s", "^\d"), tostring("+0s"), match("+0s", "^([@+-]){1}"), relative_time(time(), "+0s"), true(), time()) | where ('firstTime'>=earliestQual AND 'firstTime'<=latestQual) | fields - earliestQual, latestQual | stats dc(dest) as "dest_count",values(dest) as "dest" by "process" | where 'dest_count'>9

What i thought is that this eval calculates a time value of the last 24 hours depending on how the source time is represented.
I just didn't understand how the -24h@h knows which time source to refer.

I appreciate your help!!

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@astatrial ,
If its part of Enterprise Security, it might be part of the macros. localprocesses_tracker has mainly information about the process history (dest,firstime,lasttime,process) . So most probably whatever you are seeing is an expanded search with values substituted.

Happy Splunking!
0 Karma

astatrial
Contributor

you are right.
It is not the complete eval expression.
The complete eval expression is :

| eval earliestQual=case(match("-24h@h", "^\d"), tostring("-24h@h"), match("-24h@h", "^([@+-]){1}"), relative_time(time(), "-24h@h"), true(), time())

I just didn't want to confuse you with non relevant info.

The second clause in your answer is exactly my question - This expression isn't relative to any time, so how it is getting its value ?

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@astatrial ,
In a plain text search , it does not make much sense. However , I strongly believe that its part of a dashboard with a time input in it. In that case, -24h@h is not a string value in the search but a token in the form $some_token$ which carries value from the time input and this eval statement tries to find out what the user has opted from the time input

Happy Splunking!
0 Karma

astatrial
Contributor

This eval is part of the "Endpoint - Anomalous New Processes" correlation search. There is no use of token in it.

|from inputlookup:"localprocesses_tracker" | eval earliestQual=case(match("-24h@h", "^\d"), tostring("-24h@h"), match("-24h@h", "^([@+-]){1}"), relative_time(time(), "-24h@h"), true(), time()) | eval latestQual=case(match("+0s", "^\d"), tostring("+0s"), match("+0s", "^([@+-]){1}"), relative_time(time(), "+0s"), true(), time()) | where ('firstTime'>=earliestQual AND 'firstTime'<=latestQual) | fields - earliestQual, latestQual | stats dc(dest) as "dest_count",values(dest) as "dest" by "process" | where 'dest_count'>9

What i thought is that this eval calculate a time value of the last 24 hours in specific pattern depending on how the time is represented (i.e in the time picker). But i didn't understand how the expression -24h@h knows to get this value.
Is it some kind of known phrase in splunk?

I really appreciate your help ! |

0 Karma

jeffland
Champion

This code indeed looks familiar for a dashboard I've worked on once. I used eval in the change event of a time input in a case where I always needed an epoch value from the input, regardless of the actual selection (a time picker will return something like -1w for earliest if you select last week). It looked something like

<change>
  <eval token="time_earliest_alwaysepoch">case(match($value$, "^\d+"), $value$, match($value$, "[+-]\d+@?"), relative_time(now(), $value$)</eval>
</change>

This was to make sure I always had an epoch value in that token, and it led me to this discussion. I doubt your code makes sense, as @renjith.nair already pointed out in his comment.

0 Karma

vishaltaneja070
Motivator

Hello @astatrial

The above command is matching two values and the result will always be False. As there are one string and one regex need to compared. so it is just matching the value based on regex. And the regex need only first character as a digit, which is not the case with "-24h@h".

0 Karma

vishaltaneja070
Motivator

In normal cases like where you mention earliest=-24h@h, in that case it the time range will go back to last 24 hours and snap the hour field.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...