I'm trying to integrate McAfee data into ES and I am having difficulties using the datamodel command.
Why does this search work (it returns results):
| datamodel "Malware" "Malware_Attacks" search | where 'Malware_Attacks.category'="av.detect"
And this one does not (does not return results, but I do not get syntax errors):
| datamodel "Malware" "Malware_Attacks" search | search 'Malware_Attacks.category'="av.detect"
Thanks,
Chris
Update
This works:
| datamodel "Malware" "Malware_Attacks" search | search "Malware_Attacks.category"="av.detect"
And so does this:
| datamodel "Malware" "Malware_Attacks" search | search Malware_Attacks.category="av.detect"
I guess the question should be: When do I need to surround a field name with single ticks, when are double ticks ok and when do I not need them at all?
Hi Chris,
I cannot answer why it is this way; but from my experience and tests I can try to answer how to use it.
Let's start with the difference between where and search:
where: if you want to compare two fields' values
search: if you want to search for a field containing a string or value
Next, there is a little hint in the docs http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where
If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotes; for example, new=count+'server-1'.
If the expression references literal strings that contain non-alphanumeric characters, it needs to be surrounded by double quotes; for example, new="server-"+count.
Now, let's test this with these run-everywhere commands, all done on the same server over the Previous week time range:
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where 'server.active_hist_searches'>='foo'
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where 'server.active_hist_searches'>=foo
| datamodel "internal_server" "systemwide_search_load_" search | search server.active_hist_searches>=15
| datamodel "internal_server" "systemwide_search_load_" search | search "server.active_hist_searches">=15
All the above searches will work, because they use the correct search syntax, and the result is 108 events.
| datamodel "internal_server" "systemwide_search_load_" search | search "server.active_hist_searches">="15"
| datamodel "internal_server" "systemwide_search_load_" search | search server.active_hist_searches>="15"
The above searches will return the wrong events, because they search for the literal string value 15; the result is 566 events.
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where "server.active_hist_searches">='foo'
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where "server.active_hist_searches">="foo"
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where "server.active_hist_searches">=foo
The above searches will not work, because they reference literal strings that contain non-alphanumeric characters as the field; the result in this case is 811, or all, events.
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where server.active_hist_searches>=foo
| datamodel "internal_server" "systemwide_search_load_" search | eval foo="15" | where 'server.active_hist_searches'>="foo"
These will not work at all, returning 0 events.
So, after all this testing I can say the following:
' single quotes when using the where command
" double quotes or no quotes when using the search command
Hope this helps ....
cheers, MuS
PS: if you need the *why* it is this way, open a support case or ask the same on the IRC channel #splunk @ efnet.org
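The quoting rules MuS worked out above are easy to get wrong when correlation searches are generated rather than typed, so here is an added example (not code from the question, the answer, or Splunk) of a small Python helper that builds comparison terms for where and search following those rules, and that classifies how where will read each operand. The function and class names (where_clause, search_clause, explain_where, Field) are assumptions of this example; the field names and expected event counts in the comments are the ones from the tests above.

```python
import re

# Field names made only of [A-Za-z0-9_] need no quotes in where/eval; anything
# else (a data-model dot, a hyphen, a space) must be single-quoted there.
PLAIN_FIELD = re.compile(r"^[A-Za-z0-9_]+$")
NUMBER = re.compile(r"^-?\d+(\.\d+)?$")


class Field:
    """Marks a right-hand value as a field reference rather than a literal."""

    def __init__(self, name):
        self.name = name


def where_field(name):
    """Field reference for where/eval: single quotes only when the name
    contains characters outside [A-Za-z0-9_]."""
    if "'" in name:
        raise ValueError("SPL field names cannot contain single quotes")
    return name if PLAIN_FIELD.match(name) else f"'{name}'"


def literal(value):
    """Literal operand: numbers stay bare, everything else is double-quoted.
    Quoting a number (>="15") turns the comparison into a string comparison,
    which is why the "15" searches above matched 566 events instead of 108."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def where_operand(value):
    return where_field(value.name) if isinstance(value, Field) else literal(value)


def where_clause(field, op, value):
    """Build `where <field><op><operand>` with the quoting where expects."""
    return f"where {where_field(field)}{op}{where_operand(value)}"


def search_clause(field, op, value):
    """Build a search term: field names go bare (double quotes also work),
    never single-quoted; numeric values stay bare so >= compares numerically."""
    if "'" in field or '"' in field:
        raise ValueError("quote characters are not valid in a search field name")
    return f"search {field}{op}{literal(value)}"


def where_operand_kind(token):
    """How where reads one operand, matching the results reported above."""
    if NUMBER.match(token):
        return "number"
    if len(token) >= 2 and token[0] == token[-1] == "'":
        return "field"
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return "string literal"
    if PLAIN_FIELD.match(token):
        return "field"
    # A bare dotted name is not a field reference in where/eval: the dot is
    # eval's concatenation operator, so `server.active_hist_searches` joins two
    # fields that do not exist, yielding null and therefore 0 events.
    return "not a field reference"


def explain_where(clause):
    """Split `where <lhs><op><rhs>` and report both operand kinds. A
    'string literal' on the left is the sign of the 811-event mistake: a
    double-quoted field name is compared as text, so every event matches."""
    m = re.match(r"^\s*where\s+(.+?)\s*(>=|<=|!=|=|>|<)\s*(.+?)\s*$", clause)
    if not m:
        raise ValueError("not a where comparison")
    lhs, op, rhs = m.groups()
    return where_operand_kind(lhs), op, where_operand_kind(rhs)


if __name__ == "__main__":
    print(where_clause("Malware_Attacks.category", "=", "av.detect"))
    print(search_clause("Malware_Attacks.category", "=", "av.detect"))
    for spl in ("where 'server.active_hist_searches'>='foo'",
                'where "server.active_hist_searches">=foo',
                "where server.active_hist_searches>=foo"):
        print(spl, "->", explain_where(spl))
```

Running explain_where over the where variants from the tests above reproduces the three outcomes: field/field for the 108-event searches, string literal on the left for the 811-event ones, and a bare dotted name (no field reference at all) for the ones that return nothing.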
Thanks for testing the different variations.