Can you help me with a query involving the eval command?

ColinJacksonPS
Path Finder

I'm trying to set up a search for when a user disables their 2FA vs when IT disables it for them.

I have the User Account and the Actor account.

index=auth sourcetype=auth mfa* (actor.displayName="*") legacyEventType="core.user.factor.deactivate" 
|stats count by "actor.displayName", "target{}.displayName", "displayMessage", _time
|rename "actor.displayName" AS "Changed by","target{}.displayName" AS "Account Changed", displayMessage as "Action"

Results look like

Changed by  Account Changed      Action _time                 count
Bob Johnson Mike Smith  Reset factor for user   2018-10-09 15:16:19.880 1
Kelly Short Kelly Short Reset factor for user   2018-10-09 02:45:08.536 1

I'm trying to compare whether the "Changed by" and "Account Changed" values match, and return just those results. And then, eval if it doesn't like to compare values, and match() asks to compare a field to a regex.

Does anyone have any idea how to compare 2 field values from the same search?

1 Solution

MuS
SplunkTrust
SplunkTrust

Hi ColinJacksonPS,

give this a try:

index=auth sourcetype=auth mfa* (actor.displayName="*") legacyEventType="core.user.factor.deactivate" 
 | stats count by "actor.displayName", "target{}.displayName", "displayMessage", _time
 | rename "actor.displayName" AS "Changed by","target{}.displayName" AS "Account Changed", displayMessage as "Action"
 | where 'Change by' = 'Account Changed'

This will compare the values of both fields and only show the ones that are same.

Hope this helps ...

cheers, MuS


renjith_nair
SplunkTrust
SplunkTrust

@ColinJacksonPS,

Try renaming the fields with spaces, compare, and change them back:

 index=auth sourcetype=auth mfa* (actor.displayName="*") legacyEventType="core.user.factor.deactivate" 
 |stats count by "actor.displayName", "target{}.displayName", "displayMessage", _time
 |rename "actor.displayName" AS "Changed","target{}.displayName" AS "Account", displayMessage as "Action"
 |where Changed==Account
 |rename Changed as "Changed by",Account as "Account Changed"

OR evaluate to a variable

 index=auth sourcetype=auth mfa* (actor.displayName="*") legacyEventType="core.user.factor.deactivate" 
 |stats count by "actor.displayName", "target{}.displayName", "displayMessage", _time
 |rename "actor.displayName" AS "Changed","target{}.displayName" AS "Account", displayMessage as "Action"
 |eval isEqual=if(Changed==Account,"yes","no")
 |rename Changed as "Changed by",Account as "Account Changed"

Happy Splunking!

chanfoli
Builder

I think where needs single quotes for field names which have non-alphanumerics.


MuS
SplunkTrust
SplunkTrust

Yep, of course, this always gets me: eval() requires in this case a ' instead of a ", because using the " will tell eval() to compare two literal strings, not the values of two fields.

So:
using this | where "Change by" = "Account Changed" will compare two strings
using this | where 'Change by' = 'Account Changed' will compare the values of two fields


ColinJacksonPS
Path Finder

This did it. Single quotes FTW

index=auth sourcetype=auth mfa* (actor.displayName="*") legacyEventType="core.user.factor.deactivate" 
 | stats count by "actor.displayName", "target{}.displayName", "displayMessage", _time
 | rename "actor.displayName" AS "Changed by","target{}.displayName" AS "Account Changed", displayMessage as "Action"
 | where 'Changed by' = 'Account Changed'

Thanks @MuS @chanfoli


ColinJacksonPS
Path Finder

No, doesn't work. I changed it to "Change*d* by" and the result is still blank. Finds the 3 events in Events tab, but not the Statistics tab.


ColinJacksonPS
Path Finder

Also tried |where.... ==...., but I don't think that works with the where command


MuS
SplunkTrust
SplunkTrust

Try it without the rename, and use the original field name in the where.

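To make the quoting point in this thread concrete, here is an added illustration (not Splunk code, and not from any poster): a small Python model of how the SPL where command resolves its operands, run over rows constructed to mirror the Statistics table in the question. It shows the three outcomes discussed above: double quotes compare two literal strings and match nothing, a misspelled single-quoted field name such as 'Change by' resolves to a null field and also returns a blank table, and the correctly spelled 'Changed by' = 'Account Changed' keeps only the self-service deactivation.

```python
# Added illustration (not Splunk code): a small model of how Splunk's `where`
# reads its operands.  In SPL, "..." is a string literal, '...' is a field
# name (required when the name contains spaces), and a bare token is a field;
# a comparison against a field that does not exist (null) is never true.
import re

# Constructed rows mirroring the Statistics table in the question.
ROWS = [
    {"Changed by": "Bob Johnson", "Account Changed": "Mike Smith",
     "Action": "Reset factor for user", "count": 1},
    {"Changed by": "Kelly Short", "Account Changed": "Kelly Short",
     "Action": "Reset factor for user", "count": 1},
]

_TOKEN = re.compile(r'''\s*(?:"([^"]*)"|'([^']*)'|([A-Za-z_][\w.{}]*))\s*''')
_MISSING = object()  # stands in for a null (absent) field


def _operand(token, row):
    """Resolve one side of a comparison the way `where` does."""
    m = _TOKEN.fullmatch(token)
    if not m:
        raise ValueError(f"cannot parse operand: {token!r}")
    literal, quoted_field, bare_field = m.groups()
    if literal is not None:
        return literal                          # double quotes: literal text
    return row.get(quoted_field or bare_field, _MISSING)  # field value or null


def where(rows, expr):
    """Apply `| where <lhs> = <rhs>` (also accepts ==) and keep matching rows."""
    lhs, rhs = re.split(r"\s*={1,2}\s*", expr.strip(), maxsplit=1)
    kept = []
    for row in rows:
        left, right = _operand(lhs, row), _operand(rhs, row)
        if _MISSING in (left, right):           # null never compares equal
            continue
        if left == right:
            kept.append(row)
    return kept


def self_service_deactivations(rows):
    """The question's goal: rows where the actor deactivated their own factor."""
    return where(rows, "'Changed by' = 'Account Changed'")

# "Changed by" = "Account Changed" compares two literals -> 0 rows.
# 'Change by' = 'Account Changed' references a null field -> 0 rows, the
# "still blank" result seen in the thread.  Correct names -> Kelly Short only.
```

The same model accepts bare names (Changed==Account), which is why the rename-to-names-without-spaces approach in the other answer works without any quoting.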