Splunk Search

Dropdown input token needs to match rex field in search

genesiusj
Builder

Hello,
I have searched Answers and will continue to search after I post this. I'm not sure I am entering the correct search terms.

I have an input dropdown (dynamic) on a dashboard. Note: This works with no issues

     <input type="dropdown" token="sudoUserName">
        <label>Select a User ID.</label>
        <prefix>sudoID="</prefix>
        <suffix>"</suffix>
        <default>*</default>
        <choice value="*">All</choice>
        <fieldForLabel>sudoID</fieldForLabel>
        <fieldForValue>sudoID</fieldForValue>
        <search>
          <query>
            index=linuxevents process="sudo" AND "COMMAND="
            | rex field=_raw ".*sudo:\s(?&lt;SLMsudo&gt;.*$)"
            | rex field=SLMsudo "(?&lt;sudoID&gt;[A-Za-z0-9]+).*COMMAND=(?&lt;sudoCommand&gt;.*$)"
            | dedup sudoID
          </query>
          <earliest>$Selected_Time_Range.earliest$</earliest>
          <latest>$Selected_Time_Range.latest$</latest>
        </search>
     </input>

Problem.
I need to match the token sudoUserName to the field sudoID. However, sudoID is a field created while running the SPL below: a rex on _raw creates SLMsudo, and a second rex on that creates sudoID. I only want events where the sudoID matches the sudoUserName. (Apologies if I am repeating myself.)

Here is the code for that portion.

index=linuxevents process="sudo" AND "COMMAND=" AND $sudoUserName$
| rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
| rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
| eval sudoID=$sudoUserName$
| table SLMsudo, sudoID, host, sudoCommand, _time

The eval command is kicking off this error.
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([boolean expr], [expr], [expr]).

Please let me know if there is any other information you require.

Thanks and God bless,
Genesius

1 Solution

vnravikumar
Champion

Hi

Try the below query

index=linuxevents process="sudo" AND "COMMAND=" AND $sudoUserName$
 | rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
 | rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
 | where $sudoUserName$
 | table SLMsudo, sudoID, host, sudoCommand, _time


genesiusj
Builder

@vnravikumar
I had tried
| where $sudoUserName$
before. Forgot to list in the previous response.

However, this time, I also removed
AND $sudoUserName$
from the first line, and now it works.

It works for all possible values of sudoUserName except for All.

Thanks and God bless,
Genesius


genesiusj
Builder

@vnravikumar
Thanks for the answer. However, it still isn't working.
Here are the error messages from your command, and some others I tried.
From the dropdown in my original post (code) I selected root (sudoUserName). I've tried with other names in the dropdown list with the same errors.

| where sudoID=$sudoUserName$
Error in 'where' command: The operator at '="root" is invalid.

| where eval sudoID=$sudoUserName$
Error in 'where' command: The operator at 'sudoID=sudoID="root" is invalid.

| eval where sudoID=$sudoUserName$
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).

Thanks and God bless,
Genesius


vnravikumar
Champion

Hi

try exactly with | where $sudoUserName$

index=linuxevents process="sudo" AND "COMMAND="
  | rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
  | rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
  | where $sudoUserName$
  | table SLMsudo, sudoID, host, sudoCommand, _time

vnravikumar
Champion

hi

try with search instead of where in the query

| search $sudoUserName$

genesiusj
Builder

@vnravikumar
SEARCH worked over WHERE
Thanks and God bless,
Genesius

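Why `search` works where `where` did not comes down to what the dropdown token actually contains. The input's `<prefix>` and `<suffix>` wrap the chosen value, so `$sudoUserName$` expands to the complete clause `sudoID="root"` (visible in the error text above, where `eval sudoID=$sudoUserName$` became `sudoID=sudoID="root"`, an attempt to assign a comparison result). `where $sudoUserName$` then evaluates `sudoID="root"` as a literal, case-sensitive comparison, so the All choice (`sudoID="*"`) compares against a one-character string and matches nothing, while `search $sudoUserName$` treats `*` as a wildcard. The Python script below is an added example, not code from the thread or from Splunk: it re-implements the panel's pipeline over a few constructed sudo syslog lines (the sample events, the function names and the `mode` parameter are assumptions) and applies both filter semantics so the difference can be seen for "root", "Root" and "*".

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events (not from the thread). They follow the syslog
# layout the thread's rex expressions expect:
#   "... sudo: <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=<cmd>"
SAMPLE_EVENTS = [
    "Mar  3 10:01:02 web01 sudo:    root : TTY=pts/0 ; PWD=/root ; "
    "USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Mar  3 10:05:44 web01 sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/usr/bin/apt update",
    "Mar  3 10:07:10 db01 sudo:     bob : TTY=pts/2 ; PWD=/home/bob ; "
    "USER=postgres ; COMMAND=/usr/bin/psql",
    # A sudo session line with no COMMAND= field; the base search drops it.
    "Mar  3 10:09:31 db01 sudo: pam_unix(sudo:session): session opened "
    "for user root by bob(uid=0)",
]

# The thread's two rex expressions, with Splunk's (?<name>...) groups
# written in Python's (?P<name>...) form.
RE_SLMSUDO = re.compile(r".*sudo:\s(?P<SLMsudo>.*$)")
RE_SUDOID = re.compile(r"(?P<sudoID>[A-Za-z0-9]+).*COMMAND=(?P<sudoCommand>.*$)")


def base_search(events):
    """index=linuxevents process="sudo" AND "COMMAND=": keep events containing
    both literal strings (index and process are assumed already satisfied)."""
    return [e for e in events if "sudo:" in e and "COMMAND=" in e]


def extract(event):
    """Run both rex stages. Like rex, a stage that does not match simply leaves
    the fields absent, represented here by returning None."""
    m1 = RE_SLMSUDO.search(event)
    if m1 is None:
        return None
    slmsudo = m1.group("SLMsudo")
    m2 = RE_SUDOID.search(slmsudo)
    if m2 is None:
        return None
    return {"SLMsudo": slmsudo, "sudoID": m2.group("sudoID"),
            "sudoCommand": m2.group("sudoCommand")}


def expand_token(selected):
    """Simple XML wraps the chosen value in <prefix> and <suffix>, so the token
    is a complete field=value clause, never a bare user name."""
    return 'sudoID="' + selected + '"'


CLAUSE = re.compile(r'^(?P<field>\w+)="(?P<value>[^"]*)"$')


def parse_clause(clause):
    m = CLAUSE.match(clause)
    if m is None:
        raise ValueError('not a field="value" clause: ' + clause)
    return m.group("field"), m.group("value")


def where_filter(rows, clause):
    """`| where sudoID="..."`: where evaluates an expression, so the value is
    compared literally and case-sensitively; "*" is just a one-character
    string, which is why the All choice returns nothing."""
    field, value = parse_clause(clause)
    return [r for r in rows if r.get(field) == value]


def search_filter(rows, clause):
    """`| search sudoID="..."`: search treats * as a wildcard and compares
    field values case-insensitively, so All returns every row. fnmatchcase is
    an approximation of Splunk's matching (it also honours ? and [...])."""
    field, value = parse_clause(clause)
    return [r for r in rows
            if field in r and fnmatchcase(r[field].lower(), value.lower())]


def run_dashboard_query(selected, mode, events=SAMPLE_EVENTS):
    """Simulate the panel search for one dropdown selection. mode is "where"
    or "search"; returns the rows the table command would display."""
    rows = [r for r in (extract(e) for e in base_search(events)) if r is not None]
    clause = expand_token(selected)
    if mode == "where":
        return where_filter(rows, clause)
    if mode == "search":
        return search_filter(rows, clause)
    raise ValueError("mode must be 'where' or 'search'")


if __name__ == "__main__":
    for selected in ("root", "Root", "*"):
        for mode in ("where", "search"):
            ids = [r["sudoID"] for r in run_dashboard_query(selected, mode)]
            print(f"{mode:6} {expand_token(selected):14} -> {ids}")
```

For a sudo audit panel the practical consequence is that the `where` form fails silently: selecting All returns an empty table rather than an error, so privileged commands would simply not be shown. Choosing `search` for a token that carries a prefix and suffix keeps the wildcard default working and is the form to check for in any dashboard built this way.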
