Hello,
I have searched Answers and will continue to search after I post this. I'm not sure I am entering the correct search terms.
I have an input dropdown (dynamic) on a dashboard. Note: this works with no issues.
<input type="dropdown" token="sudoUserName">
  <label>Select a User ID.</label>
  <prefix>sudoID="</prefix>
  <suffix>"</suffix>
  <default>*</default>
  <choice value="*">All</choice>
  <fieldForLabel>sudoID</fieldForLabel>
  <fieldForValue>sudoID</fieldForValue>
  <search>
    <query>
      index=linuxevents process="sudo" AND "COMMAND="
      | rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
      | rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
      | dedup sudoID
    </query>
    <earliest>$Selected_Time_Range.earliest$</earliest>
    <latest>$Selected_Time_Range.latest$</latest>
  </search>
</input>
Problem.
I need to match the token sudoUserName to the field sudoID. However, sudoID is a field created while running the SPL below: a rex on _raw creates SLMsudo, and from there another rex creates sudoID. I only want events where the sudoID matches the sudoUserName. (Apologies if I am repeating myself.)
Here is the code for that portion.
index=linuxevents process="sudo" AND "COMMAND=" AND $sudoUserName$
| rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
| rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
| eval sudoID=$sudoUserName$
| table SLMsudo, sudoID, host, sudoCommand, _time
The eval command is kicking off this error.
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([boolean expr], [expr], [expr]).
Please let me know if there is any other information you require.
Thanks and God bless,
Genesius
Hi
Try the below query
index=linuxevents process="sudo" AND "COMMAND=" AND $sudoUserName$
| rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
| rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
| where $sudoUserName$
| table SLMsudo, sudoID, host, sudoCommand, _time
@vnravikumar
I had tried
| where $sudoUserName$
before. I forgot to list it in the previous response.
However, this time, I also removed
AND $sudoUserName$
from the first line, and now it works.
It works for all possible values of sudoUserName except for All.
Thanks and God bless,
Genesius
@vnravikumar
Thanks for the answer. However, it still isn't working.
Here are the error messages from your command, and some others I tried.
From the dropdown in my original post (code) I selected root (sudoUserName). I've tried with other names in the dropdown list with the same errors.
| where sudoID=$sudoUserName$
Error in 'where' command: The operator at '="root" is invalid.
| where eval sudoID=$sudoUserName$
Error in 'where' command: The operator at 'sudoID=sudoID="root" is invalid.
| eval where sudoID=$sudoUserName$
Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).
Thanks and God bless,
Genesius
Hi
Try exactly with | where $sudoUserName$
index=linuxevents process="sudo" AND "COMMAND="
| rex field=_raw ".*sudo:\s(?<SLMsudo>.*$)"
| rex field=SLMsudo "(?<sudoID>[A-Za-z0-9]+).*COMMAND=(?<sudoCommand>.*$)"
| where $sudoUserName$
| table SLMsudo, sudoID, host, sudoCommand, _time
Hi
Try with search instead of where in the query:
| search $sudoUserName$
@vnravikumar
SEARCH worked over WHERE
Thanks and God bless,
Genesius
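The following is an added example, not code from this thread or from Splunk: a small Python model of what the dashboard is doing, so the outcome reported above (search works for every value including All, where does not) can be seen on constructed data. The log lines, the render_token/parse_token helpers and the two filter functions are all assumptions made for illustration. The two regexes are the thread's own rex patterns translated to Python syntax; filter_where models the where command's exact string comparison (where "*" is a literal), and filter_search models the search command's wildcard matching (where "*" matches any sudoID).

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events in the shape the thread's rex patterns expect (not real log data).
SAMPLE_EVENTS = [
    "Mar  3 10:01:22 web01 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Mar  3 10:02:05 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log",
    "Mar  3 10:03:41 db01 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=postgres ; COMMAND=/usr/bin/psql",
    "Mar  3 10:04:10 db01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2",
]

# The thread's two rex stages, in Python named-group syntax.
SLMSUDO_RE = re.compile(r".*sudo:\s(?P<SLMsudo>.*$)")
SUDOID_RE = re.compile(r"(?P<sudoID>[A-Za-z0-9]+).*COMMAND=(?P<sudoCommand>.*$)")


def extract(events):
    """Apply both rex stages; events that do not match simply get no sudoID (as in Splunk)."""
    rows = []
    for raw in events:
        m1 = SLMSUDO_RE.search(raw)
        if not m1:
            continue  # not a sudo event
        slm = m1.group("SLMsudo")
        m2 = SUDOID_RE.search(slm)
        if not m2:
            continue  # sudo line without a COMMAND= part
        rows.append({
            "SLMsudo": slm,
            "sudoID": m2.group("sudoID"),
            "sudoCommand": m2.group("sudoCommand"),
            "_raw": raw,
        })
    return rows


def render_token(value, prefix='sudoID="', suffix='"'):
    """Model the dashboard's <prefix>/<suffix> wrapping: 'root' -> 'sudoID="root"'.

    This is why `eval sudoID=$sudoUserName$` fails: after substitution it reads
    `eval sudoID=sudoID="root"`, i.e. assigning a comparison (a boolean) to a field.
    """
    return f"{prefix}{value}{suffix}"


def parse_token(token):
    """Split the substituted text back into (field, value), e.g. ('sudoID', 'root')."""
    m = re.fullmatch(r'(\w+)="(.*)"', token)
    if not m:
        raise ValueError(f"unexpected token text: {token!r}")
    return m.group(1), m.group(2)


def filter_where(rows, token):
    """Model `| where sudoID="<value>"`: exact string equality, so "*" matches nothing."""
    field, value = parse_token(token)
    return [r for r in rows if r.get(field) == value]


def filter_search(rows, token):
    """Model `| search sudoID="<value>"`: "*" is a wildcard, so the All choice matches every row."""
    field, value = parse_token(token)
    return [r for r in rows if field in r and fnmatchcase(r[field], value)]


if __name__ == "__main__":
    rows = extract(SAMPLE_EVENTS)
    for choice in ("root", "*"):
        tok = render_token(choice)
        print(f"{tok:16} where -> {len(filter_where(rows, tok))} rows, "
              f"search -> {len(filter_search(rows, tok))} rows")
```

Running it shows the thread's result in miniature: for a concrete user both filters agree, but for the All choice (value "*") the where model returns nothing while the search model returns every sudo event, which is exactly the behaviour that made search the right command here. The sshd line is dropped by the first rex stage, so it never reaches either filter.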