___
# Tags
#homelab #splunk #splunk-queries

# Using the Eval command in a Splunk search

- The difference between the `+` and the `.` operators in `eval` is a little nuanced
- Using `+` you can create a new field out of existing fields by adding them together: if both operands are numbers (or numeric-looking strings) they are added, and if both are strings they are concatenated
- Using `.` you always concatenate as strings, which is how you append a string to the values in a field (examples below)
- Let's utilize Suricata logs for our example

```txt
index IN (nids) alert.signature IN (*) `src_ip_is_local`
| fields src_ip, dest_ip, dest_port, alert.signature, alert.signature_id, alert.gid, alert.category
| eval host_info = 'src_ip' + 'dest_ip' + 'dest_port'
| eval alert_and_signature_info = 'alert.signature' + 'alert.signature_id' + 'alert.gid' + 'alert.category'
| table host_info, alert_and_signature_info
```

- A field called `host_info` and another called `alert_and_signature_info` have been created by declaring the existing fields that make up the custom field, like `'field_name1' + 'field_name2'`
- The field names are wrapped in single quotes (required for names containing dots such as `alert.signature`); double quotes would instead produce a literal string, so `"src_ip" + "dest_ip"` gives the text `src_ipdest_ip` rather than the values of those fields

![[Pasted image 20220401182131.png]]

- This creates the new custom fields and combines all of the declared fields, however the values are all smashed together with nothing separating them
- It would be good to add some sort of divider here
- Caveat: because `+` adds when both operands are numeric, `'alert.gid' + 'alert.signature_id'` on a gid of `1` and a signature ID of `2100498` yields the sum `2100499`, not `12100498`; use `.` whenever you want concatenation regardless of the field's type

## Utilizing . instead of +

- Continuing to utilize Suricata logs for our example

```txt
index IN (nids) alert.signature IN (*) `src_ip_is_local`
| fields src_ip, dest_ip, dest_port, alert.signature, alert.signature_id, alert.gid, alert.category
| eval "src_ip" = 'src_ip' . ".99999"
| table src_ip
```

- This `eval`s the existing field `src_ip` (the field name on the left of the `=` is in double quotes) by setting it to its current value concatenated with the string literal `.99999`, so `192.168.77.20` becomes `192.168.77.20.99999`. Note this overwrites `src_ip` for the rest of the search pipeline; assign to a new field name if you still need the original value later

![[Pasted image 20220401182602.png]]

## Eval chaining

- You can set numerous fields in one `eval` command without repeating the command for each of them
- `| eval new_field = "string" , new_field2 = "string2"`
- This is also creating new fields using `eval`; the assignments are separated by commas

## Using case within an eval

```txt
index IN (nids) alert.signature IN (*) `src_ip_is_local`
| eval hostname_of_device = case('src_ip' = "192.168.77.20","jumpbox")
| search hostname_of_device = jumpbox
| stats count by hostname_of_device, alert.signature
```

- This search says: where the index is `nids`, the event has an `alert.signature` field and `src_ip_is_local` matches, evaluate the new field `hostname_of_device`; IF `src_ip` equals `192.168.77.20` THEN output `jumpbox`. Then search for only the results where the new field equals `jumpbox`, then `stats count` how many of each signature that host generated
- Events whose `src_ip` matches no `case()` condition get a null `hostname_of_device`, which is why the `| search` line drops everything else
- Multiple conditions can also be chained inside one `case()`

```txt
index IN (nids) alert.signature IN (*) `src_ip_is_local`
| eval vlan_of_device = case('src_ip' = "192.168.77.32","homenet", 'src_ip' = "192.168.88.22","labnet")
| table src_ip, vlan_of_device, alert.signature
```

![[Pasted image 20220401182619.png]]

- The chained `case()` is now successfully populating the `vlan_of_device` field

```txt
| eval vlan_of_device = case('src_ip' = "192.168.77.32","homenet", 'src_ip' = "192.168.88.22","labnet", 1=1, 'src_ip')
```

- In this snippet the two `src_ip`s still evaluate to `homenet` and `labnet`, but the trailing `1=1, 'src_ip'` pair is a catch-all: `case()` checks its condition/value pairs in order and returns the value of the first condition that is true, and `1=1` is always true, so any `src_ip` that did not match the earlier conditions fills `vlan_of_device` with the `src_ip` value itself instead of leaving it null, resulting in this (Splunk's `true()` function does the same job as `1=1`)

![[Pasted image 20220401182632.png]]
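An added example, not from the original note, showing the divider the `host_info` bullets above call for and the numeric gotcha with `+` side by side. It assumes the same `nids` index, the `src_ip_is_local` macro and the Suricata field names used in the searches above; the `sid_gid_plus` field exists only to show what `+` does with two numeric fields:

```spl
index IN (nids) alert.signature IN (*) `src_ip_is_local`
| fields src_ip, dest_ip, dest_port, alert.signature, alert.signature_id, alert.gid, alert.category
| eval host_info = 'src_ip' . " -> " . 'dest_ip' . ":" . 'dest_port'
| eval sid_gid = 'alert.gid' . ":" . 'alert.signature_id'
| eval sid_gid_plus = 'alert.gid' + 'alert.signature_id'
| eval alert_info = 'alert.category' . " | " . 'alert.signature'
| table host_info, sid_gid, sid_gid_plus, alert_info
```

With `.`, `host_info` reads like `192.168.77.20 -> 10.0.0.5:443` and `sid_gid` like `1:2100498`, the usual `gid:sid` form seen in Suricata rules. `sid_gid_plus` on the same event is `2100499`, because both operands are numeric and `+` adds them; that is the difference the first section is describing, and it is why a divider string is always concatenated with `.`.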
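An added example, not from the original note, that combines the `case()` and eval chaining sections above into one search: two fields are set in a single `eval`, each `case()` ends with a `true()` default so no event is left null, and `cidrmatch()` classifies whole subnets after the exact-host matches. The subnets, host names and the `nids` index and `src_ip_is_local` macro are assumed from the earlier searches:

```spl
index IN (nids) alert.signature IN (*) `src_ip_is_local`
| eval vlan_of_device = case('src_ip' = "192.168.77.32", "homenet",
                             'src_ip' = "192.168.88.22", "labnet",
                             cidrmatch("192.168.77.0/24", 'src_ip'), "homenet-other",
                             cidrmatch("192.168.88.0/24", 'src_ip'), "labnet-other",
                             true(), "unknown"),
       hostname_of_device = case('src_ip' = "192.168.77.20", "jumpbox",
                                 true(), 'src_ip')
| eval host_info = 'hostname_of_device' . " (" . 'vlan_of_device' . ")"
| stats count by host_info, alert.signature
| sort - count
```

Order inside `case()` matters: the first true condition wins, so the exact-host pairs go before the `cidrmatch()` pairs or the subnet label would shadow them. The `true()` default is the same catch-all as the `1=1, 'src_ip'` pair above; without it, unmatched events get a null `vlan_of_device` and silently disappear from `stats count by`. `host_info` is built in a second `eval` so it can safely reference the two fields created in the first.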