map_notable_fields in ES bug?

Hi guys, I have this search:

| datamodel "Malware" "Malware_Attacks" search | `drop_dm_object_name(Malware_Attacks)` | `map_notable_fields` | search abc

It does NOT filter on the abc content. If I do this:

| datamodel "Malware" "Malware_Attacks" search | `drop_dm_object_name(Malware_Attacks)` | search abc | `map_notable_fields`

it works. I can see in the job inspector that the first search adds a "| noop" to the normalized search just before the "| search abc":

| search (tag=attack tag=malware (index=* OR index=_*) (index="estreamer" OR index="pan" OR index="trendmicro" OR index="wineventlog")) DIRECTIVES(READ_SUMMARY(allow_old_summaries="false" dmid="FAC94FC4-23AE-44F4-BA73-E65513A137DB_DM_Splunk_SA_CIM_Malware" name="Malware.Malware_Attacks" predicate="*" summariesonly="false"),REQUIRED_TAGS(intersect="t" tags="pci")) | eval action=if((isnull(action) OR (action == "")),"unknown",action), category=if((isnull(category) OR (category == "")),"unknown",category), date=strftime('_time',"%m-%d-%Y"), signature=if((isnull(signature) OR (signature == "")),"unknown",signature), dest=if((isnull(dest) OR (dest == "")),"unknown",dest), dest_nt_domain=if((isnull(dest_nt_domain) OR (dest_nt_domain == "")),"unknown",dest_nt_domain), user=if((isnull(user) OR (user == "")),"unknown",user), vendor_product=case(isnotnull(vendor_product),vendor_product,(((isnotnull(vendor) AND (vendor != "unknown")) AND isnotnull(product)) AND (product != "unknown")),((vendor . " ") . product),((isnotnull(vendor) AND (vendor != "unknown")) AND (isnull(product) OR (product == "unknown"))),(vendor . " unknown"),(((isnull(vendor) OR (vendor == "unknown")) AND isnotnull(product)) AND (product != "unknown")),("unknown " . product),isnotnull(sourcetype),sourcetype,true(),"unknown"), is_Allowed_Malware=if(searchmatch("action=\"allowed\""),1,0), is_not_Allowed_Malware=(1 - is_Allowed_Malware), is_Blocked_Malware=if(searchmatch("action=\"blocked\""),1,0), is_not_Blocked_Malware=(1 - is_Blocked_Malware), is_Deferred_Malware=if(searchmatch("action=\"deferred\""),1,0), is_not_Deferred_Malware=(1 - is_Deferred_Malware) | rename action as "Malware_Attacks.action", category as "Malware_Attacks.category", date as "Malware_Attacks.date", dest as "Malware_Attacks.dest", dest_bunit as "Malware_Attacks.dest_bunit", dest_category as "Malware_Attacks.dest_category", dest_nt_domain as "Malware_Attacks.dest_nt_domain", dest_priority as "Malware_Attacks.dest_priority", dest_requires_av as "Malware_Attacks.dest_requires_av", file_hash as "Malware_Attacks.file_hash", file_name as "Malware_Attacks.file_name", file_path as "Malware_Attacks.file_path", is_Allowed_Malware as "Malware_Attacks.is_Allowed_Malware", is_Blocked_Malware as "Malware_Attacks.is_Blocked_Malware", is_Deferred_Malware as "Malware_Attacks.is_Deferred_Malware", is_not_Allowed_Malware as "Malware_Attacks.is_not_Allowed_Malware", is_not_Blocked_Malware as "Malware_Attacks.is_not_Blocked_Malware", is_not_Deferred_Malware as "Malware_Attacks.is_not_Deferred_Malware", sender as "Malware_Attacks.sender", signature as "Malware_Attacks.signature", src as "Malware_Attacks.src", src_bunit as "Malware_Attacks.src_bunit", src_category as "Malware_Attacks.src_category", src_priority as "Malware_Attacks.src_priority", tag as "Malware_Attacks.tag", url as "Malware_Attacks.url", user as "Malware_Attacks.user", user_bunit as "Malware_Attacks.user_bunit", user_category as "Malware_Attacks.user_category", user_priority as "Malware_Attacks.user_priority", vendor_product as "Malware_Attacks.vendor_product" | fields + _time, host, source, sourcetype, "Malware_Attacks.dest_bunit", "Malware_Attacks.dest_category", "Malware_Attacks.dest_priority", "Malware_Attacks.dest_requires_av", "Malware_Attacks.file_hash", "Malware_Attacks.file_name", "Malware_Attacks.file_path", "Malware_Attacks.sender", "Malware_Attacks.src", "Malware_Attacks.src_bunit", "Malware_Attacks.src_category", "Malware_Attacks.src_priority", "Malware_Attacks.tag", "Malware_Attacks.url", "Malware_Attacks.user_bunit", "Malware_Attacks.user_category", "Malware_Attacks.user_priority", "Malware_Attacks.action", "Malware_Attacks.category", "Malware_Attacks.date", "Malware_Attacks.signature", "Malware_Attacks.dest", "Malware_Attacks.dest_nt_domain", "Malware_Attacks.user", "Malware_Attacks.vendor_product", "Malware_Attacks.is_Allowed_Malware", "Malware_Attacks.is_not_Allowed_Malware", "Malware_Attacks.is_Blocked_Malware", "Malware_Attacks.is_not_Blocked_Malware", "Malware_Attacks.is_Deferred_Malware", "Malware_Attacks.is_not_Deferred_Malware" | rename "Malware_Attacks.*" as "*" | noop| search abc

Do any of you know why this is the behavior, and why the macro in itself changes Splunk's behavior? Also, if I expand the macros, my search works fine, and the noop is not added in the expanded search. This is also the behavior in the search app, and not just the ES search.
