pdoconnell / TA-microsoft-windefender

Splunk TA for Windows Defender inputs and extractions.
Apache License 2.0

EVAL-Feature_Name #1

Open anoopdi opened 6 years ago

anoopdi commented 6 years ago

While going through the error/warning messages within my Splunk environment, I noticed the following warning message, which appears quite a number of times in a day.

"Invalid eval expression for 'EVAL-Feature_Name' in stanza [XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]. The expression is malformed. Expected )"

The corresponding calculated field expression seems to be incomplete: EVAL-Feature_Name = case(Feature_Name="%%802",

cbboggs commented 6 years ago

Here is a corrected EVAL statement:

EVAL-Feature_Name = case(Feature_Name="%%802","Antimalware",Feature_Name="%%801","AntiSpyware",Feature_Name="%%800","AntiVirus",1=1,Feature_Name)
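
As an added example that is not part of this issue or the TA, a small Python lint that catches this class of truncated `EVAL-` expression in `props.conf` before Splunk logs the "Expected )" warning at search time; the sample props.conf inside it is constructed from the lines in this thread, and its `1=1` catch-all branch is this example's own choice of default.

```python
"""Added example: lint EVAL- calculated fields in a Splunk props.conf for the
malformed-expression class reported in this issue (unbalanced parentheses, unterminated
strings, truncated argument lists). Backslash line continuations are not handled."""
import re

# Constructed sample props.conf: the truncated line from the report beside the corrected
# one. The "1=1" catch-all branch is this example's choice of default, not from the TA.
SAMPLE_PROPS = """
[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
EVAL-Feature_Name_broken = case(Feature_Name="%%802",
EVAL-Feature_Name = case(Feature_Name="%%802","Antimalware",Feature_Name="%%801","AntiSpyware",Feature_Name="%%800","AntiVirus",1=1,Feature_Name)
"""

def check_expression(expr):
    """Return the problems found in one eval expression (empty list if it parses cleanly)."""
    problems, depth = [], 0
    # Tokens: complete string literals (with \" escapes), a stray quote, or a parenthesis.
    for tok in re.findall(r'"(?:\\.|[^"\\])*"|"|[()]', expr):
        if tok == '"':
            problems.append("unterminated string literal")
        elif tok == "(":
            depth += 1
        elif tok == ")":
            if depth == 0:
                problems.append("unexpected ')'")
            else:
                depth -= 1
    if depth > 0:
        problems.append("%d unclosed parenthesis(es); Splunk reports: Expected )" % depth)
    if expr.rstrip().endswith(","):
        problems.append("expression ends with a comma (truncated argument list)")
    return problems

def lint_props(text):
    """Return (stanza, field, problems) for every EVAL- entry that fails check_expression."""
    stanza, findings = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            stanza = m.group(1)
            continue
        m = re.match(r"^(EVAL-[^\s=]+)\s*=\s*(.*)$", line)
        problems = check_expression(m.group(2)) if m else []
        if problems:
            findings.append((stanza, m.group(1), problems))
    return findings
```

Running `lint_props` over a real props.conf reports each offending stanza and field name, which is the information Splunk's warning gives and the line-level detail it does not.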

dpwtheitguy commented 3 years ago

Fixes issue. Bump to the code owner on getting this into Splunkbase.

amdnox commented 3 years ago

Solves the issue, please merge into master!