topic Re: Why am I not getting a result? in All Apps and Add-ons

Why am I not getting a result?

albinortiz — Fri, 23 Mar 2018 15:50:02 GMT

The following code is intended to do several things. First, I am looking for all the hosts that are producing winevents and counting them.

index=winevents | dedup host| stats count as Total

Next, I do an ldapsearch for all computers in AD that have a Windows OS.

| append [ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
| lookup dnslookup clienthost AS cn
| search (opeartingSystem="Win*")]

Finally, I count those Windows computers and calculate a percentage between the Total computers and the Windows Computers

| stats count as WindowsComputers | append [makeresults [eval var = Total/WindowsComputers)]] | table var

The variable var is not displaying the percentage or anything whatsoever. Any ideas? this is the full code:

index=winevents 
| dedup host
| stats count as Total
| append [ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
| lookup dnslookup clienthost AS cn
| search (opeartingSystem="Win*")]
| stats count as WindowsComputers 
| append [makeresults [eval var = Total/WindowsComputers)]] 
| table var

Thanks in advance!

Re: Why am I not getting a result?

albinortiz — Fri, 23 Mar 2018 15:55:49 GMT

Line 8 should read | append [makeresults [eval var = Total/WindowsComputers)*100,1]]

Re: Why am I not getting a result?

tiagofbmm — Fri, 23 Mar 2018 16:01:01 GMT

Hey

First thing I'd change is the first query to index=winevents | stats dc(host) as Total

But coming to your issue, if your search is like this, after the makeresults you have a "[" and you must have a "|"

Re: Why am I not getting a result?

albinortiz — Fri, 23 Mar 2018 17:01:08 GMT

If I use index=winevents | stats dc(host) as Total, for some reason it won't bring the real amount.

I tried changing the syntax and nothing yet.

Re: Why am I not getting a result?

tiagofbmm — Fri, 23 Mar 2018 17:37:18 GMT

Can you try this by parts?

Is this returning events?

 index=winevents 
 | dedup host
 | stats count as Total

Is this returning events?

 index=winevents 
 | dedup host
 | stats count as Total

Is this returning events?

ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
 | lookup dnslookup clienthost AS cn
 | search (opeartingSystem="Win*")

And finally, have you changed to | append [ makeresults | eval var = Total/WindowsComputers) ] ??

Notice that | append [makeresults [eval var = Total/WindowsComputers)]] will never return results because it is a separate search that has no knowledge of the variables Total or WindowsComputers

Re: Why am I not getting a result?

albinortiz — Fri, 23 Mar 2018 17:55:28 GMT

@tiagofbmm Both queries return events. I use both on a different dashboard which works.

| append [ makeresults | eval var = Total/WindowsComputers) ] - No results found

Re: Why am I not getting a result?

tiagofbmm — Fri, 23 Mar 2018 18:04:59 GMT

Cool so as I told you, the last append has no knowledge of what the remaining things, mainly because the subsearches are run before the main search!

I believe what you need is this

 index=winevents 
 | dedup host
 | stats count as Total
 | appendcols [ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
 | lookup dnslookup clienthost AS cn
 | search (opeartingSystem="Win*")  | stats count as WindowsComputers ]
 | eval Percentage=Total/WindowsComputers

Re: Why am I not getting a result?

albinortiz — Fri, 23 Mar 2018 19:45:11 GMT

Still nothing man. It brings the Total but that's it.

Re: Why am I not getting a result?

tiagofbmm — Fri, 23 Mar 2018 19:51:40 GMT

This returns result?

| ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
  | lookup dnslookup clienthost AS cn
  | search (opeartingSystem="Win*")  | stats count as WindowsComputers

Re: Why am I not getting a result?

albinortiz — Fri, 23 Mar 2018 20:07:58 GMT

Yep. I have 900 computers in my network and it brings all 900

Re: Why am I not getting a result?

tiagofbmm — Fri, 23 Mar 2018 20:32:13 GMT

Hopefully not a stupid question at this time but... did you have the | in the ldapsearch?

Re: Why am I not getting a result?

tiagofbmm — Sat, 24 Mar 2018 07:09:16 GMT

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

Re: Why am I not getting a result?

albinortiz — Sat, 24 Mar 2018 07:29:14 GMT

I will get back to you Monday. Thanks!

Re: Why am I not getting a result?

albinortiz — Mon, 26 Mar 2018 13:20:43 GMT

I had the | in the ldapsearch but was missing the [.

Thanks for all the help!