topic Re: Search dont work in Splunk Search

Search dont work

cesarb — Mon, 23 Apr 2018 10:27:03 GMT

Hi,
I want to show the number of all my downloads with a Splunk search, but the search shows never all downloads how i want it.
Here is my search:

index=abc sourcetype=xyz country="USA" | top limit=2000 filetype| rename count AS "number of downloads"

For exampel, this search doesn't show the filetype pdf.

But the search:
index abc sourcetype = xyz country="USA" filetype=pdf |top limit=2000 filetype| rename count AS "number of downloads"

show that there are a big number of pdf's

and when i change the search to

index abc sourcetype = xyz country="USA" filetype=pdf OR fieltype=txt |top limit=2000 filetype| rename count AS "number of downloads"

There are NO results displayed

With the search
index abc sourcetype = xyz country="USA" |top limit=2000 filetype|search filetype=pdf fieltype=txt |rename count AS "number of downloads there are no results displayed too.

Did anybody of you know a answer, what ist my fault? I want to show all filetypes, but it is important that the pdf's dont will be ignored.

Thank you very much for your help, and sorry if this is to incomprehensible.

Re: Search dont work

FrankVl — Mon, 23 Apr 2018 13:36:52 GMT

Not sure why the PDFs don't show up. Is the number of those sufficient to expect it in the top 2000?

Your last 2 searches contain a typo: fieltype instead of filetype.

Re: Search dont work

koenV — Mon, 23 Apr 2018 13:49:47 GMT

Continuing on FrankVIs answer, you can also try to use count by as follows:

index=abc sourcetype=xyz country="USA" | stats count(filetype) AS "number of downloads" by filetype

If your amount of data is not incredibly large this should run just fine. From the results you should be able to see how many PDFs, txts etc. you have. Then you can conclude easily whether or not the PDFs will show up in the top limit=2000 filetype part of your query.

Also, Splunk has a built in "helper" to inspect your ran queries ("jobs"): Beneath the search input bar there is an item called "Job v" from which you can click "Inspect Job" to see some more information about it. Often if no results are returned this can give you some insights as to why no results were returned. In the case of your latter two queries it will likely say something along the lines of "couldn't run query: at ". Try it out some time, it can really be helpful!

Re: Search dont work

p_gurav — Mon, 23 Apr 2018 14:04:37 GMT

Can you simply try :

index=abc sourcetype=xyz country="USA" | stats count AS "number of downloads" by filetype

Re: Search dont work

gcusello — Mon, 23 Apr 2018 14:14:57 GMT

Hi cesarb,
at first you don't need to use the limit option

index=abc sourcetype=xyz country="USA" 
| top 2000 filetype
| rename count AS "number of downloads"

The first check you have to do is on the name of the field "filetype": is it correctly written?
if you copied it from a text editor there could be a non visible char (like tab).

Then perform the same check on sourcetype = xyz than one time has spaces and one time they aren't.

Then verify that filetype=pdf is correctly written: try using

filetype="*pdf*"

maybe there's a space.

Then in

index abc sourcetype = xyz country="USA" filetype=pdf OR fieltype=txt 
|top limit=2000 filetype
| rename count AS "number of downloads"

the filetype field isn't correctly written.
Then the search

index abc sourcetype = xyz country="USA" 
|top limit=2000 filetype
|search filetype=pdf fieltype=txt 
|rename count AS "number of downloads

cannot match any result because I don't think that an event could have at the same time filetype=pdf AND filetype=txt (maybe you forgot an OR).

I hope to help you.
Bye.
Giuseppe

Re: Search dont work

cesarb — Tue, 24 Apr 2018 07:52:15 GMT

Thank you very much for your answer.
But the fields are all written correctly, I just do a mistake in this example here, also there is no space.
And i tried to do this with an OR but it dont work, I dont understand why,

index abc sourcetype = xyz country="USA" filetype=pdf OR fieltype=txt |top limit=2000 filetype| rename count AS "number of downloads"

shows 1 pdf
and

index abc sourcetype = xyz country="USA" filetype=pdf |top limit=2000 filetype| rename count AS "number of downloads"

shows 100 pdfs.

Nevertheless, thank you very much!:)

Re: Search dont work

cesarb — Tue, 24 Apr 2018 07:52:51 GMT

Thanks but there is no different 😞

Re: Search dont work

cesarb — Tue, 24 Apr 2018 07:54:32 GMT

Yes, the number is really sufficient.. Its a big number...
Yes, i seen the spelling mistake, but it is just here in the example, in the real search is no spelling mistake

Re: Search dont work

FrankVl — Tue, 24 Apr 2018 08:21:07 GMT

Any chance you can share some screenshots of the various searches you've been trying and their results (and also add one for a | stats count by filetype? Just to see if we can spot something out of the ordinary...

Re: Search dont work

cesarb — Tue, 24 Apr 2018 09:03:19 GMT

Yes i uploaded some screenshots.

This is the search without a filter --> no pdf shown
https://prnt.sc/j9deav

This is the search with filter for pdf'S
https://prnt.sc/j9dg9g

This is the search with filter on pdf OR txt ---> no results! Why? Just pdf gives results..
https://prnt.sc/j9dgrd

This is the search with the stats count by filtetype
https://prnt.sc/j9dhdj

I hope you can seen the screenshots, i cant upload the screens here.
Thank you for your help!:)

Re: Search dont work

TISKAR — Tue, 24 Apr 2018 10:00:46 GMT

@cesarb, are you try by:

index abc sourcetype = xyz country="USA"  filetype=pdf OR fieltype=txt  |stats count by  filetype| sort -count 2000

can you share the result of this request please

Re: Search dont work

cesarb — Tue, 24 Apr 2018 10:18:46 GMT

Hi, thank you but it gives :"No results found. Try expanding the time range."

Here the screenshot: https://prnt.sc/j9ehea

When I just filter for pdf's, i get these result: https://prnt.sc/j9eilt

And i dont understand why it works for just pdf's, but not for more filters with an OR between it...

Re: Search dont work

damien_chillet — Tue, 24 Apr 2018 10:27:00 GMT

Could you try to add quotes around FileType field values and run the job in smart mode?

Re: Search dont work

TISKAR — Tue, 24 Apr 2018 10:32:16 GMT

can you please try by all time in place to 7 days
and verifie its FileType not filetype

Re: Search dont work

cesarb — Tue, 24 Apr 2018 10:40:24 GMT

When i use all time i get a result of count 2 pdf's... This is not correctly

Re: Search dont work

cesarb — Wed, 25 Apr 2018 06:34:57 GMT

I've tried it, it dont work.

Re: Search dont work

FrankVl — Wed, 25 Apr 2018 07:29:10 GMT

That's some really weird inconsistent behavior...

As someone already suggested in another comment: have you tried running these in smart mode rather than fast mode?

Re: Search dont work

cesarb — Wed, 25 Apr 2018 07:54:49 GMT

Yes, i've already tried this ...

Re: Search dont work

FrankVl — Wed, 25 Apr 2018 09:15:14 GMT

Oh, I just noticed you added the stats count behind the top. Can you please run that without the top command before it?