topic Re: multisearch in Splunk Search

multisearch

vmicovic2 — Tue, 02 Jun 2020 16:34:36 GMT

Dear,

couple hours i am trying to get:
i have one log with no similar way of words in one line... because of that i cannot get in one search what i need.
This two searches get what i need:
index=ise "authentication failed" "Administrator-Login"
index=ise "authentication failed" "UserName"
Now i want this two query to join in one and get results which admin login and user login have authentication failed...

thank you

Re: multisearch

wedge22 — Tue, 02 Jun 2020 16:40:49 GMT

Can you try something like this?

index=ise authentication="failed" Administrator="Login"
| table UserName

I suggest adding a sourcetype to the search as well in the future.

Re: multisearch

richgalloway — Tue, 02 Jun 2020 16:42:08 GMT

How about this?

index=ise "authentication failed" ("Administrator-Login" OR "UserName")

Re: multisearch

vmicovic2 — Tue, 02 Jun 2020 16:45:10 GMT

this cannot be done, because logs are like syslog, and cannot search by that fields .. 😞

Re: multisearch

vmicovic2 — Tue, 02 Jun 2020 16:45:30 GMT

in that query, i don`t see administrator logins... 😕

Re: multisearch

493669 — Tue, 02 Jun 2020 17:00:16 GMT

can you try-

index=ise  ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")

Re: multisearch

vmicovic2 — Tue, 02 Jun 2020 17:06:23 GMT

seems that`s what i need, how now to sort it by count?

Re: multisearch

493669 — Tue, 02 Jun 2020 17:08:41 GMT

try below-

...|sort 0 - count

Re: multisearch

vmicovic2 — Tue, 02 Jun 2020 17:11:46 GMT

yes that and make it like table, to visualize instead to show logs?

Re: multisearch

493669 — Tue, 02 Jun 2020 17:17:01 GMT

to show in tabular format use table command and then specify your field names-

...|table fieldname

...|table *

Re: multisearch

wedge22 — Tue, 02 Jun 2020 17:18:44 GMT

Use the

| table

to create a table of any fields you are interested in, the results from the search should provide interesting fields on the left of the search panel, then use

| sort

Re: multisearch

vmicovic2 — Tue, 02 Jun 2020 17:32:55 GMT

nope, whatever i done, cannot get it...
what about multisearch?

Re: multisearch

493669 — Tue, 02 Jun 2020 17:37:57 GMT

which query did you tried? what is your sample output till now and what output you are expecting?

Re: multisearch

vmicovic2 — Tue, 02 Jun 2020 17:38:03 GMT

hm, seems this is fine:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| table AdminName UserName
| sort 0 - count

now i need instead couple same usernames in list, to be just counted, not repeated ...

Re: multisearch

493669 — Tue, 02 Jun 2020 17:45:53 GMT

if you want to count by UserName and AdminName
then try-

...|stats count by UserName AdminName

Re: multisearch

vmicovic2 — Tue, 02 Jun 2020 17:48:57 GMT

with that 0 score.
With only "stats count by UserName" i see all except admin accounts...
so now, i need only more to show/include admin count..

Re: multisearch

vmicovic2 — Tue, 02 Jun 2020 18:23:21 GMT

which seems impossible and because of that i want to try multi search option?
but never used...

Re: multisearch

vmicovic2 — Tue, 02 Jun 2020 19:23:01 GMT

succeeded with:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| stats count by UserName
| append
[search index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| stats count by AdminName]