topic Re: Not getting any data in Splunk Search

Not getting any data

Michael_Schyma1 — Tue, 17 Jul 2012 16:09:06 GMT

index="Server" (CategoryString="Account Management" OR TaskCategory="Security Group Management" ) (Message="Security Enabled*" OR Message="A member was added to a*") ( EventCode=632 OR EventCode=636 OR EventCode=4728 OR EventCode=4732) | top member, group, caller, name, host, Security_ID | fields member, group, caller, name, host, Security_ID| eval caller = if(isnull(Account_Name), Caller_User_Name, mvindex(Account_Name,0)) | eval member = if(isnull(Account_Name), Member_Name, mvindex(Account_Name,1)) | eval group = if(isnull(Target_Account_Name), Group_Name, Target_Account_Name) | search group="*Domain Admins" OR “*Administrators” OR “*ACCOUNT OPERATORS” OR “*Enterprise Admins” OR “*Schema Admins”|  rename _time AS Time member AS Username group AS Group caller AS "Action by" name AS "Description" host AS "DC" Security_ID AS "Initiator Details" | convert timeformat="%m/%d/%Y %H:%M:%S %p" ctime(Time)

I am having a hard time figuring out why no information is being displayed through the top and fields command.

Re: Not getting any data

gnovak — Tue, 17 Jul 2012 16:22:07 GMT

Have you tried doing the search bit by bit? Where does it fail for you?

Re: Not getting any data

gnovak — Tue, 17 Jul 2012 16:30:06 GMT

| fields member, group, caller, name, host, Security_ID|

Try putting a space after Security_ID and the |

Does that do anything?

Re: Not getting any data

Ayn — Tue, 17 Jul 2012 16:37:09 GMT

top is a command that transforms the search results, so if it gets raw input, it will not pass on that raw input to the commands coming after it in the search pipeline. So, once you've run top field1 for instance, the information available to the rest of the commands will only be the results produced by top (values for field1, count and percent). So, when you run rename _time AS Time for instance, that doesn't make sense because at that stage in the search pipeline the _time field doesn't exist anymore.

Perhaps you could explain a bit more what you want to accomplish with your search?

Re: Not getting any data

Michael_Schyma1 — Tue, 17 Jul 2012 16:48:37 GMT

I just want to display all of the feilds, i do not even need the top function yet.

Re: Not getting any data

Michael_Schyma1 — Tue, 17 Jul 2012 16:49:33 GMT

at the top command

Re: Not getting any data

Ayn — Tue, 17 Jul 2012 16:50:07 GMT

Then why are you using it?

Re: Not getting any data

Michael_Schyma1 — Tue, 17 Jul 2012 16:50:58 GMT

because i was going to add it in eventually, but i cant even get the feilds to display

Re: Not getting any data

Ayn — Tue, 17 Jul 2012 16:52:24 GMT

Well perhaps remove it? 😛

Re: Not getting any data

Michael_Schyma1 — Tue, 17 Jul 2012 16:53:26 GMT

I did lol but i still dont see the fields displaying in my chart below the search

Re: Not getting any data

Ayn — Tue, 17 Jul 2012 16:57:12 GMT

What chart? What kind of output are you expecting? I don't see any charting commands in your search (besides top that I guess could count as a charting command)