Solved: Why am I not getting a result?

albinortiz · ‎03-23-2018

The following code is intended to do several things. First, I am looking for all the hosts that are producing winevents and counting them.

index=winevents | dedup host| stats count as Total

Next, I do an ldapsearch for all computers in AD that have a Windows OS.

| append [ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
| lookup dnslookup clienthost AS cn
| search (opeartingSystem="Win*")]

Finally, I count those Windows computers and calculate a percentage between the Total computers and the Windows Computers

| stats count as WindowsComputers | append [makeresults [eval var = Total/WindowsComputers)]] | table var

The variable var is not displaying the percentage or anything whatsoever. Any ideas? this is the full code:

index=winevents 
| dedup host
| stats count as Total
| append [ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
| lookup dnslookup clienthost AS cn
| search (opeartingSystem="Win*")]
| stats count as WindowsComputers 
| append [makeresults [eval var = Total/WindowsComputers)]] 
| table var

Thanks in advance!

tiagofbmm · ‎03-23-2018

Hey

First thing I'd change is the first query to index=winevents | stats dc(host) as Total

But coming to your issue, if your search is like this, after the makeresults you have a "[" and you must have a "|"

View solution in original post

tiagofbmm · ‎03-23-2018

Hey

First thing I'd change is the first query to index=winevents | stats dc(host) as Total

But coming to your issue, if your search is like this, after the makeresults you have a "[" and you must have a "|"

albinortiz · ‎03-23-2018

If I use index=winevents | stats dc(host) as Total, for some reason it won't bring the real amount.

I tried changing the syntax and nothing yet.

tiagofbmm · ‎03-23-2018

Can you try this by parts?

Is this returning events?

 index=winevents 
 | dedup host
 | stats count as Total

Is this returning events?

 index=winevents 
 | dedup host
 | stats count as Total

Is this returning events?

ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
 | lookup dnslookup clienthost AS cn
 | search (opeartingSystem="Win*")

And finally, have you changed to | append [ makeresults | eval var = Total/WindowsComputers) ] ??

Notice that | append [makeresults [eval var = Total/WindowsComputers)]] will never return results because it is a separate search that has no knowledge of the variables Total or WindowsComputers

albinortiz · ‎03-23-2018

@tiagofbmm Both queries return events. I use both on a different dashboard which works.

| append [ makeresults | eval var = Total/WindowsComputers) ] - No results found

tiagofbmm · ‎03-23-2018

Cool so as I told you, the last append has no knowledge of what the remaining things, mainly because the subsearches are run before the main search!

I believe what you need is this

 index=winevents 
 | dedup host
 | stats count as Total
 | appendcols [ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
 | lookup dnslookup clienthost AS cn
 | search (opeartingSystem="Win*")  | stats count as WindowsComputers ]
 | eval Percentage=Total/WindowsComputers

albinortiz · ‎03-23-2018

Still nothing man. It brings the Total but that's it.

tiagofbmm · ‎03-23-2018

This returns result?

| ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
  | lookup dnslookup clienthost AS cn
  | search (opeartingSystem="Win*")  | stats count as WindowsComputers

albinortiz · ‎03-23-2018

Yep. I have 900 computers in my network and it brings all 900

tiagofbmm · ‎03-23-2018

Hopefully not a stupid question at this time but... did you have the | in the ldapsearch?

tiagofbmm · ‎03-24-2018

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that

albinortiz · ‎03-24-2018

I will get back to you Monday. Thanks!

albinortiz · ‎03-26-2018

I had the | in the ldapsearch but was missing the [.

Thanks for all the help!

albinortiz · ‎03-23-2018

Line 8 should read | append [makeresults [eval var = Total/WindowsComputers)*100,1]]

Why am I not getting a result?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?