
multisearch

Explorer

Dear all,

For a couple of hours I have been trying to get this:
I have one log with no similar wording in one line... because of that I cannot get what I need in one search.
These two searches get what I need:
index=ise "authentication failed" "Administrator-Login"
index=ise "authentication failed" "UserName"
Now I want to join these two queries into one and get results showing which admin logins and user logins have failed authentication...

Thank you

0 Karma

Explorer

Succeeded with:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| stats count by UserName
| append
[search index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| stats count by AdminName]

0 Karma

Super Champion

Can you try:

index=ise  ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
0 Karma

Explorer

Seems that's what I need; now how do I sort it by count?

0 Karma

Super Champion

Try the below:

...|sort 0 - count
0 Karma

Explorer

Yes, that, and make it like a table, to visualize instead of showing logs?

0 Karma

Explorer

Use the

| table 

to create a table of any fields you are interested in; the results from the search should provide interesting fields on the left of the search panel. Then use

| sort
0 Karma

Explorer

Nope, whatever I do, I cannot get it...
What about multisearch?

0 Karma

Explorer

Hm, seems this is fine:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| table AdminName UserName
| sort 0 - count

Now, instead of a couple of the same usernames in the list, I need them just counted, not repeated...

0 Karma

Super Champion

If you want to count by UserName and AdminName,
then try:

...|stats count by UserName AdminName
0 Karma

Explorer

With that, 0 score.
With only "stats count by UserName" I see all except admin accounts...
So now I only need to show/include the admin count as well.

0 Karma

Explorer

Which seems impossible, and because of that I want to try the multisearch option?
But I have never used it...

0 Karma

Super Champion

Which query did you try? What is your sample output so far, and what output are you expecting?

0 Karma

Super Champion

To show in tabular format, use the table command and then specify your field names:

...|table fieldname

OR

...|table *
0 Karma

SplunkTrust

How about this?

index=ise "authentication failed" ("Administrator-Login" OR "UserName")
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

In that query, I don't see administrator logins... 😕

0 Karma

Explorer

Can you try something like this?

index=ise authentication="failed" Administrator="Login"
| table UserName

I suggest adding a sourcetype to the search as well in the future.

0 Karma

Explorer

This cannot be done, because the logs are like syslog, and I cannot search by those fields... 😞

0 Karma
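The thread ends without a search that counts admin and user failures together, so here is an added example (not posted by any participant above) of the multisearch approach the title asks about. It assumes, as the stats commands earlier in the thread do, that AdminName is extracted from the "Administrator-Login" events and UserName from the "UserName" events, and that no single event carries both fields. The field names login_type and account are invented here for the normalized output:

```spl
| multisearch
    [ search index=ise "authentication failed" "Administrator-Login"
      | eval login_type="admin", account=AdminName ]
    [ search index=ise "authentication failed" "UserName"
      | eval login_type="user", account=UserName ]
| where isnotnull(account)
| stats count by login_type, account
| sort 0 - count
```

Two checks worth knowing. First, multisearch only allows streaming commands inside each bracketed search (eval, where, rex, fields and the like), so stats and sort must sit after the multisearch, as here, not inside the brackets. Second, the "0 score" seen with stats count by UserName AdminName is expected: stats drops any event that is missing one of its by-fields, and no event has both names, so every row is excluded. Copying each name into one shared field before the stats (the eval in each branch, or eval account=coalesce(AdminName, UserName) after the single OR search from earlier in the thread, since both branches hit the same index) is what lets one count cover both account types.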