Splunk Search

multisearch

vmicovic2
Explorer

Dear all,

For a couple of hours I have been trying to get this:
I have one log with no similar wording in one line... because of that I cannot get what I need in one search.
These two searches get what I need:
index=ise "authentication failed" "Administrator-Login"
index=ise "authentication failed" "UserName"
Now I want to join these two queries into one and get results showing which admin logins and user logins have failed authentication...

Thank you

0 Karma

vmicovic2
Explorer

Succeeded with:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| stats count by UserName
| append
[search index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| stats count by AdminName]

0 Karma
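The reason "stats count by UserName AdminName" returned nothing in this thread is that stats drops any event that is missing one of its by-fields, and each ISE event here carries either AdminName or UserName, never both. The following is an added example, not part of the original thread, that handles this in one search without append; it assumes the same index=ise events and the AdminName/UserName fields the poster used, and the login_type and account field names are introduced here for illustration:

```spl
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| eval account=coalesce(AdminName, UserName)
| eval login_type=if(isnotnull(AdminName), "admin", "user")
| stats count by login_type account
| sort 0 - count
```

coalesce() takes the first non-null value, so an event with only AdminName is counted under the admin row and an event with only UserName under the user row; the login_type column keeps the two populations apart in the same table instead of stacking them with append, and sort 0 - count orders the full result set by the number of failures.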

493669
Super Champion

Can you try:

index=ise  ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
0 Karma

vmicovic2
Explorer

Seems that's what I need; now how do I sort it by count?

0 Karma

493669
Super Champion

Try the below:

...|sort 0 - count
0 Karma

vmicovic2
Explorer

Yes, that, and how to make it like a table, to visualize instead of showing logs?

0 Karma

wedge22
Explorer

Use the

| table

to create a table of any fields you are interested in. The results from the search should provide interesting fields on the left of the search panel; then use

| sort
0 Karma

vmicovic2
Explorer

Nope, whatever I did, I cannot get it...
What about multisearch?

0 Karma

vmicovic2
Explorer

Hm, seems this is fine:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| table AdminName UserName
| sort 0 - count

Now I need the same username, instead of appearing a couple of times in the list, to be just counted, not repeated...

0 Karma

493669
Super Champion

If you want to count by UserName and AdminName,
then try:

...|stats count by UserName AdminName
0 Karma

vmicovic2
Explorer

With that, a 0 score.
With only "stats count by UserName" I see all except admin accounts...
So now I only need to show/include the admin count as well..

0 Karma

vmicovic2
Explorer

Which seems impossible, and because of that I want to try the multisearch option?
But I have never used it...

0 Karma

493669
Super Champion

Which query did you try? What is your sample output so far, and what output are you expecting?

0 Karma

493669
Super Champion

To show in tabular format, use the table command and then specify your field names:

...|table fieldname

OR

...|table *
0 Karma

richgalloway
SplunkTrust

How about this?

index=ise "authentication failed" ("Administrator-Login" OR "UserName")
---
If this reply helps you, Karma would be appreciated.
0 Karma

vmicovic2
Explorer

In that query, I don't see administrator logins... 😕

0 Karma

wedge22
Explorer

Can you try something like this?

index=ise authentication="failed" Administrator="Login"
| table UserName

I suggest adding a sourcetype to the search as well in the future.

0 Karma

vmicovic2
Explorer

This cannot be done, because the logs are like syslog, and I cannot search by those fields.. 😞

0 Karma