Dashboards & Visualizations

Can you help with two similar requests that don't have the same results?

jip31
Motivator

Hi

I use two requests that are almost the same.

First request:

eventtype=Flag OR eventtype=Model 
| rex "Model=(?<model>.*)" 
| stats values(model) as Model by host  
| stats dc(host) as host by Model 
| sort -model limit=5

This request doesn't return values because eventtype=Flag, which corresponds to index="windows-fr" sourcetype="tools:flags" filename="TOTO*", is not respected.

Second request:

eventtype=Flag OR eventtype=NATCO
| eval NATCO=if(key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\ConfigurationCountry", data, null())
| stats values(NATCO) as NATCO by host 
| stats dc(host) as host by NATCO 
| sort -NATCO limit=5

I get values for this request even though I also use eventtype=Flag.

Normally it should also be empty.

What is the problem, please?


woodcock
Esteemed Legend

Try this instead for your first search (which has several mistakes):

index=* AND (eventtype=Flag OR eventtype=Model)
| rex "Model=(?<model>.*)" 
| eval model=coalesce(model, "WAS_NULL")
| stats dc(host) AS host by model 
| sort 5 -model

raphgoncalves
Explorer

eventtype=Flag OR eventtype=NATCO

If eventtype=NATCO returns events, it should be normal that you have some results, shouldn't it?


jip31
Motivator

No.
eventtype also returns results, but
the stats values() is used to do a match between the two eventtypes.
So if eventtype=Flag is KO, I should have no results in the other eventtype.


andreacorvini
Path Finder

In the second query, if you use only "eventtype=NATCO" (instead of "eventtype=Flag OR eventtype=NATCO"), do you get the same result?


jip31
Motivator

Yes, I get the same result.


jip31
Motivator

In fact I want to have a result if the condition mentioned in eventtype=Flag
(index="windows-fr" sourcetype="tools:flags" filename="TOTO*") is OK.
If the condition is KO, I don't want results.

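The reason the second search still returns rows is never spelled out in the thread, so here is a worked SPL example. It is added here and was not posted by anyone in the thread. `eventtype=Flag OR eventtype=NATCO` is a plain union: Splunk returns every event that matches either eventtype, and `stats values(NATCO) by host` just collects NATCO values from whichever events carry the `key_path` field. Nothing in the original pipeline ties a host's NATCO value to the presence of a Flag event for that host, so an eventtype=Flag that matches nothing changes the result not at all. To make the Flag condition mandatory, count Flag events in the same `stats` and filter on that count. The search below keeps the eventtypes, field names and registry path from the question; the `is_flag` and `flag_events` field names are my own, and it assumes that the Flag events and the registry events report the same `host` value.

```spl
eventtype=Flag OR eventtype=NATCO
| eval NATCO=if(key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\ConfigurationCountry", data, null())
| eval is_flag=if(searchmatch("eventtype=Flag"), 1, 0)
| stats sum(is_flag) AS flag_events, values(NATCO) AS NATCO by host
| where flag_events > 0 AND isnotnull(NATCO)
| stats dc(host) AS host by NATCO
| sort 5 -host
```

Line by line: the first `eval` picks the country value only from registry events, using `null()` (with parentheses) so that every other event gets no NATCO value. The second `eval` marks each event that matched the Flag eventtype; `searchmatch()` is used rather than `eventtype=="Flag"` because `eventtype` becomes a multivalue field when an event matches several eventtypes. The first `stats` produces one row per host with the number of Flag events it had and the NATCO values it reported. The `where` then drops every host without a Flag event, so if eventtype=Flag matches nothing (for example because no filename starts with TOTO), every row is dropped and the search is empty, which is the behaviour the question asks for. The final `stats` and `sort` keep the top five NATCO values by distinct host count. The same pattern applies to the first search: replace the NATCO `eval` with the `rex "Model=(?<model>.*)"` extraction and group by `model` (matching the case of the extracted field).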