Error in User input for dashboard to check a speci...

codywsj · ‎06-30-2020

Hi, i am having an error of getting this user input for a drop-down to work where i am unable to find any errors within my code. Can somebody help me for this error?

This is the error i am getting.

This is my search query

(sourcetype="windows event logs" OR sourcetype="General-linux-sql.log" OR sourcetype="csv")
| eval spec_IP=case ([|search sourcetype="General-linux-sql.log"],
[| rex field=_raw "\[(?<IP_addr>\d+.\d+.\d+.\d+)\]"],
[| search sourcetype="csv"],
[| rex field=_raw ",(?<src_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}),\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3},,,"],
[| search sourcetype="windows event logs"],
[| search *"Account Locked"*
| rex field=_raw "\[(?<acc_ip>\d+.\d+.\d+.\d+)\]"]
)
| stats count by Specific_IP

richgalloway · ‎06-30-2020

That error can happen if one or more of the subsearches returns no results. Check each subsearch to make sure it works by itself - I am suspicious of the "| rex ... " subsearches. Remember that subsearches execute before the main search so they must be valid stand-alone searches.

---
If this reply helps you, Karma would be appreciated.

Error in User input for dashboard to check a specific IP

drilldown

form

other

token

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!