Search seems to contain incompatible fields

jerbo77
Explorer

Good day all,
This is my first post, so please bear with me.
I am working on a search for the Netskope CASB product.

index=test user=johndoe
| stats count by app, activity, action, alert_name, alert_type, site, _time
| sort _time

My search seems to contain incompatible fields: action=allow and the fields alert_name and alert_type.
For the "action" field the values will be one of (allow, block, alert).

The allow action will never have an "alert_name" or "alert_type" associated with it, but I need to see those values for when the action is "alert" or "block".
With my current search above I only see action=block and action=alert, never any action=allow.

I want to be able to see action=allow, and if action=block I want to see "alert_name" and "alert_type";
if action=allow, then "alert_name" and "alert_type" will have empty values.

I am really hoping I made sense here 🙂

Thanks and have a great day!

😉

1 Solution

jerbo77
Explorer

Thank you.

I tried the below search

index=test user=johndoe* action=*
| fillnull alert_type, alert_name value="N/A"
| stats count by app, activity, action, alert_name, alert_type, site, _time
| sort _time

I tried shifting the fillnull around to no effect. On the events page I see the allows, but in the statistics it is still not showing up. See attached images. It is a bit baffling to me.

Thanks!


0 Karma

ITWhisperer
SplunkTrust
| fillnull value="N/A" alert_type alert_name
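The mechanism behind this thread is worth seeing end to end: `stats count by` only groups an event that has a value for every split-by field, so the allow events, which carry no alert_name or alert_type, never reach the statistics table at all, while they still appear on the events tab. A `fillnull` that runs before `stats` and covers every field the allow events lack restores them; a `fillnull` that misses one of those fields, or that runs after `stats`, does not. The following is an added example, written in plain Python for this page rather than SPL from the posts above or code from Splunk or Netskope. The functions `stats_count_by` and `fillnull` are simplified models of the SPL commands (not Splunk's implementation), and the events are constructed in the shape of the fields named in the thread.

```python
"""Model of why `| stats count by ...` hides action=allow events and how `fillnull` fixes it.

Added illustration for this thread, written in plain Python; it is not Splunk code.
The two functions below are simplified models of the SPL commands:
  * stats_count_by: like `stats count by f1 f2 ...`, an event that has no value for
    ANY of the split-by fields is excluded from the result.
  * fillnull: like `fillnull value="N/A" f1 f2`, supplies a value where a field is absent.
"""
from collections import Counter

# Constructed sample events in the shape of the Netskope fields from the thread
# (not real Netskope data). allow events carry no alert_name/alert_type.
EVENTS = [
    {"_time": "2024-05-01T10:00:00", "app": "Box", "activity": "Upload",
     "action": "allow", "site": "box.com"},
    {"_time": "2024-05-01T10:01:00", "app": "Box", "activity": "Upload",
     "action": "block", "alert_name": "DLP-PII", "alert_type": "dlp", "site": "box.com"},
    {"_time": "2024-05-01T10:02:00", "app": "Gmail", "activity": "Send",
     "action": "alert", "alert_name": "Anomalous-Upload", "alert_type": "anomaly",
     "site": "mail.google.com"},
    {"_time": "2024-05-01T10:03:00", "app": "Dropbox", "activity": "Download",
     "action": "allow", "site": "dropbox.com"},
]

# The split-by list from the original search.
BY_FIELDS = ("app", "activity", "action", "alert_name", "alert_type", "site", "_time")


def stats_count_by(events, by_fields=BY_FIELDS):
    """`| stats count by <by_fields> | sort _time`.

    Splunk only groups an event when every split-by field has a value, so an
    event with a null by-field is silently dropped here.
    """
    counts = Counter()
    for ev in events:
        if any(ev.get(f) is None for f in by_fields):
            continue  # no alert_name/alert_type -> the allow event never reaches the table
        counts[tuple(ev[f] for f in by_fields)] += 1
    rows = [dict(zip(by_fields, key), count=n) for key, n in counts.items()]
    return sorted(rows, key=lambda r: r["_time"])


def fillnull(events, value, fields):
    """`| fillnull value=<value> <fields>`: give each listed field a value where it is missing."""
    return [{**ev, **{f: value for f in fields if ev.get(f) is None}} for ev in events]


def actions_seen(rows):
    """Distinct values of the action column in a result table, sorted."""
    return sorted({r["action"] for r in rows})


def search_without_fillnull(events=EVENTS):
    """The original search: stats straight over the raw events."""
    return stats_count_by(events)


def search_with_fillnull(events=EVENTS, fields=("alert_name", "alert_type")):
    """fillnull placed BEFORE stats, covering the fields that allow events lack."""
    return stats_count_by(fillnull(events, "N/A", fields))


def search_fillnull_after_stats(events=EVENTS, fields=("alert_name", "alert_type")):
    """fillnull placed AFTER stats: too late, the allow events are already gone."""
    return fillnull(stats_count_by(events), "N/A", fields)


if __name__ == "__main__":
    for label, rows in (
        ("stats only", search_without_fillnull()),
        ("fillnull both fields, then stats", search_with_fillnull()),
        ("fillnull alert_name only, then stats", search_with_fillnull(fields=("alert_name",))),
        ("stats, then fillnull", search_fillnull_after_stats()),
    ):
        print(f"{label:40s} rows={len(rows)} actions={actions_seen(rows)}")
```

Running the script prints four result tables: only the `fillnull` that covers both alert fields and sits before `stats` yields rows for all three actions, with "N/A" in the alert columns of the allow rows. The two failure runs mirror what a search can silently do in practice: any by-field left null after `fillnull`, or a `fillnull` placed after `stats`, still drops the allow events. In SPL itself the `fillnull` field list is space-delimited, exactly as in the one-line reply above, so the field names should be written without commas.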


ITWhisperer
SplunkTrust

Your image only shows the first 3 columns. What is to the right? Also, you are showing that there are 3 values for alert_type and alert_name. What values do you have there?

0 Karma

jerbo77
Explorer

There are six alert_type values so far and numerous alert_name values.

Thanks!

0 Karma