Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

data models deliver wrong values

denis_roehr
Explorer
‎03-10-2016 06:47 AM

Hi,

I deal with data models for a couple of days and i have trouble with different values.
My query delivers the value "3252" for all active users. 

index=msad admonEventType!=Schema admonEventType!=Start sourcetype=ActiveDirectory  | dedup objectGUID |  regex objectClass="(?i)\|user$"  |  search (userAccountControl="512" OR userAccountControl="66048" OR userAccountControl="66080") | search admonEventType!="Deleted" | stats count

The data model with pivot returns "3312" active Users?! 

| pivot ROOT AD_Object_Management splitrow objectGUID splitrow userAccountControl splitrow admonEventType splitrow objectClass  | dedup objectGUID | regex objectClass="(?i)\|user$" | search (userAccountControl="512" OR userAccountControl="66048" OR userAccountControl="66080") | stats count(objectGUID)

AD_Object_Management contains only this:

index=msad admonEventType!=Schema admonEventType!=Start sourcetype=ActiveDirectory

what do I make wrong?

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

denis_roehr
Explorer
‎03-15-2016 12:22 AM

I have found a solution. The data models have a problem with the deduplication of the GUIDs. I have tried out different things and have reached the following knowledge. Root Events do not seem to be suitable for such queries.

| pivot model splitrow objectGUID | dedup objectGUID    or    | pivot model splitrow objectGUID | stats latest(*) AS * by objectGUID    or    | pivot model splitrow objectGUID | stats first(*) AS * by objectGUID

Different admonEventTypes in active directory (Sync, Update, Deleted, Start, Schema). The deduplication of the objectGUID does not process these dependences correctly, because deleted objects are nevertheless displayed in the result.
I have added a Root Search to data model and now we have the correctly results.

here my is my root search code:

index=msad sourcetype=ActiveDirectory | regex objectClass="(?i)\|user$" | stats latest(*) AS * by objectGUID | search admonEventType!=Deleted

Now only the last admonEventTypes per objectGUID is in the result.

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

denis_roehr
Explorer
‎03-15-2016 12:22 AM

I have found a solution. The data models have a problem with the deduplication of the GUIDs. I have tried out different things and have reached the following knowledge. Root Events do not seem to be suitable for such queries.

| pivot model splitrow objectGUID | dedup objectGUID    or    | pivot model splitrow objectGUID | stats latest(*) AS * by objectGUID    or    | pivot model splitrow objectGUID | stats first(*) AS * by objectGUID

Different admonEventTypes in active directory (Sync, Update, Deleted, Start, Schema). The deduplication of the objectGUID does not process these dependences correctly, because deleted objects are nevertheless displayed in the result.
I have added a Root Search to data model and now we have the correctly results.

here my is my root search code:

index=msad sourcetype=ActiveDirectory | regex objectClass="(?i)\|user$" | stats latest(*) AS * by objectGUID | search admonEventType!=Deleted

Now only the last admonEventTypes per objectGUID is in the result.

Thanks

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-10-2016 02:51 PM

Your non-pivot query has an extra search admonEventType!="Deleted", that might drop those 60 users?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-11-2016 03:34 PM

There's also a difference of stats count vs stats count(objectGUID).

0 Karma
Reply
Solved! Jump to solution

denis_roehr
Explorer
‎03-14-2016 12:21 AM

excuse the delayed answer. I will test this and the results item sometime.

0 Karma
Reply
Solved! Jump to solution

denis_roehr
Explorer
‎03-11-2016 01:11 AM

Thanks but...

The search search admonEventType!="Deleted" has no effect on the return value .

0 Karma
Reply
Solved! Jump to solution

denis_roehr
Explorer
‎03-10-2016 10:24 PM

Thank you for your remark.
this attribute the difference remains like whether with or without. Gives unusual features still question it at pivot?

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...