Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query / search string is not giving results

utkarsh
Explorer
‎04-22-2021 12:20 AM

Hello everyone,

I am getting event data inside my splunk.  I want to query data ( logins by country) on splunk search, I am using following search string :

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin Country="United States" | rename ipaddr AS IP_ADDR | iplocation IP_ADDR | dedup id

but it is not returning me any results. Why it is so?

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aasabatini
Motivator
‎04-22-2021 12:32 AM

Hi @utkarsh 

first try to check if you have event on  your index

index = onelogin

Also check your timerange  if you see any events.

after this check try to add eventtype

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin Country="United States"

and check if your subset of data return

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

Reply
Solved! Jump to solution
Solution

aasabatini
Motivator
‎04-22-2021 12:32 AM

Hi @utkarsh 

first try to check if you have event on  your index

index = onelogin

Also check your timerange  if you see any events.

after this check try to add eventtype

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin Country="United States"

and check if your subset of data return

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply
Solved! Jump to solution

utkarsh
Explorer
‎04-22-2021 04:58 AM

Hi @aasabatini 

For the same search string if I remove the Country field it is giving me data. But I want to filter the data by country. FYI Country field is coming while I am using iplocation in my search string. Any Idea on this?

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

aasabatini
Motivator
‎04-22-2021 05:00 AM

Hi @utkarsh 

in this case try this:

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin  | rename ipaddr AS IP_ADDR | iplocation IP_ADDR | search country="United States" | dedup id

 

the iplocation lookup enrich your data with country field only when you use the iplocation comand and you need to put the condition after that comand.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Solved! Jump to solution

utkarsh
Explorer
‎04-22-2021 05:42 AM

It works !!  Thanx for the help

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...