Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query / search string is not giving results

utkarsh
Explorer
‎04-22-2021 12:20 AM

Hello everyone,

I am getting event data inside my splunk.  I want to query data ( logins by country) on splunk search, I am using following search string :

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin Country="United States" | rename ipaddr AS IP_ADDR | iplocation IP_ADDR | dedup id

but it is not returning me any results. Why it is so?

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aasabatini
Motivator
‎04-22-2021 12:32 AM

Hi @utkarsh 

first try to check if you have event on  your index

index = onelogin

Also check your timerange  if you see any events.

after this check try to add eventtype

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin Country="United States"

and check if your subset of data return

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

Reply
Solved! Jump to solution
Solution

aasabatini
Motivator
‎04-22-2021 12:32 AM

Hi @utkarsh 

first try to check if you have event on  your index

index = onelogin

Also check your timerange  if you see any events.

after this check try to add eventtype

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin Country="United States"

and check if your subset of data return

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply
Solved! Jump to solution

utkarsh
Explorer
‎04-22-2021 04:58 AM

Hi @aasabatini 

For the same search string if I remove the Country field it is giving me data. But I want to filter the data by country. FYI Country field is coming while I am using iplocation in my search string. Any Idea on this?

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

aasabatini
Motivator
‎04-22-2021 05:00 AM

Hi @utkarsh 

in this case try this:

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin  | rename ipaddr AS IP_ADDR | iplocation IP_ADDR | search country="United States" | dedup id

 

the iplocation lookup enrich your data with country field only when you use the iplocation comand and you need to put the condition after that comand.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Solved! Jump to solution

utkarsh
Explorer
‎04-22-2021 05:42 AM

It works !!  Thanx for the help

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...