Hello everyone,
I am getting event data inside my Splunk. I want to query data (logins by country) in Splunk search. I am using the following search string:
index = onelogin eventtype = onelogin_event_user_logged_into_onelogin Country="United States" | rename ipaddr AS IP_ADDR | iplocation IP_ADDR | dedup id
but it is not returning any results. Why is it so?
Hi @utkarsh
First, try to check if you have events on your index:
index = onelogin
Also check your time range to see if there are any events.
After this check, try to add the eventtype:
index = onelogin eventtype = onelogin_event_user_logged_into_onelogin Country="United States"
and check if your subset of data returns.
Hi @aasabatini
For the same search string, if I remove the Country field it gives me data. But I want to filter the data by country. FYI, the Country field appears while I am using iplocation in my search string. Any idea on this?
Hi @utkarsh
In this case, try this:
index = onelogin eventtype = onelogin_event_user_logged_into_onelogin | rename ipaddr AS IP_ADDR | iplocation IP_ADDR | search country="United States" | dedup id
The iplocation lookup enriches your data with the Country field only when you use the iplocation command, so you need to put the condition after that command.
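To make the ordering point concrete, here is an added Python simulation of the two pipelines discussed above. It is not code from this thread and not Splunk's implementation: the events, IP addresses (documentation ranges) and the geo lookup table are all constructed, and `iplocation`, `search`, `rename` and `dedup` are small stand-ins for the SPL commands of the same name. The only behaviour it relies on is the one the answer states: an event only carries a Country field once the enrichment step has run, and a field=value filter cannot match an event that lacks the field.

```python
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample login events (not real OneLogin data). The duplicate
# "e1" row stands in for the repeated events that `dedup id` collapses.
EVENTS: List[Event] = [
    {"id": "e1", "user": "alice", "ipaddr": "192.0.2.10"},
    {"id": "e1", "user": "alice", "ipaddr": "192.0.2.10"},
    {"id": "e2", "user": "bob",   "ipaddr": "198.51.100.7"},
    {"id": "e3", "user": "carol", "ipaddr": "203.0.113.5"},
    {"id": "e4", "user": "dave",  "ipaddr": "203.0.113.99"},  # not in lookup
]

# Constructed stand-in for the iplocation geo database (hypothetical values).
GEO_LOOKUP: Dict[str, str] = {
    "192.0.2.10": "United States",
    "198.51.100.7": "Germany",
    "203.0.113.5": "United States",
}


def rename(events: List[Event], old: str, new: str) -> List[Event]:
    """Mimic `| rename old AS new`."""
    out = []
    for ev in events:
        ev = dict(ev)
        if old in ev:
            ev[new] = ev.pop(old)
        out.append(ev)
    return out


def iplocation(events: List[Event], ip_field: str) -> List[Event]:
    """Mimic `| iplocation <field>`: add Country from the lookup.

    Events whose IP is not in the lookup simply get no Country field,
    which is why a later filter on Country silently drops them.
    """
    out = []
    for ev in events:
        ev = dict(ev)
        country = GEO_LOOKUP.get(ev.get(ip_field, ""))
        if country is not None:
            ev["Country"] = country
        out.append(ev)
    return out


def search(events: List[Event], **conditions: str) -> List[Event]:
    """Mimic a field=value filter; a missing field never matches."""
    return [ev for ev in events
            if all(ev.get(k) == v for k, v in conditions.items())]


def dedup(events: List[Event], field: str) -> List[Event]:
    """Mimic `| dedup <field>`: keep the first event per field value."""
    seen = set()
    out = []
    for ev in events:
        if ev[field] not in seen:
            seen.add(ev[field])
            out.append(ev)
    return out


def filter_before_enrichment() -> List[Event]:
    """The original search: Country="United States" sits in the base
    search, i.e. before iplocation has added the field."""
    base = search(EVENTS, Country="United States")
    return dedup(iplocation(rename(base, "ipaddr", "IP_ADDR"), "IP_ADDR"), "id")


def filter_after_enrichment() -> List[Event]:
    """The corrected search: the condition follows the iplocation command."""
    enriched = iplocation(rename(EVENTS, "ipaddr", "IP_ADDR"), "IP_ADDR")
    return dedup(search(enriched, Country="United States"), "id")


if __name__ == "__main__":
    print("filter before iplocation:", filter_before_enrichment())
    print("filter after iplocation: ", filter_after_enrichment())
```

Running the block shows the base-search version returning nothing at all, while the reordered pipeline returns one event each for the two US logins. The same simulation also illustrates a second thing to check when a count looks low: logins from an IP the geo lookup does not know (the "e4" row) never receive a Country field and so are excluded from any country filter, rather than being reported under an "unknown" bucket.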
It works!! Thanks for the help.