Splunk Enterprise

Query / search string is not giving results

utkarsh
Explorer

Hello everyone,

I am getting event data into my Splunk. I want to query data (logins by country) in Splunk search; I am using the following search string:

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin Country="United States" | rename ipaddr AS IP_ADDR | iplocation IP_ADDR | dedup id

but it is not returning any results. Why is that?

aasabatini
Motivator

Hi @utkarsh 

First, check whether you have events in your index:

index = onelogin 

Also check your time range to see whether any events appear.

After this check, try adding the eventtype:

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin Country="United States" 

and check whether your subset of data is returned.

 

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

utkarsh
Explorer

Hi @aasabatini 

For the same search string, if I remove the Country field it gives me data. But I want to filter the data by country. FYI, the Country field comes from using iplocation in my search string. Any idea on this?

 


aasabatini
Motivator

Hi @utkarsh 

In this case, try this:

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin  | rename ipaddr AS IP_ADDR | iplocation IP_ADDR | search country="United States" | dedup id

 

The iplocation lookup enriches your data with the Country field only when you use the iplocation command, and you need to put the condition after that command.

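The ordering rule in the answer above applies to any field that a search-time command creates: the filter has to sit downstream of the command that produces the field, because the base search only sees indexed and extracted fields. As an added example (not code from the original thread), here is a diagnostic query followed by the working query, assuming the same onelogin index, eventtype, ipaddr and id fields as the question. City, Region and Country are the field names iplocation writes (Country with a capital C), and the "(no geo match)" label is an assumed placeholder for addresses the bundled GeoIP database cannot resolve, such as private RFC 1918 ranges or loopback.

```spl
index=onelogin eventtype=onelogin_event_user_logged_into_onelogin
| rename ipaddr AS IP_ADDR
| iplocation IP_ADDR
| fillnull value="(no geo match)" Country
| stats count AS logins dc(id) AS distinct_events by Country
| sort - logins

index=onelogin eventtype=onelogin_event_user_logged_into_onelogin
| rename ipaddr AS IP_ADDR
| iplocation IP_ADDR
| search Country="United States"
| dedup id
| table _time, id, IP_ADDR, City, Region, Country
```

Run the first query before filtering: it shows exactly which Country values iplocation produced for the time range, including the unresolved bucket, so an empty result from the second query can be traced to a lookup miss or a value spelled differently (for example "United States" versus a country code) rather than to a query-order problem. Because the filter in the second query runs after enrichment, events whose IP_ADDR has no GeoIP match are silently dropped; if those matter for a login-monitoring use case (internal addresses, VPN egress, proxies), keep the fillnull step and filter on the placeholder value separately. GeoIP country is an approximation of where a session originated, not of who the user is, so treat it as an investigative lead rather than a sole control.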

utkarsh
Explorer

It works!! Thanks for the help
