Splunk Enterprise

Query / search string is not giving results

utkarsh
Explorer

Hello everyone,

I am getting event data inside my Splunk. I want to query data (logins by country) in Splunk search. I am using the following search string:

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin Country="United States" | rename ipaddr AS IP_ADDR | iplocation IP_ADDR | dedup id

but it is not returning any results. Why is that so?

1 Solution

aasabatini
Builder

Hi @utkarsh 

First, try to check if you have events in your index:

index = onelogin 

Also check your time range if you see any events.

After this check, try to add the eventtype:

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin Country="United States" 

and check if your subset of data returns.


utkarsh
Explorer

Hi @aasabatini 

For the same search string, if I remove the Country field it is giving me data. But I want to filter the data by country. FYI, the Country field is coming while I am using iplocation in my search string. Any idea on this?


aasabatini
Builder

Hi @utkarsh 

In this case, try this:

index = onelogin eventtype = onelogin_event_user_logged_into_onelogin  | rename ipaddr AS IP_ADDR | iplocation IP_ADDR | search country="United States" | dedup id


The iplocation lookup enriches your data with the country field only when you use the iplocation command, and you need to put the condition after that command.

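The ordering point in the answer above, shown as an added example that is not part of the original thread: a small Python model of how a Splunk search pipeline evaluates commands left to right. The events and the IP-to-country table are constructed sample data (the IP addresses are documentation ranges, not real geolocation), and the `search`, `rename`, `iplocation` and `dedup` functions are simplified stand-ins for the real SPL commands. `original_query` puts the `Country` condition in the base search, before `iplocation` has created the field, so nothing matches; `corrected_query` filters with `| search` after the enrichment, which is the form that worked.

```python
# Added example (not from the original thread): models why a filter on Country
# before `iplocation` returns nothing, while the same filter after it works.
# Events and the GeoIP table below are constructed sample data.

from typing import Dict, List

# Constructed sample events, shaped like the fields used in the thread
EVENTS: List[Dict[str, str]] = [
    {"id": "1", "eventtype": "onelogin_event_user_logged_into_onelogin", "ipaddr": "198.51.100.10"},
    {"id": "2", "eventtype": "onelogin_event_user_logged_into_onelogin", "ipaddr": "203.0.113.7"},
    {"id": "1", "eventtype": "onelogin_event_user_logged_into_onelogin", "ipaddr": "198.51.100.10"},  # duplicate id
    {"id": "3", "eventtype": "onelogin_event_other", "ipaddr": "198.51.100.22"},
]

# Constructed stand-in for the GeoIP database that `iplocation` consults
GEO_TABLE: Dict[str, str] = {
    "198.51.100.10": "United States",
    "198.51.100.22": "United States",
    "203.0.113.7": "Germany",
}


def search(events: List[Dict[str, str]], **terms: str) -> List[Dict[str, str]]:
    """Model of a search term: an event matches only if the field already exists with that value."""
    return [e for e in events if all(e.get(k) == v for k, v in terms.items())]


def rename(events: List[Dict[str, str]], old: str, new: str) -> List[Dict[str, str]]:
    """Model of `rename old AS new`."""
    out = []
    for e in events:
        e = dict(e)
        if old in e:
            e[new] = e.pop(old)
        out.append(e)
    return out


def iplocation(events: List[Dict[str, str]], field: str) -> List[Dict[str, str]]:
    """Model of `iplocation <field>`: adds a Country field from the lookup table."""
    out = []
    for e in events:
        e = dict(e)
        country = GEO_TABLE.get(e.get(field, ""))
        if country is not None:
            e["Country"] = country
        out.append(e)
    return out


def dedup(events: List[Dict[str, str]], field: str) -> List[Dict[str, str]]:
    """Model of `dedup <field>`: keeps the first event seen for each value."""
    seen = set()
    out = []
    for e in events:
        if e.get(field) not in seen:
            seen.add(e.get(field))
            out.append(e)
    return out


def original_query(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    # Country is filtered in the base search, before iplocation has created the field
    r = search(events, eventtype="onelogin_event_user_logged_into_onelogin", Country="United States")
    r = rename(r, "ipaddr", "IP_ADDR")
    r = iplocation(r, "IP_ADDR")
    return dedup(r, "id")


def corrected_query(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    # Country is filtered with `| search` after iplocation has enriched the events
    r = search(events, eventtype="onelogin_event_user_logged_into_onelogin")
    r = rename(r, "ipaddr", "IP_ADDR")
    r = iplocation(r, "IP_ADDR")
    r = search(r, Country="United States")
    return dedup(r, "id")


if __name__ == "__main__":
    print("original :", original_query(EVENTS))                      # []
    print("corrected:", [e["id"] for e in corrected_query(EVENTS)])  # ['1']
```

The same ordering rule applies to any field that a streaming command creates later in the pipeline (`lookup`, `eval`, `rex`): a condition in the base search can only match fields that exist at index or search time, so filter on derived fields after the command that derives them.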

utkarsh
Explorer

It works!! Thanks for the help.
