I am trying to write a splunk search to pull what rules a particular user is hitting. This search is helping with that BUT everything is coming through as a urlrulelabel. When I move apprulelabel to the start of the line, everything comes through as an apprulelabel.
When I dive into the events, I see there are other rules showing, but they aren't populating in the statistics table.
I would like to have each rule come through as its own.
index=zscaler sourcetype=zscalernss-web user=*
| eval rule_type=case(isnotnull(urlrulelabel), "urlurlelabel", isnotnull(apprulelabel), "apprulelabel", isnotnull(rulelabel), "rulelabel", true(), "unknown")
| eval rule=coalesce(apprulelabel, urlrulelabel, rulelabel)
| stats count by rule, rule_type
| rename rule as Rule, rule_type as "Type of Rule", count as "Hit Count"
| sort - "Hit Count"
Thank you in advance
Here is a picture of my results. Hoping to get some help with having the second column populate urlrulelabel, apprulelabel, and rulelabel policies rather than just one.
As @yuanliu says, you will have a much better chance of getting a useful answer if you follow some simple guidelines.
It is not possible to tell from what you have posted so far what your events actually look like (or a close anonymised representation of them), nor what it is you are trying to determine from your search.
For example, do all the rule fields have either "None" or a rule name in? If so, isnotnull() will always return true, hence all your rules are coming through as "urlurlelabel" (should this be "urlrulelabel"?)
Can there be more than one rule label you are interested in for an event, or does apprulelabel always take precedence, even if it is "None", which is what your search is doing, hence the high count for "None"?
Please provide more relevant information (if you would like more help).
You'll have a much better chance of getting real help if you really follow this formula for an answerable question:
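As an added example (not part of the original question or either reply), here is one way to count every rule label on an event as its own row instead of letting coalesce() pick a single one. It assumes, as the reply above suspects, that a rule field holds the literal string "None" when no rule of that type matched, so isnotnull() alone cannot tell "no rule" from "a rule"; the "|" separator and the rule_pair field name are just choices made for this example.

```spl
index=zscaler sourcetype=zscalernss-web user=*
| foreach urlrulelabel apprulelabel rulelabel
    [ eval <<FIELD>>=if('<<FIELD>>'="None" OR '<<FIELD>>'="", null(), '<<FIELD>>') ]
| eval rule_pair=mvappend(
      if(isnotnull(urlrulelabel), "urlrulelabel|".urlrulelabel, null()),
      if(isnotnull(apprulelabel), "apprulelabel|".apprulelabel, null()),
      if(isnotnull(rulelabel),    "rulelabel|".rulelabel,       null()))
| eval rule_pair=if(isnull(rule_pair), "unknown|unknown", rule_pair)
| mvexpand rule_pair
| rex field=rule_pair "^(?<rule_type>[^|]+)\|(?<rule>.*)$"
| stats count by rule_type rule
| rename rule as Rule, rule_type as "Type of Rule", count as "Hit Count"
| sort - "Hit Count"
```

The foreach step turns "None" and empty strings into real nulls, so an event that matched both a URL rule and an app rule produces two rows after mvexpand, and an event with no rule at all is still counted once under "unknown" as in the original search.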