Splunk Search

Create a search or subsearch to return 0 results


Hello All,

Thanks for a great resource for Splunk and searches

I am using the linux_secure sourcetype.

I have a search that returns a value if a field (src) is longer than 1.

If src is longer than 1, a user has logged in to a host from a "remote" host, aka a host without a Splunk universal forwarder installed.

When the user logs off the host with a forwarder, I want my base search to return 0 results, or make the table disappear (using Dashboard Studio). I detect the ssh_open or ssh_close in this search.

Here is the search I am working with:

sourcetype=linux_secure user=*
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| rex "(?P<Status>(?<=session)\s\w+)"
| eval Action=case(Status=" opened","Online",Status=" closed","Off")
| eval Action=if(len(src)>1,"Login from Remote",Action)
| eval Action=if(len(src)=0,"Logged Off",Action)| sort - Date
| table Date, host,src,Action

My time range is 15 min. In a nutshell, I want "Remote" to show when src is there, and then zero results when the "Off" Action or the src length is 0, etc.


Any suggestions will help,

Thank you very much,







You didn't say whether you get the results you wanted with the sample code or, if there is a result, why the actual result does not meet your need (and what the expected output is). Taking a blind shot, I do see some problems in the code: if you reassign a variable (field), the end result will be the last assigned value. A second problem could be the use of "if a field (src) is longer than 1" as a criterion. What is the value of src if the user logs in from a server with a universal forwarder?

Regardless, the answer to not show a record seems to be just a where away.

sourcetype=linux_secure user=*
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| rex "(?P<Status>(?<=session)\s\w+)" ``` not sure why you want to include a space in Status but let's go with it ```
| where len(src) > 0 ``` assume len is the correct criterium ``` AND Status == " opened"
| sort - Date
| eval Action = "Login from Remote" ```  there is no other value after filter ```
| table Date, host,src,Action
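To make the two points in this answer concrete (the last eval assignment wins, and a where clause is what drops rows so the table can end up empty), here is an added Python model of both searches run over constructed events. It is not SPL and not from the thread; the events, hosts and addresses are made up, Splunk's own src extraction is not reproduced, and an absent src is assumed to be an empty string.

```python
import re
from datetime import datetime, timezone

# Constructed events shaped like linux_secure output (hypothetical hosts/addresses).
# src is assumed empty when the login did not come from a remote address.
EVENTS = [
    {"_time": 1700000000, "host": "web01", "src": "10.0.0.5",
     "_raw": "pam_unix(sshd:session): session opened for user alice"},
    {"_time": 1700000060, "host": "web01", "src": "",
     "_raw": "pam_unix(sshd:session): session closed for user alice"},
    {"_time": 1700000120, "host": "db01", "src": "",
     "_raw": "pam_unix(sshd:session): session opened for user bob"},
]

# Same capture as the rex in the thread: the word after "session", leading space kept.
STATUS_RE = re.compile(r"(?<=session)(\s\w+)")


def original_chain(event):
    """Mimic the question's three eval statements.  Each eval overwrites Action,
    so a later branch that matches replaces whatever an earlier one set."""
    m = STATUS_RE.search(event["_raw"])
    status = m.group(1) if m else None
    action = {" opened": "Online", " closed": "Off"}.get(status)
    if len(event["src"]) > 1:
        action = "Login from Remote"
    if len(event["src"]) == 0:          # this runs last, so it wins for every local event
        action = "Logged Off"
    return action


def filtered_search(events):
    """Mimic the answer: where len(src) > 0 AND Status == " opened" keeps only
    remote session-open events; everything else is dropped, so the result can be
    zero rows instead of a row labelled Off/Logged Off."""
    rows = []
    for e in events:
        m = STATUS_RE.search(e["_raw"])
        if len(e["src"]) > 0 and m and m.group(1) == " opened":
            date = datetime.fromtimestamp(e["_time"], tz=timezone.utc)
            rows.append({"Date": date.strftime("%Y-%m-%d %H:%M:%S"),
                         "host": e["host"], "src": e["src"],
                         "Action": "Login from Remote"})
    rows.sort(key=lambda r: r["Date"], reverse=True)   # sort - Date
    return rows
```

Running `original_chain` on the local "session opened" event shows why the question's table never empties: the row survives, just relabelled by the last eval, whereas `filtered_search` on the same window returns an empty list.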