Splunk Search

Create a search or subsearch to return 0 results

eholz1
Builder

Hello All,

Thanks for a great resource for Splunk and searches

I am using the linux_secure sourcetype.

I have a search that returns a value if a field (src) is longer than 1

If src is longer than 1, a user has logged in to a host from a "remote" host, aka a host without a Splunk universal forwarder installed.

When the user logs off the host with a forwarder, I want my base search to return 0 results, or make the table disappear (using Dashboard Studio). I detect the ssh_open or ssh_close in this search.

Here is the search I am working with:

sourcetype=linux_secure user=*
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| rex "(?P<Status>(?<=session)\s\w+)" ``` Status becomes " opened" or " closed", leading space included ```
| eval Action=case(Status=" opened","Online",Status=" closed","Off")
| eval Action=if(len(src)>1,"Login from Remote",Action) ``` replaces the value above whenever src is present, including on " closed" events ```
| eval Action=if(len(src)=0,"Logged Off",Action) ``` len(src) is null, not 0, when src is absent, so this branch does not fire ```
| sort - Date
| table Date, host,src,Action

My time range is 15 min. In a nutshell, I want "Remote" to show when src is there, and then zero results when the "Off" Action or the src length is 0, etc.

Any suggestions will help,

Thank you very much,

eholz1


yuanliu
SplunkTrust

You didn't say whether you get the results you wanted with the sample code or, if there is a result, why the actual result does not meet your need. (And what is the expected output?) Taking a blind shot, I do see some problems in the code - if you reassign a variable (field), the end result will be the last assigned value. A second problem could be the use of "if a field (src) is longer than 1" as a criterion. What is the value of src if the user logs in from a server with a universal forwarder?

Regardless, the answer to not show a record seems to be just a where away.

sourcetype=linux_secure user=*
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| rex "(?P<Status>(?<=session)\s\w+)" ``` not sure why you want to include a space in Status but let's go with it ```
| where len(src) > 0 AND Status == " opened" ``` assume len is the correct criterion ```
| sort - Date
| eval Action = "Login from Remote" ``` there is no other value after the filter ```
| table Date, host,src,Action
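To see both points of the answer on data you can paste into any search bar, here is an added example (not from either post). It builds three linux_secure-style events with makeresults, runs the original eval chain over them, and then applies the where filter from the answer. The src values are set directly by eval, which is an assumption standing in for the sourcetype's own field extraction, and the host name, user and IP are made up:

```spl
| makeresults count=3
| streamstats count AS n
| eval _time=_time - (3 - n) * 60, host="web01"
| eval _raw=case(n=1, "pam_unix(sshd:session): session opened for user alice by (uid=0)",
                 n=2, "pam_unix(sshd:session): session closed for user alice",
                 n=3, "pam_unix(sshd:session): session closed for user alice") ``` constructed events: one session open, two session closes ```
| eval src=case(n=1, "10.1.2.3", n=2, "10.1.2.3") ``` assumption: events 1 and 2 carry a remote src, event 3 (a forwarder host) has none, so src is null there ```
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| rex "(?P<Status>(?<=session)\s\w+)" ``` same extraction as the question, leading space kept ```
| eval Action=case(Status=" opened","Online", Status=" closed","Off") ``` the original chain: each eval Action=... replaces the value set by the one before it ```
| eval Action=if(len(src)>1,"Login from Remote",Action)
| eval Action=if(len(src)=0,"Logged Off",Action) ``` len(src) is null on event 3, so this never assigns "Logged Off" ```
| where len(src) > 0 AND Status == " opened" ``` the answer's filter: keep only opens that have a src ```
| table Date, host, src, Status, Action
```

Run as written, only event 1 comes back. Delete the where line and all three events are shown: event 2, a session close, is labelled "Login from Remote" because the second eval ran after the case() and overwrote "Off", and event 3 stays "Off" because len() of a null src is null rather than 0. Change the src case() so that no event gets a value and the search returns zero rows, which is the empty result the dashboard table needs once the remote session has closed.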