Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Data Extraction in Search Form

twgtech
New Member
‎10-05-2010 05:50 PM

Here is what I have - 

2010-10-05T12:37:55-05:00 xxx.xxx.xxx.xxx [lpr.info] SERVERNAME: Scan ID: 1283612407,Begin: 2010-09-04 15:00:03,End: 2010-09-04,Completed,Duration (seconds): 196,User1: username,User2: username,"Scan started on selected drives and folders and all extensions.","Scan Complete: Risks: 0 Scanned: 1012 Files/Folders/Drives Omitted: 0",Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1012,Omitted: 0,Computer: computername,IP Address: xxx.xxx.xxx.xxx,Domain: domainname,Server: servername

I want to run a query where Risks, Threats, or Infected are greater than 0.

(Scan Complete:) AND (Risks: <0) OR (Threats: <0) OR (Infected: <0)

The problem I'm having is that I do not know how to get "<0" into the query.

Any assistance is much appreciated.

Tags (1)
0 Karma
Reply

twgtech
New Member
‎10-05-2010 06:29 PM

Yeah, I saw that after I posted. Total typo on my part.

0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎10-05-2010 06:02 PM

also since you want greater then zero you want foo>0

0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎10-05-2010 06:02 PM

Do these fields get extracted? Scan Complete, Risks, Threats, Infected? If yes you can try: Try: 

<your search> | WHERE Risks > 0 AND Infected > 0 ...etc..

If these fields do not get extracted then you can try something like: 

<your search> NOT ("Scan Complete:" OR "Risks: 0") ..etc...

Hope this helped.

0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎10-05-2010 06:44 PM

Yay! 😉 - You're welcome!

0 Karma
Reply

twgtech
New Member
‎10-05-2010 06:16 PM

They do not get extracted, so using -

"Scan Complete:" NOT ("Risks: 0" OR "Threats: 0" OR "Infected: 0")

Gave me just what I was looking for.

Much appreciated, Genti.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top