Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Data Extraction in Search Form

twgtech
New Member
‎10-05-2010 05:50 PM

Here is what I have - 

2010-10-05T12:37:55-05:00 xxx.xxx.xxx.xxx [lpr.info] SERVERNAME: Scan ID: 1283612407,Begin: 2010-09-04 15:00:03,End: 2010-09-04,Completed,Duration (seconds): 196,User1: username,User2: username,"Scan started on selected drives and folders and all extensions.","Scan Complete: Risks: 0 Scanned: 1012 Files/Folders/Drives Omitted: 0",Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1012,Omitted: 0,Computer: computername,IP Address: xxx.xxx.xxx.xxx,Domain: domainname,Server: servername

I want to run a query where Risks, Threats, or Infected are greater than 0.

(Scan Complete:) AND (Risks: <0) OR (Threats: <0) OR (Infected: <0)

The problem I'm having is that I do not know how to get "<0" into the query.

Any assistance is much appreciated.

Tags (1)
0 Karma
Reply

twgtech
New Member
‎10-05-2010 06:29 PM

Yeah, I saw that after I posted. Total typo on my part.

0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎10-05-2010 06:02 PM

also since you want greater then zero you want foo>0

0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎10-05-2010 06:02 PM

Do these fields get extracted? Scan Complete, Risks, Threats, Infected? If yes you can try: Try: 

<your search> | WHERE Risks > 0 AND Infected > 0 ...etc..

If these fields do not get extracted then you can try something like: 

<your search> NOT ("Scan Complete:" OR "Risks: 0") ..etc...

Hope this helped.

0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎10-05-2010 06:44 PM

Yay! 😉 - You're welcome!

0 Karma
Reply

twgtech
New Member
‎10-05-2010 06:16 PM

They do not get extracted, so using -

"Scan Complete:" NOT ("Risks: 0" OR "Threats: 0" OR "Infected: 0")

Gave me just what I was looking for.

Much appreciated, Genti.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...