Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help to Write the Custom Query

sumit29
Path Finder
‎05-22-2015 05:29 AM

Dear Experts,

I am creating the custom search in ES app ,

| tstats allow_old_summaries=true dc(Authentication.src) as "Source",dc(Authentication.user) as "User" from datamodel=Authentication where nodename=Authentication.Successful_Authentication by "Authentication.user","Authentication.src" | rename "Authentication.user" as "User","Authentication.src" as "Source" | Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

Result : Above query is not working as expected.

I have a User=x which can be authenticated from 3 source.

I need to create the alert if user login from other than this 3 source , I should get the alert . Kindly help to enhance the query.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎05-22-2015 10:07 AM

try backing out of your search and respond with where it is failing. For example take off:
| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

what are the results of the search at that point? If it still fails take off more of the search so we can see what works and what doesn't.

as a first guess I would try replacing

| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

with

| search User="x" Source!="a" OR Source!="b" OR Source!="c"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎05-22-2015 10:07 AM

try backing out of your search and respond with where it is failing. For example take off:
| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

what are the results of the search at that point? If it still fails take off more of the search so we can see what works and what doesn't.

as a first guess I would try replacing

| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

with

| search User="x" Source!="a" OR Source!="b" OR Source!="c"

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-23-2015 09:57 PM

Other than that Where should be where, your search looks fine to me (assuming, as @rphillips_splunk said, the stuff before where is OK)

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-23-2015 09:16 PM

The AND -> OR is definitely wrong.

0 Karma
Reply
Solved! Jump to solution

sumit29
Path Finder
‎05-23-2015 09:27 PM

Thanks rphillips,

I haven't tried the query as its weekend .will try on Monday

@woodcock - can u extend ur help in writing the query .Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...