Splunk Search

Help to Write the Custom Query

sumit29
Path Finder

Dear Experts,

I am creating the custom search in ES app ,

| tstats allow_old_summaries=true dc(Authentication.src) as "Source",dc(Authentication.user) as "User" from datamodel=Authentication where nodename=Authentication.Successful_Authentication by "Authentication.user","Authentication.src" | rename "Authentication.user" as "User","Authentication.src" as "Source" | Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

Result : Above query is not working as expected.

I have a User=x which can be authenticated from 3 source.

I need to create the alert if user login from other than this 3 source , I should get the alert . Kindly help to enhance the query.

Tags (1)
0 Karma
1 Solution

rphillips_splk
Splunk Employee
Splunk Employee

try backing out of your search and respond with where it is failing. For example take off:
| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

what are the results of the search at that point? If it still fails take off more of the search so we can see what works and what doesn't.

as a first guess I would try replacing

| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

with

| search User="x" Source!="a" OR Source!="b" OR Source!="c"

View solution in original post

0 Karma

rphillips_splk
Splunk Employee
Splunk Employee

try backing out of your search and respond with where it is failing. For example take off:
| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

what are the results of the search at that point? If it still fails take off more of the search so we can see what works and what doesn't.

as a first guess I would try replacing

| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

with

| search User="x" Source!="a" OR Source!="b" OR Source!="c"

0 Karma

woodcock
Esteemed Legend

Other than that Where should be where, your search looks fine to me (assuming, as @rphillips_splunk said, the stuff before where is OK)

0 Karma

woodcock
Esteemed Legend

The AND -> OR is definitely wrong.

0 Karma

sumit29
Path Finder

Thanks rphillips,

I haven't tried the query as its weekend .will try on Monday

@woodcock - can u extend ur help in writing the query .Thanks

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...