How do I find missing information from query 2 and query 1

benj851
Explorer

I am trying to find missing stores from query 2 in the below script. However, it returns no results, or all results depending on the search. For the purposes of my search, I know the correct result is one. Can you please assist me in my evaluations to get what I'm seeking? I've been trying this for days now.

host=s*0009 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\Program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | search [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 *CFT* DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] | table nodiff StoreEDWFile StoreonMainframe

benj851
Explorer

I've tried using NOT before the subquery instead of the bool check at the end. It was also not successful.


vishaltaneja070
Motivator

Is it possible to get a small set of results of both queries?


benj851
Explorer
In this example I'm simply asking for results for each query, but I get no results:

host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | search [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 *CFT* DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] |  table StoreEDWFile StoreonMainframe

Result:
No Results found


benj851
Explorer

Here is just the first query, the query that must have something in order for the subquery to possibly have something:

host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\Program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | table StoreCallEDW

Results are:

StoreCallEDW
0084
0086
0080


benj851
Explorer

This should return one result on StoreonMainframe, but the only results returned are for nodiff. When you view the results, they are related to StoreCallEDW.

host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\program\Bin\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | sort StoreCallEDW |search NOT [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 CFT DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4) | Sort StoreonMainframe] | eval nodiff=if(match(StoreCallEDW,StoreonMainframe), "True", "False")| table nodiff StoreEDWFile StoreonMainframe

Results:
nodiff StoreEDWFile StoreonMainframe
False
False
False


benj851
Explorer

Using NOT and a subsearch: No results are returned for the subsearch when there should be 1200+. Each query should return 1200+ results:

host=s02*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\program\Bin\pototo.exe" | dedup host | eval StoreEDWFile=substr(ComputerName,2,4) | sort StoreEDWFile | search NOT [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 CFT DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] | sort StoreonMainframe | table StoreEDWFile StoreonMainframe

returns only values for StoreEDWFile:

StoreEDWFile StoreonMainframe
0202
0203
0204
0205

This is a problem because StoreEDWFile is not in question. StoreonMainframe should have been missing.

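An added example, not a reply from the thread, showing why the subsearches above match nothing: Splunk rewrites a subsearch's rows into search terms on the rows' field names, so a subsearch that returns StoreonMainframe yields terms like (StoreonMainframe="0084") OR (StoreonMainframe="0086"), which no event from the first query carries (those events carry StoreCallEDW), so search [...] returns nothing and search NOT [...] returns everything. Giving the subsearch field the same name as the outer field lets NOT [...] keep only the stores that have no successful mainframe definition; the hosts, field names and values are the ones from the posts above, with nothing else assumed.

```spl
host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\Program\\Bin\\potato.exe"
| dedup host
| eval StoreCallEDW=substr(ComputerName,2,4)
| search NOT [
    search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 *CFT* DEFINE_RESOURCE="SUCCESSFUL_DEFINITION"
    | spath RESOURCE_NAME
    | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*"
    | eval StoreCallEDW=substr(RESOURCE_NAME,29,4)
    | dedup StoreCallEDW
    | fields StoreCallEDW
  ]
| table host StoreCallEDW
```

Each row returned is a store seen in the process-creation events but absent from the mainframe list; the same renamed subsearch without NOT gives the stores present in both.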