Solved: How to use action="blocked" on search bar ?

Nasser · ‎02-02-2023

I have file.csv and I want to do an action, action="blocked" but it appears to me there is no result after searching so is there any a way to help me? Screenshot 2023-02-02 192507.png

gcusello · ‎02-02-2023

Hi @Nasser,

booleans operators must be used in UPPERCASE, in addition the AND operator is mandatory only in eval.

This means that you're searching using as additional conditions: action="blocked" and the word "and".

Ciao.

Giuseppe

View solution in original post

ghaidaqader · ‎01-25-2024

Hi Nasser I am taking the same course I tried multiple queries nothing worked can you help me

source="3--المصدر-الداعم-الثالثسجل-الملفات.csv" host="Ghaidas-MBP" index="main" sourcetype="stc_logs" action="blocked"

I used this Query as well to count action

source="3--المصدر-الداعم-الثالثسجل-الملفات.csv" host="Ghaidas-MBP" index="main" sourcetype="stc_logs" | stats count by action

but neither queries have yielded any results

Nasser · ‎02-04-2024

try this

booleans operators must be used in UPPERCASE, in addition the AND operator is mandatory only in eval.

This means that you're searching using as additional conditions: action="blocked" and the word "and".

Ciao.

abdullahR · ‎07-13-2023

hello Nasser can you help me on this?

Nasser · ‎02-02-2023

Thanks a lot it helped me

gcusello · ‎02-02-2023

Hi @Nasser,

booleans operators must be used in UPPERCASE, in addition the AND operator is mandatory only in eval.

This means that you're searching using as additional conditions: action="blocked" and the word "and".

Ciao.

Giuseppe

How to use action="blocked" on search bar ?

Other

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting