Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Need Help With Simple NOT Search
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewkenth
Communicator
12-11-2013
09:50 AM
I can't beleive I'm coming to Answers to ask this as I've done it many times before but I must be missing something that I'm hoping you can help me find.
I have a list of events by user and date and I want to show any of those user/date combiation not in the list of user date combinations below:
List of Events with Users (and Date)
index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user " | bucket span=1d _time | stats count first(_time) as Date by _time, SqlServerLogon | rename SqlServerLogon as UserName
List of Allowed Users (and Date)
index=charlesriver (sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users) | bucket span=1d _time | stats count first(_time) as Date by _time, UserName | table Date, UserName
index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user " | bucket span=1d _time | stats count first(_time) as Date by _time, SqlServerLogon | rename SqlServerLogon as UserName
| search NOT [ search
index=charlesriver (sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users) | bucket span=1d _time | stats count first(_time) as Date by _time, UserName | table Date, UserName
]
| eval Date=strftime(Date,"%m/%d/%Y") | table Date, UserName, count | sort -Date
My raw data and props.conf look like this:
"TimeStamp","ServerName","HostName","DBName","UserName","LoginType","AssociatedRole"
"Dec 10 2013 12:36AM","426420-SQLCLUS1","426099-WELLDB1","ConfigLogging","dbo","WINDOWS_USER","db_owner"
NO_BINARY_CHECK = 1
pulldown_type = 1
HEADER_MODE = firstline
FIELD_DELIMITER=,
FIELD_QUOTE="
TIME_FORMAT=%b %d %Y %H:%M%p
TIMESTAMP_FIELDS=TimeStamp
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewkenth
Communicator
12-12-2013
07:36 AM
Something seemed to have been wrong with my search string as this works:
index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user "
| bucket span=1d _time | stats count first(_time) as Date by _time, SqlServerLogon | rename SqlServerLogon as UserName | table Date UserName count
| search NOT [ search
index=charlesriver sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users | bucket span=1d _time | stats count first(_time) as Date by _time, UserName | table Date UserName | sort -Date
] | eval Date=strftime(Date,"%m/%d/%Y") | table Date, UserName, count | sort -Date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewkenth
Communicator
12-12-2013
07:36 AM
Something seemed to have been wrong with my search string as this works:
index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user "
| bucket span=1d _time | stats count first(_time) as Date by _time, SqlServerLogon | rename SqlServerLogon as UserName | table Date UserName count
| search NOT [ search
index=charlesriver sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users | bucket span=1d _time | stats count first(_time) as Date by _time, UserName | table Date UserName | sort -Date
] | eval Date=strftime(Date,"%m/%d/%Y") | table Date, UserName, count | sort -Date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aelliott
Motivator
12-12-2013
06:32 AM
try including the trim search command in the usernames to see if there are spaces after them.
Eval UserName=trim(SqlServerLogon)
Eval UserName=trim(UserName)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewkenth
Communicator
12-11-2013
02:00 PM
Unexpected meaning I almost always have a match and this search shows that there are never matches. I can manually find the same Date/UserName combination value in each list.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
12-11-2013
12:15 PM
...and perhaps I should ask, 'unexpected how?'?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
12-11-2013
12:12 PM
what if you use fields + Date, Username instead of table at the end of the subsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewkenth
Communicator
12-11-2013
12:08 PM
They do appear to be correct. Only when I combine them do I see unexpected results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-11-2013
10:15 AM
Try following
index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user "
| bucket span=1d _time | stats count first(_time) as Date by SqlServerLogon | rename SqlServerLogon as UserName
|search [index=charlesriver (sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users)
| bucket span=1d _time| stats first(_time) as Date by UserName]
| eval Date=strftime(Date,"%m/%d/%Y") | table Date, UserName, count | sort -Date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-11-2013
01:07 PM
No, I have missed it. Please include NOT after "search" command in line 5 of search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
andrewkenth
Communicator
12-11-2013
11:47 AM
Am I missing something though? I want everything in the 1st list that is NOT in the 2nd list. Shouldn't I be using the NOT search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
12-11-2013
10:13 AM
What do the results look like when you run the searches separately. Ok?
Get Updates on the Splunk Community!
There's No Place Like Chrome and the Splunk Platform
Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...
The Great Resilience Quest: 5th Leaderboard Update
The fifth leaderboard update for The Great Resilience Quest is out >>
🏆 Check out the ...
Devesh Logendran, Splunk, and the Singapore Cyber Conquest
At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...
