Splunk Search

No results using top command in Splunk 6.3

Explorer

Are there any issues with Splunk 6.3 and the top command? I am trying to run a query that works fine in 6.2 and below but recently upgraded Search Head to 6.3 no longer gives me any results. All the events show up with the top command removed. Also if I remove the transaction command, top will work for any field, issue starts once transaction is added.

index=mswindows sourcetype="WMI:WinEventLog:Security" host=103* Logon_Type=3 | transaction Logon_ID startswith=EventCode=4624 endswith=EventCode=4634 | eval duration=duration/60 | rangemap field=duration "<1min"=0-1 "1-2min"=1-2 "2-3min"=2-3 "3-4min"=3-4 "4-5min"=4-5 ">5min"=5-1000 | top range

Again this works great in older versions.

Tags (3)
0 Karma
1 Solution

Esteemed Legend

I suspect the problem is in the range command, not top, so try this:

index=mswindows sourcetype="WMI:WinEventLog:Security" host=103* Logon_Type=3 | transaction Logon_ID startswith=EventCode=4624 endswith=EventCode=4634 | eval duration=duration/60 | eval range = case(duration<1, "<1min", duration<2, "1-2min", duration<3, "2-3min", duration<4, "3-4min", duration<5, "4-5min", true(), ">5min") | top range

View solution in original post

0 Karma

Esteemed Legend

I suspect the problem is in the range command, not top, so try this:

index=mswindows sourcetype="WMI:WinEventLog:Security" host=103* Logon_Type=3 | transaction Logon_ID startswith=EventCode=4624 endswith=EventCode=4634 | eval duration=duration/60 | eval range = case(duration<1, "<1min", duration<2, "1-2min", duration<3, "2-3min", duration<4, "3-4min", duration<5, "4-5min", true(), ">5min") | top range

View solution in original post

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!