Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Not getting any data

Michael_Schyma1
Contributor
‎07-17-2012 09:09 AM 
index="Server" (CategoryString="Account Management" OR TaskCategory="Security Group Management" ) (Message="Security Enabled*" OR Message="A member was added to a*") ( EventCode=632 OR EventCode=636 OR EventCode=4728 OR EventCode=4732) | top member, group, caller, name, host, Security_ID | fields member, group, caller, name, host, Security_ID| eval caller = if(isnull(Account_Name), Caller_User_Name, mvindex(Account_Name,0)) | eval member = if(isnull(Account_Name), Member_Name, mvindex(Account_Name,1)) | eval group = if(isnull(Target_Account_Name), Group_Name, Target_Account_Name) | search group="*Domain Admins" OR “*Administrators” OR “*ACCOUNT OPERATORS” OR “*Enterprise Admins” OR “*Schema Admins”|  rename _time AS Time member AS Username group AS Group caller AS "Action by" name AS "Description" host AS "DC" Security_ID AS "Initiator Details" | convert timeformat="%m/%d/%Y %H:%M:%S %p" ctime(Time)

I am having a hard time figuring out why no information is being displayed through the top and fields command.

Tags (1)
0 Karma
Reply

Michael_Schyma1
Contributor
‎07-17-2012 09:49 AM

at the top command

0 Karma
Reply

Ayn
Legend
‎07-17-2012 09:37 AM

top is a command that transforms the search results, so if it gets raw input, it will not pass on that raw input to the commands coming after it in the search pipeline. So, once you've run top field1 for instance, the information available to the rest of the commands will only be the results produced by top (values for field1, count and percent). So, when you run rename _time AS Time for instance, that doesn't make sense because at that stage in the search pipeline the _time field doesn't exist anymore.

Perhaps you could explain a bit more what you want to accomplish with your search?

Reply

Ayn
Legend
‎07-17-2012 09:57 AM

What chart? What kind of output are you expecting? I don't see any charting commands in your search (besides top that I guess could count as a charting command)

0 Karma
Reply

Michael_Schyma1
Contributor
‎07-17-2012 09:53 AM

I did lol but i still dont see the fields displaying in my chart below the search

0 Karma
Reply

Ayn
Legend
‎07-17-2012 09:52 AM

Well perhaps remove it? 😛

0 Karma
Reply

Michael_Schyma1
Contributor
‎07-17-2012 09:50 AM

because i was going to add it in eventually, but i cant even get the feilds to display

0 Karma
Reply

Ayn
Legend
‎07-17-2012 09:50 AM

Then why are you using it?

0 Karma
Reply

Michael_Schyma1
Contributor
‎07-17-2012 09:48 AM

I just want to display all of the feilds, i do not even need the top function yet.

0 Karma
Reply

gnovak
Builder
‎07-17-2012 09:30 AM

| fields member, group, caller, name, host, Security_ID|

Try putting a space after Security_ID and the |

Does that do anything?

0 Karma
Reply

gnovak
Builder
‎07-17-2012 09:22 AM

Have you tried doing the search bit by bit? Where does it fail for you?

0 Karma
Reply
Get Updates on the Splunk Community!

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...