Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Null Question

raby1996
Path Finder
‎07-07-2016 11:50 AM

Null

Tags (1)
0 Karma
Reply

maciep
Champion
‎07-07-2016 06:18 PM

Like others have mentioned, you have way too much going on in that search for us to just immediately recognize what is wrong. But I think I can recommend some basic troubleshooting. Hopefully you've gone through this exercise already, but if not maybe now is the time.

Your search is complex. Do you have any idea where the error in logic shows ups? Does the base search work? If so, do you see the results you expect after the foreach? If so, does that mvzip do what you expect? And so on. Splunk's SPL isn't all or nothing. Start stepping through each phase of your search to try identify where the mistake is introduced. Start with the base search and pipes one at a time.

And if you have lots of data you're working with, change your base search to include one or two specific sources so that maybe the mistake will be more obvious when you get there.

Nobody here is going to be able to help you identify the issue without sample data. And even then, I think there's a lot of logic built into that search based on what you understand about this data, so we would still struggle to follow along. So just take it step by step on your own and should find the issue.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-07-2016 01:52 PM

"P.S. I should mention that the date I am extracting from from the event is the correct one, its just being listed wrong."

What do you mean "listed wrong"?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-07-2016 12:08 PM

Dude... if you want help with this, you gotta at least share some sample data.

0 Karma
Reply

raby1996
Path Finder
‎07-07-2016 12:25 PM

I apologize I've uploaded a screen shot with sample data

0 Karma
Reply

woodcock
Esteemed Legend
‎07-07-2016 12:07 PM

We really need some raw events to work through this.

0 Karma
Reply

raby1996
Path Finder
‎07-07-2016 12:24 PM

I apologize I've uploaded a screen shot with sample data

0 Karma
Reply

woodcock
Esteemed Legend
‎07-07-2016 12:36 PM

Not a screen shot and that is not raw event data. Post a comment with plain text raw data as text.

0 Karma
Reply

raby1996
Path Finder
‎07-07-2016 12:51 PM

Ok, I misunderstood, I won't be allowed to post the raw data online. I'll try and create something very similar that I can post, or create a new question that is more detailed, thank you again for your help.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎07-07-2016 01:13 PM

something very similar will probably not work, because everyone will used the provided sample and if you use it on your real data....well, don't expect it to work. Only real events will provide real solutions.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-07-2016 01:17 PM

The problem is that your search is so complicated that there is really now way to unwrap it to find the problem without good source data.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...