Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search Returning some empty cells

evanbonner
New Member
‎04-29-2019 07:54 AM

Hi,
I'm pretty new to splunk searches and i am trying to report on successful logins for login types 7, 8, 10 and 11, but always one of my columns are empty depending on the time i pick, and the column is always different,

index=win* AND (EventCode=4624) AND (Logon_Type=7 OR Logon_Type=8 OR Logon_Type=10 OR Logon_Type=11) AND (host="DESKTOP*" OR host="LAPTOP*")
| bucket _time span=1w
| eval username = mvindex(Account_Name,1)
| dedup username consecutive=true
| eval dayTimeStr = strftime(_time,"%Y-%m-%d")
| chart count over username by host

I also pipe the data into a table command just to sort out the data for visual purposes.

0 0 0 0 0 0 N 0 5 0 0
0 0 0 0 0 0 N 0 4 0 0
7 51 0 0 0 0 N 0 0 0 0
0 0 13 0 0 0 N 0 0 0 0
0 0 0 14 0 0 N 0 0 0 0
0 0 0 0 22 0 N 0 0 0 0
0 0 0 0 0 19 N 0 0 0 0
0 0 0 0 0 0 N 4 39 0 0
0 0 0 0 0 0 N 0 0 5 0
0 0 0 0 0 0 N 0 0 0 34

The above is the count given to all users and the N column are null values showing as blank, and when i change the time span the null column switches to another column.

0 Karma
Reply

somesoni2
Revered Legend
‎04-29-2019 12:15 PM

Your search gives count events for the users who are logged into a particular host (machine). Now, not all users will log into all machines, so in your cross tables, there will be columns which will have 0 as count. What's the expected output from the search?

0 Karma
Reply

evanbonner
New Member
‎04-30-2019 01:12 AM

in the table i have all the computers with all the users for those computers on the same table so i would be expecting all the columns to be mostly Zeros in the column except where the user matches the machine, but the null column shifts across when i change the time range, for example, if i change the time range to 30 days, the neighbor column that had matching data turns to having null and the column that had nulls are showing correctly.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...