Splunk Search

Search Returning some empty cells

evanbonner
New Member

Hi,
I'm pretty new to Splunk searches and I am trying to report on successful logins for login types 7, 8, 10 and 11, but one of my columns is always empty depending on the time I pick, and the column is always different.

index=win* AND (EventCode=4624) AND (Logon_Type=7 OR Logon_Type=8 OR Logon_Type=10 OR Logon_Type=11) AND (host="DESKTOP*" OR host="LAPTOP*")
| bucket _time span=1w
| eval username = mvindex(Account_Name,1)
| dedup username consecutive=true
| eval dayTimeStr = strftime(_time,"%Y-%m-%d")
| chart count over username by host

I also pipe the data into a table command just to sort out the data for visual purposes.

0 0 0 0 0 0 N 0 5 0 0
0 0 0 0 0 0 N 0 4 0 0
7 51 0 0 0 0 N 0 0 0 0
0 0 13 0 0 0 N 0 0 0 0
0 0 0 14 0 0 N 0 0 0 0
0 0 0 0 22 0 N 0 0 0 0
0 0 0 0 0 19 N 0 0 0 0
0 0 0 0 0 0 N 4 39 0 0
0 0 0 0 0 0 N 0 0 5 0
0 0 0 0 0 0 N 0 0 0 34

The above is the count given to all users; the N column contains null values showing as blank, and when I change the time span the null column switches to another column.

0 Karma
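As an added example (not from this thread, and not a diagnosis of the poster's data), a small Python model of the cross-table the posted search builds: constructed 4624-style events, a username taken from the second Account_Name value the way mvindex(Account_Name,1) does, and a count by username and host with every cell filled. The time bucketing and dedup steps are left out; host names and account names are made up.

```python
# Added example, not code from the thread: a model of
# "eval username = mvindex(Account_Name,1) | chart count over username by host"
from collections import defaultdict

# Constructed sample events. Account_Name is a list because Windows 4624
# events usually carry two Account_Name values (subject, then target);
# the last event deliberately carries only one.
EVENTS = [
    {"host": "DESKTOP-01", "Logon_Type": "10", "Account_Name": ["DESKTOP-01$", "alice"]},
    {"host": "DESKTOP-01", "Logon_Type": "7",  "Account_Name": ["DESKTOP-01$", "alice"]},
    {"host": "LAPTOP-02",  "Logon_Type": "11", "Account_Name": ["LAPTOP-02$", "bob"]},
    {"host": "LAPTOP-02",  "Logon_Type": "2",  "Account_Name": ["LAPTOP-02$", "bob"]},
    {"host": "LAPTOP-03",  "Logon_Type": "8",  "Account_Name": ["carol"]},
]
LOGON_TYPES = {"7", "8", "10", "11"}  # the types the posted search keeps

def mvindex(values, i):
    """Mimic SPL mvindex: element i of a multivalue field, or None (null)
    when that index does not exist, e.g. for a single-valued field."""
    return values[i] if -len(values) <= i < len(values) else None

def username_of(event):
    """The search's eval: username = mvindex(Account_Name, 1)."""
    return mvindex(event["Account_Name"], 1)

def chart_count_by_host(events):
    """Model 'chart count over username by host': rows are usernames (None
    stands for a null username), columns are hosts, and every user/host
    pair is filled with an explicit 0 instead of an empty cell."""
    counts = defaultdict(lambda: defaultdict(int))
    hosts = set()
    for ev in events:
        if ev["Logon_Type"] not in LOGON_TYPES:
            continue  # same effect as the Logon_Type filter in the search
        hosts.add(ev["host"])
        counts[username_of(ev)][ev["host"]] += 1
    hosts = sorted(hosts)
    return {user: {h: counts[user][h] for h in hosts} for user in counts}

if __name__ == "__main__":
    for user, row in chart_count_by_host(EVENTS).items():
        print(user, row)
```

The row keyed by None shows where a single-valued Account_Name ends up: the user becomes null while the host column still gets a count.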

somesoni2
Revered Legend

Your search gives event counts for the users who are logged into a particular host (machine). Now, not all users will log into all machines, so in your cross table there will be columns which have 0 as the count. What's the expected output from the search?

0 Karma

evanbonner
New Member

In the table I have all the computers with all the users for those computers on the same table, so I would be expecting all the columns to be mostly zeros except where the user matches the machine, but the null column shifts across when I change the time range. For example, if I change the time range to 30 days, the neighbouring column that had matching data turns to null and the column that had nulls shows correctly.

0 Karma