Splunk Search

Search Returning some empty cells

evanbonner
New Member

Hi,
I'm pretty new to Splunk searches and I am trying to report on successful logins for login types 7, 8, 10 and 11, but one of my columns is always empty depending on the time range I pick, and it is always a different column.

index=win* AND (EventCode=4624) AND (Logon_Type=7 OR Logon_Type=8 OR Logon_Type=10 OR Logon_Type=11) AND (host="DESKTOP*" OR host="LAPTOP*")
| bucket _time span=1w
| eval username = mvindex(Account_Name,1)
| dedup username consecutive=true
| eval dayTimeStr = strftime(_time,"%Y-%m-%d")
| chart count over username by host

I also pipe the data into a table command just to sort out the data for visual purposes.

0 0 0 0 0 0 N 0 5 0 0
0 0 0 0 0 0 N 0 4 0 0
7 51 0 0 0 0 N 0 0 0 0
0 0 13 0 0 0 N 0 0 0 0
0 0 0 14 0 0 N 0 0 0 0
0 0 0 0 22 0 N 0 0 0 0
0 0 0 0 0 19 N 0 0 0 0
0 0 0 0 0 0 N 4 39 0 0
0 0 0 0 0 0 N 0 0 5 0
0 0 0 0 0 0 N 0 0 0 34

The above is the count given for all users; the N column contains null values showing as blank, and when I change the time span the null column switches to another column.


somesoni2
Revered Legend

Your search gives a count of events for the users who logged into a particular host (machine). Not all users will log into all machines, so in your cross table there will be columns with a count of 0. What's the expected output from the search?


evanbonner
New Member

In the table I have all the computers with all the users for those computers, so I would expect most of the cells in a column to be zeros except where the user matches the machine, but the null column shifts across when I change the time range. For example, if I change the time range to 30 days, the neighbouring column that had matching data turns null and the column that had nulls shows correctly.

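The following is an added example, not part of the original thread, that shows the variant of this search I would run for the same report. It assumes the column that goes blank is one named explicitly in the downstream table command (the thread never shows that command, so this is an assumption): chart only emits a column for a host that has at least one matching event in the selected time range, so a host that was quiet for that range is missing from the results, and a table command that names it produces an all-blank column. Which host is quiet changes with the time range, which is exactly the "shifting" column. The host names DESKTOP-01, DESKTOP-02 and LAPTOP-01 are placeholders for whatever hosts the report is supposed to cover. Two other changes: Logon_Type IN (...) replaces the OR chain, and the username is taken from the second Account_Name value (the New Logon account in a 4624 event) with a fallback to the single value, because mvindex(Account_Name,1) returns null when only one Account_Name was extracted and chart silently drops events with a null over field. The bucket, strftime and dedup lines are dropped because a chart over username by host never uses _time, and dedup username consecutive=true discards real logons whenever the same user appears in adjacent events. For the record, these logon types are 7 (unlock), 8 (NetworkCleartext, credentials sent in the clear), 10 (RemoteInteractive, i.e. RDP) and 11 (CachedInteractive).

```spl
index=win* EventCode=4624 Logon_Type IN (7, 8, 10, 11) (host="DESKTOP*" OR host="LAPTOP*")
| eval username=coalesce(mvindex(Account_Name,1), Account_Name)
| chart count over username by host
| fillnull value=0 DESKTOP-01 DESKTOP-02 LAPTOP-01
| table username DESKTOP-01 DESKTOP-02 LAPTOP-01
```

If you do not need a fixed set of columns, drop the last two lines and let chart choose them; the blank column cannot appear then. If the intent was one count per user per host per week, keep the bucket line and use `stats count by username host _time` instead of the chart, since chart over username by host collapses all weeks into one number.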