Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search Returning some empty cells
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search Returning some empty cells
Hi,
I'm pretty new to splunk searches and i am trying to report on successful logins for login types 7, 8, 10 and 11, but always one of my columns are empty depending on the time i pick, and the column is always different,
index=win* AND (EventCode=4624) AND (Logon_Type=7 OR Logon_Type=8 OR Logon_Type=10 OR Logon_Type=11) AND (host="DESKTOP*" OR host="LAPTOP*")
| bucket _time span=1w
| eval username = mvindex(Account_Name,1)
| dedup username consecutive=true
| eval dayTimeStr = strftime(_time,"%Y-%m-%d")
| chart count over username by host
I also pipe the data into a table command just to sort out the data for visual purposes.
0 0 0 0 0 0 N 0 5 0 0
0 0 0 0 0 0 N 0 4 0 0
7 51 0 0 0 0 N 0 0 0 0
0 0 13 0 0 0 N 0 0 0 0
0 0 0 14 0 0 N 0 0 0 0
0 0 0 0 22 0 N 0 0 0 0
0 0 0 0 0 19 N 0 0 0 0
0 0 0 0 0 0 N 4 39 0 0
0 0 0 0 0 0 N 0 0 5 0
0 0 0 0 0 0 N 0 0 0 34
The above is the count given to all users and the N column are null values showing as blank, and when i change the time span the null column switches to another column.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your search gives count events for the users who are logged into a particular host (machine). Now, not all users will log into all machines, so in your cross tables, there will be columns which will have 0 as count. What's the expected output from the search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in the table i have all the computers with all the users for those computers on the same table so i would be expecting all the columns to be mostly Zeros in the column except where the user matches the machine, but the null column shifts across when i change the time range, for example, if i change the time range to 30 days, the neighbor column that had matching data turns to having null and the column that had nulls are showing correctly.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
