Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search Returning some empty cells

evanbonner
New Member
‎04-29-2019 07:54 AM

Hi,
I'm pretty new to splunk searches and i am trying to report on successful logins for login types 7, 8, 10 and 11, but always one of my columns are empty depending on the time i pick, and the column is always different,

index=win* AND (EventCode=4624) AND (Logon_Type=7 OR Logon_Type=8 OR Logon_Type=10 OR Logon_Type=11) AND (host="DESKTOP*" OR host="LAPTOP*")
| bucket _time span=1w
| eval username = mvindex(Account_Name,1)
| dedup username consecutive=true
| eval dayTimeStr = strftime(_time,"%Y-%m-%d")
| chart count over username by host

I also pipe the data into a table command just to sort out the data for visual purposes.

0 0 0 0 0 0 N 0 5 0 0
0 0 0 0 0 0 N 0 4 0 0
7 51 0 0 0 0 N 0 0 0 0
0 0 13 0 0 0 N 0 0 0 0
0 0 0 14 0 0 N 0 0 0 0
0 0 0 0 22 0 N 0 0 0 0
0 0 0 0 0 19 N 0 0 0 0
0 0 0 0 0 0 N 4 39 0 0
0 0 0 0 0 0 N 0 0 5 0
0 0 0 0 0 0 N 0 0 0 34

The above is the count given to all users and the N column are null values showing as blank, and when i change the time span the null column switches to another column.

0 Karma
Reply

somesoni2
Revered Legend
‎04-29-2019 12:15 PM

Your search gives count events for the users who are logged into a particular host (machine). Now, not all users will log into all machines, so in your cross tables, there will be columns which will have 0 as count. What's the expected output from the search?

0 Karma
Reply

evanbonner
New Member
‎04-30-2019 01:12 AM

in the table i have all the computers with all the users for those computers on the same table so i would be expecting all the columns to be mostly Zeros in the column except where the user matches the machine, but the null column shifts across when i change the time range, for example, if i change the time range to 30 days, the neighbor column that had matching data turns to having null and the column that had nulls are showing correctly.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...