Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search dont work

cesarb
Path Finder
‎04-23-2018 03:27 AM

Hi,
I want to show the number of all my downloads with a Splunk search, but the search shows never all downloads how i want it.
Here is my search:

index=abc sourcetype=xyz country="USA" | top limit=2000 filetype| rename count AS "number of downloads"

For exampel, this search doesn't show the filetype pdf.

But the search:
index abc sourcetype = xyz country="USA" filetype=pdf |top limit=2000 filetype| rename count AS "number of downloads"

show that there are a big number of pdf's

and when i change the search to

index abc sourcetype = xyz country="USA" filetype=pdf OR fieltype=txt |top limit=2000 filetype| rename count AS "number of downloads"

There are NO results displayed

With the search
index abc sourcetype = xyz country="USA" |top limit=2000 filetype|search filetype=pdf fieltype=txt |rename count AS "number of downloads there are no results displayed too.

Did anybody of you know a answer, what ist my fault? I want to show all filetypes, but it is important that the pdf's dont will be ignored.

Thank you very much for your help, and sorry if this is to incomprehensible.

Tags (2)
0 Karma
Reply

TISKAR
Builder
‎04-24-2018 03:00 AM

@cesarb, are you try by:

index abc sourcetype = xyz country="USA"  filetype=pdf OR fieltype=txt  |stats count by  filetype| sort -count 2000

can you share the result of this request please

0 Karma
Reply

cesarb
Path Finder
‎04-24-2018 03:18 AM

Hi, thank you but it gives :"No results found. Try expanding the time range."

Here the screenshot: https://prnt.sc/j9ehea

When I just filter for pdf's, i get these result: https://prnt.sc/j9eilt

And i dont understand why it works for just pdf's, but not for more filters with an OR between it...

0 Karma
Reply

TISKAR
Builder
‎04-24-2018 03:32 AM

can you please try by all time in place to 7 days
and verifie its FileType not filetype

0 Karma
Reply

cesarb
Path Finder
‎04-24-2018 03:40 AM

When i use all time i get a result of count 2 pdf's... This is not correctly

0 Karma
Reply

damien_chillet
Builder
‎04-24-2018 03:27 AM

Could you try to add quotes around FileType field values and run the job in smart mode?

0 Karma
Reply

cesarb
Path Finder
‎04-24-2018 11:34 PM

I've tried it, it dont work.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-23-2018 07:14 AM

Hi cesarb,
at first you don't need to use the limit option

index=abc sourcetype=xyz country="USA" 
| top 2000 filetype
| rename count AS "number of downloads"

The first check you have to do is on the name of the field "filetype": is it correctly written?
if you copied it from a text editor there could be a non visible char (like tab).

Then perform the same check on sourcetype = xyz than one time has spaces and one time they aren't.

Then verify that filetype=pdf is correctly written: try using 

filetype="*pdf*"

maybe there's a space.

Then in 

index abc sourcetype = xyz country="USA" filetype=pdf OR fieltype=txt 
|top limit=2000 filetype
| rename count AS "number of downloads"

the filetype field isn't correctly written.
Then the search

index abc sourcetype = xyz country="USA" 
|top limit=2000 filetype
|search filetype=pdf fieltype=txt 
|rename count AS "number of downloads

cannot match any result because I don't think that an event could have at the same time filetype=pdf AND filetype=txt (maybe you forgot an OR).

I hope to help you.
Bye.
Giuseppe

Reply

cesarb
Path Finder
‎04-24-2018 12:52 AM

Thank you very much for your answer.
But the fields are all written correctly, I just do a mistake in this example here, also there is no space.
And i tried to do this with an OR but it dont work, I dont understand why,

index abc sourcetype = xyz country="USA" filetype=pdf OR fieltype=txt |top limit=2000 filetype| rename count AS "number of downloads"

shows 1 pdf
and

index abc sourcetype = xyz country="USA" filetype=pdf |top limit=2000 filetype| rename count AS "number of downloads"

shows 100 pdfs.

Nevertheless, thank you very much!:)

0 Karma
Reply

FrankVl
Ultra Champion
‎04-24-2018 01:21 AM

Any chance you can share some screenshots of the various searches you've been trying and their results (and also add one for a | stats count by filetype? Just to see if we can spot something out of the ordinary...

0 Karma
Reply

cesarb
Path Finder
‎04-24-2018 02:03 AM

Yes i uploaded some screenshots.

This is the search without a filter --> no pdf shown
https://prnt.sc/j9deav

This is the search with filter for pdf'S
https://prnt.sc/j9dg9g

This is the search with filter on pdf OR txt ---> no results! Why? Just pdf gives results..
https://prnt.sc/j9dgrd

This is the search with the stats count by filtetype
https://prnt.sc/j9dhdj

I hope you can seen the screenshots, i cant upload the screens here.
Thank you for your help!:)

0 Karma
Reply

FrankVl
Ultra Champion
‎04-25-2018 12:29 AM

That's some really weird inconsistent behavior...

As someone already suggested in another comment: have you tried running these in smart mode rather than fast mode?

0 Karma
Reply

cesarb
Path Finder
‎04-25-2018 12:54 AM

Yes, i've already tried this ...

0 Karma
Reply

FrankVl
Ultra Champion
‎04-25-2018 02:15 AM

Oh, I just noticed you added the stats count behind the top. Can you please run that without the top command before it?

0 Karma
Reply

p_gurav
Champion
‎04-23-2018 07:04 AM

Can you simply try :

index=abc sourcetype=xyz country="USA" | stats count AS "number of downloads" by filetype
Reply

cesarb
Path Finder
‎04-24-2018 12:52 AM

Thanks but there is no different 😞

0 Karma
Reply

koenV
Explorer
‎04-23-2018 06:49 AM

Continuing on FrankVIs answer, you can also try to use count by as follows:

index=abc sourcetype=xyz country="USA" | stats count(filetype) AS "number of downloads" by filetype

If your amount of data is not incredibly large this should run just fine. From the results you should be able to see how many PDFs, txts etc. you have. Then you can conclude easily whether or not the PDFs will show up in the top limit=2000 filetype part of your query.

Also, Splunk has a built in "helper" to inspect your ran queries ("jobs"): Beneath the search input bar there is an item called "Job v" from which you can click "Inspect Job" to see some more information about it. Often if no results are returned this can give you some insights as to why no results were returned. In the case of your latter two queries it will likely say something along the lines of "couldn't run query: at ". Try it out some time, it can really be helpful!

Reply

FrankVl
Ultra Champion
‎04-23-2018 06:36 AM

Not sure why the PDFs don't show up. Is the number of those sufficient to expect it in the top 2000?

Your last 2 searches contain a typo: fieltype instead of filetype.

Reply

cesarb
Path Finder
‎04-24-2018 12:54 AM

Yes, the number is really sufficient.. Its a big number...
Yes, i seen the spelling mistake, but it is just here in the example, in the real search is no spelling mistake

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...