Splunk Search

Search doesn't work

Path Finder

Hi,
I want to show the number of all my downloads with a Splunk search, but the search never shows all the downloads the way I want it to.
Here is my search:

index=abc sourcetype=xyz country="USA" | top limit=2000 filetype| rename count AS "number of downloads"

For example, this search doesn't show the filetype pdf.

But the search:
index abc sourcetype = xyz country="USA" filetype=pdf |top limit=2000 filetype| rename count AS "number of downloads"

shows that there are a large number of PDFs,

and when I change the search to

index abc sourcetype = xyz country="USA" filetype=pdf OR fieltype=txt |top limit=2000 filetype| rename count AS "number of downloads"

there are NO results displayed.

With the search

index abc sourcetype = xyz country="USA" |top limit=2000 filetype|search filetype=pdf fieltype=txt |rename count AS "number of downloads"

there are no results displayed either.

Does any of you know the answer, what is my mistake? I want to show all filetypes, but it is important that the PDFs are not ignored.

Thank you very much for your help, and sorry if this is too incomprehensible.


Builder

@cesarb, have you tried:

index abc sourcetype = xyz country="USA"  filetype=pdf OR fieltype=txt  |stats count by  filetype| sort -count 2000

Can you share the result of this request, please?


Path Finder

Hi, thank you, but it gives: "No results found. Try expanding the time range."

Here the screenshot: https://prnt.sc/j9ehea

When I just filter for PDFs, I get this result: https://prnt.sc/j9eilt

And I don't understand why it works for just PDFs, but not for more filters with an OR between them...


Builder

Can you please try All time instead of 7 days,
and verify it is FileType, not filetype.


Path Finder

When I use All time I get a result of count 2 PDFs... This is not correct.


Could you try to add quotes around FileType field values and run the job in smart mode?


Path Finder

I've tried it, it doesn't work.


Legend

Hi cesarb,
first of all, you don't need to use the limit option:

index=abc sourcetype=xyz country="USA" 
| top 2000 filetype
| rename count AS "number of downloads"

The first check you have to do is on the name of the field "filetype": is it written correctly?
If you copied it from a text editor there could be an invisible character (like a tab).

Then perform the same check on sourcetype = xyz, which one time has spaces around the = and one time doesn't.

Then verify that filetype=pdf is written correctly: try using

filetype="*pdf*" 

in case there's a space in the value.

Then in

index abc sourcetype = xyz country="USA" filetype=pdf OR fieltype=txt 
|top limit=2000 filetype
| rename count AS "number of downloads"

the filetype field isn't written correctly (fieltype).
Then the search

index abc sourcetype = xyz country="USA" 
|top limit=2000 filetype
|search filetype=pdf fieltype=txt 
|rename count AS "number of downloads"

cannot match any result, because I don't think an event could have filetype=pdf AND filetype=txt at the same time (maybe you forgot an OR).

I hope this helps.
Bye.
Giuseppe

Path Finder

Thank you very much for your answer.
But the fields are all written correctly; I just made a mistake in this example here, and there is no space either.
And I tried to do this with an OR, but it doesn't work, I don't understand why:

index abc sourcetype = xyz country="USA" filetype=pdf OR fieltype=txt |top limit=2000 filetype| rename count AS "number of downloads"

shows 1 PDF,
and

index abc sourcetype = xyz country="USA" filetype=pdf |top limit=2000 filetype| rename count AS "number of downloads"

shows 100 PDFs.

Nevertheless, thank you very much! :)


Ultra Champion

Any chance you can share some screenshots of the various searches you've been trying and their results (and also add one for a | stats count by filetype)? Just to see if we can spot something out of the ordinary...


Path Finder

Yes, I uploaded some screenshots.

This is the search without a filter --> no PDF shown
https://prnt.sc/j9deav

This is the search with a filter for PDFs
https://prnt.sc/j9dg9g

This is the search with a filter on pdf OR txt ---> no results! Why? Just pdf gives results..
https://prnt.sc/j9dgrd

This is the search with stats count by filetype
https://prnt.sc/j9dhdj

I hope you can see the screenshots, I can't upload the screens here.
Thank you for your help! :)


Ultra Champion

That's some really weird inconsistent behavior...

As someone already suggested in another comment: have you tried running these in smart mode rather than fast mode?


Path Finder

Yes, I've already tried this...


Ultra Champion

Oh, I just noticed you added the stats count behind the top. Can you please run that without the top command before it?


Champion

Can you simply try :

index=abc sourcetype=xyz country="USA" | stats count AS "number of downloads" by filetype

Path Finder

Thanks, but there is no difference :(


Explorer

Continuing on FrankVl's answer, you can also try to use count by as follows:

index=abc sourcetype=xyz country="USA" | stats count(filetype) AS "number of downloads" by filetype

If your amount of data is not incredibly large, this should run just fine. From the results you should be able to see how many PDFs, txts etc. you have. Then you can easily conclude whether or not the PDFs will show up in the top limit=2000 filetype part of your query.

Also, Splunk has a built-in "helper" to inspect the queries ("jobs") you have run: beneath the search input bar there is an item called "Job v" from which you can click "Inspect Job" to see more information about it. Often, if no results are returned, this can give you some insight as to why. In the case of your latter two queries it will likely say something along the lines of "couldn't run query: at ". Try it out some time, it can really be helpful!
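
Added example, not code from the thread or from Splunk: a small in-memory emulation of the SPL pieces discussed in Giuseppe's answer and the one above, run over constructed sample events. It shows why `top limit=N field` can hide a value that `stats count by field` still lists, why a `| search` after `top` that ANDs two values of the same field (or names a misspelled field such as `fieltype`) returns nothing, how the implicit AND and the OR in the base search combine, and a check for invisible characters (tab, non-breaking space, trailing space) in a field name pasted from an editor. The events, field names and counts are hypothetical; SPL precedence and matching rules (field names case-sensitive, values case-insensitive, OR binding tighter than the implicit AND) are emulated only as far as this thread needs them.

```python
from collections import Counter
import unicodedata

# Constructed sample events (hypothetical, not real Splunk data):
# 5 html, 3 txt and 2 pdf downloads from the USA, one pdf from DE,
# and one USA event that has no filetype field at all.
EVENTS = (
    [{"country": "USA", "filetype": "html"} for _ in range(5)]
    + [{"country": "USA", "filetype": "txt"} for _ in range(3)]
    + [{"country": "USA", "filetype": "pdf"} for _ in range(2)]
    + [{"country": "DE", "filetype": "pdf"}, {"country": "USA"}]
)


def field_eq(event, field, value):
    """Emulate `field=value`: the field name is case-sensitive, the value is
    compared case-insensitively, and a missing field never matches."""
    return field in event and str(event[field]).lower() == value.lower()


def base_search(events, clauses):
    """`clauses` is a list of OR-groups that are ANDed together.  This is how
    SPL reads `country="USA" filetype=pdf OR filetype=txt`: the OR binds
    tighter than the implicit AND between terms."""
    return [
        e for e in events
        if all(any(field_eq(e, f, v) for f, v in group) for group in clauses)
    ]


def stats_count_by(events, field):
    """`| stats count by field`: one row per distinct value, every value kept;
    events without the field are dropped."""
    return dict(Counter(e[field] for e in events if field in e))


def top(events, field, limit=10):
    """`| top limit=N field`: the N most frequent values with count and
    percent.  Values outside the N most frequent silently disappear."""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
    return [
        {field: v, "count": c,
         "percent": round(100.0 * c / total, 6) if total else 0.0}
        for v, c in rows
    ]


def search_rows(rows, clauses):
    """`| search ...` placed after `top` filters the result rows, which only
    carry the columns `top` produced.  A misspelled field name matches no row,
    and `filetype=pdf filetype=txt` is an AND no single row can satisfy."""
    return base_search(rows, clauses)


def invisible_chars(name):
    """Return (offset, description) for every space, tab, control or other
    non-printing character in a field name, e.g. a tab pasted from an editor."""
    return [
        (i, unicodedata.name(ch, "U+%04X" % ord(ch)))
        for i, ch in enumerate(name)
        if ch.isspace() or not ch.isprintable()
    ]


if __name__ == "__main__":
    usa = base_search(EVENTS, [[("country", "USA")]])
    print("top limit=2:", top(usa, "filetype", limit=2))        # pdf missing
    print("stats count by:", stats_count_by(usa, "filetype"))   # pdf present
    print("search pdf AND txt after top:",
          search_rows(top(usa, "filetype", 2000),
                      [[("filetype", "pdf")], [("filetype", "txt")]]))  # []
    print("search pdf OR txt after top:",
          search_rows(top(usa, "filetype", 2000),
                      [[("filetype", "pdf"), ("filetype", "txt")]]))    # 2 rows
    print("field name check:", invisible_chars("filetype\t"))
```

The `invisible_chars` check is the programmatic form of the "copied from a text editor" advice: run it on the exact field name string you are typing into the search bar, and anything it reports (a tab, a trailing space, a non-breaking space) means the search is filtering on a field that does not exist.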

Ultra Champion

Not sure why the PDFs don't show up. Is the number of those sufficient to expect it in the top 2000?

Your last 2 searches contain a typo: fieltype instead of filetype.

Path Finder

Yes, the number is really sufficient.. It's a big number...
Yes, I saw the spelling mistake, but it is just here in the example; in the real search there is no spelling mistake.
