Hello, I am using the rex command to extract information on the automation and having it count the number of times a host is logged into. Here is my search:
While this function does work, I notice it only works for the dates from November 21st and before. But it doesn't seem to count any dates after that for some reason. See screen shots for my data. They are exactly the same and the December 2nd field should be extracting in Splunk, but it is not.
Help would be appreciated.
Resolved my issue. It was simply because the index was set to "monitoring", but did not take into account "windows." I simply added OR index="windows" to my query and it pulled the data correctly.
Greetings @harshparikhxlrd,
This could be a number of things. First off, if you're using Splunk_TA_Windows (on your search head(s)), you should not need to rex out all of these values - it is done for you automatically.
Anyway, to your question, can you verify for me that they always return results? When you do `where Auto = "SDA_E_AuditLog"` and `... by log`, Splunk will discard all null values (for Auto and log). To check for this, try the search below:
index=monitoring sourcetype="PEGA:WinEventLog:Application" (SourceName="RoboticLogging" OR SourceName="Application") (Type="Information")
| rex field=_raw "Automation=\"(?<Auto>.+?)\""
| where Auto = "SDA_E_AuditLog" OR isnull(Auto)
| rex field=_raw "Message=\"(?<log>.+?)\""
| eval log = if(isnull(log),"Unknown",'log')
| timechart dc(host) by log
Cheers,
Jacob
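As an added illustration that is not part of this thread, here is a small Python model of the pipeline above, run over constructed sample events (the hosts, dates and index names are made up). It shows how `where Auto = "SDA_E_AuditLog"` silently drops events in which the rex did not match, how `OR isnull(Auto)` keeps them, and how a base search that selects only one index hides events in the same way:

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original thread): each tuple is
# (index, date, host, _raw). One event has no Automation= field at all,
# and one lives in the "windows" index rather than "monitoring".
EVENTS = [
    ("monitoring", "2019-11-21", "host01",
     'SourceName="RoboticLogging" Automation="SDA_E_AuditLog" Message="Login OK"'),
    ("monitoring", "2019-11-21", "host02",
     'SourceName="RoboticLogging" Automation="SDA_E_AuditLog" Message="Login OK"'),
    ("windows", "2019-12-02", "host03",
     'SourceName="RoboticLogging" Automation="SDA_E_AuditLog" Message="Login OK"'),
    ("monitoring", "2019-12-02", "host04",
     'SourceName="Application" Message="Login OK"'),  # no Automation= field
]

# Same patterns as the two rex commands in the search above.
AUTO_RE = re.compile(r'Automation="(?P<Auto>.+?)"')
LOG_RE = re.compile(r'Message="(?P<log>.+?)"')


def rex(pattern, raw):
    """Mimic `rex field=_raw`: return the captured value, or None on no match."""
    m = pattern.search(raw)
    return m.group(1) if m else None


def run_search(indexes, keep_null_auto):
    """Mimic the pipeline; return {(date, log): distinct host count}.

    indexes:        set of index names selected by the base search.
    keep_null_auto: True mirrors `where Auto = "SDA_E_AuditLog" OR isnull(Auto)`,
                    False mirrors the original `where`, which drops null Auto.
    """
    hosts_by_key = defaultdict(set)
    for index, date, host, raw in EVENTS:
        if index not in indexes:          # base search: index=monitoring [OR index=windows]
            continue
        auto = rex(AUTO_RE, raw)
        if not (auto == "SDA_E_AuditLog" or (keep_null_auto and auto is None)):
            continue                      # `where` evaluates to false for null Auto
        log = rex(LOG_RE, raw) or "Unknown"  # eval log = if(isnull(log),"Unknown",'log')
        hosts_by_key[(date, log)].add(host)
    return {key: len(hosts) for key, hosts in hosts_by_key.items()}  # dc(host) by log
```

With only the `monitoring` index and the original `where`, the December 2nd bucket disappears entirely; adding `OR isnull(Auto)` or `OR index="windows"` brings it back.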
Hello @jacobevans,
These are the results I receive when I run the search:
https://imgur.com/n5g5hmo
So, I do get results; for some reason it will not count the one on December 2nd. There are a few other dates that should be showing up too: 11/23, 11/25, 11/26, 11/29, and 12/02. (The other ones look similar to the 12/02 one.)
@jacobevans
When I run the search you put, I get 1 unknown value for November 17th.