Splunk Events Do Not Show for recent dates

harshparikhxlrd
Path Finder

Hello, I am using the rex command to extract information on the automation and having it count the number of times a host is logged into. Here is my search:

While this function does work, I notice it only works for the dates from November 21st and before. But it doesn't seem to count any dates after that for some reason. See screenshots for my data. They are exactly the same and the December 2nd field should be extracting in Splunk, but it is not.

Help would be appreciated.


harshparikhxlrd
Path Finder

Resolved my issue. It was simply because the index was set to "monitoring", but did not take into account "windows." I simply added OR index="windows" to my query and it pulled the data correctly.



jacobpevans
Motivator

Greetings @harshparikhxlrd,

This could be a number of things. First off, if you're using Splunk_TA_Windows (on your search head(s)), you should not need to rex out all of these values - it is done for you automatically.

Anyway, to your question, can you verify for me that they always return results? When you do where Auto = "SDA_E_AuditLog" and ... by log, Splunk will discard all null values (for Auto and log). To check for this, try the search below:

index=monitoring sourcetype="PEGA:WinEventLog:Application" (SourceName="RoboticLogging" OR SourceName="Application") (Type="Information")
| rex field=_raw "Automation=\"(?<Auto>.+?)\""
| where Auto = "SDA_E_AuditLog" OR isnull(Auto)
| rex field=_raw "Message=\"(?<log>.+?)\""
| eval log = if(isnull(log),"Unknown",'log')
| timechart dc(host) by log

Cheers,
Jacob

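The null-handling point in this answer is easy to miss when you only see a chart with a gap in it: `where Auto = "..."` evaluates to false for events where the rex pattern did not match, and `timechart ... by log` has no bucket for a null `log`, so those events disappear with no indication that anything was filtered. The Python below is an added illustration, not part of the thread and not Splunk's own code: it approximates the SPL semantics of the two searches (the original strict one and jacobpevans's diagnostic one) over a handful of constructed Windows-event strings, and adds a third function that reports which events were discarded and why. The sample events, host names and dates are made up; in the thread itself the root cause turned out to be index scoping rather than failed extraction, but the same diagnostic pattern surfaces either problem.

```python
import re
from collections import defaultdict

# Constructed sample events (not taken from the thread). Each tuple is
# (day, host, _raw). The last two stand in for the "missing December" events:
# one has the Automation value unquoted so the rex pattern never matches,
# the other has no Automation field at all.
SAMPLE_EVENTS = [
    ("2021-11-17", "hostA", 'SourceName="RoboticLogging" Automation="SDA_E_AuditLog" Message="User logged in"'),
    ("2021-11-21", "hostB", 'SourceName="RoboticLogging" Automation="SDA_E_AuditLog" Message="User logged in"'),
    ("2021-12-02", "hostC", 'SourceName="Application" Automation=SDA_E_AuditLog Message="User logged in"'),
    ("2021-12-02", "hostD", 'SourceName="Application" Message="Service restarted"'),
]

TARGET_AUTO = "SDA_E_AuditLog"

# Same patterns as the two rex commands in the thread, in Python regex syntax.
AUTO_RE = re.compile(r'Automation="(?P<Auto>.+?)"')
LOG_RE = re.compile(r'Message="(?P<log>.+?)"')


def extract(raw, pattern, group):
    """rex semantics: the field is null (None) when the pattern does not match."""
    m = pattern.search(raw)
    return m.group(group) if m else None


def strict_count(events):
    """Mimics `| where Auto = "SDA_E_AuditLog" | timechart dc(host) by log`.
    A null Auto fails the comparison and a null log has no split-by bucket,
    so both kinds of event vanish from the chart without any warning."""
    buckets = defaultdict(lambda: defaultdict(set))
    for day, host, raw in events:
        auto = extract(raw, AUTO_RE, "Auto")
        log = extract(raw, LOG_RE, "log")
        if auto != TARGET_AUTO or log is None:
            continue
        buckets[day][log].add(host)
    return {day: {log: len(hosts) for log, hosts in logs.items()}
            for day, logs in buckets.items()}


def diagnostic_count(events):
    """Mimics the diagnostic search: `where Auto = ... OR isnull(Auto)` keeps
    events whose extraction failed, and `eval log = if(isnull(log), "Unknown", 'log')`
    gives them a visible bucket instead of dropping them."""
    buckets = defaultdict(lambda: defaultdict(set))
    for day, host, raw in events:
        auto = extract(raw, AUTO_RE, "Auto")
        if not (auto == TARGET_AUTO or auto is None):
            continue
        log = extract(raw, LOG_RE, "log")
        if log is None:
            log = "Unknown"
        buckets[day][log].add(host)
    return {day: {log: len(hosts) for log, hosts in logs.items()}
            for day, logs in buckets.items()}


def silently_dropped(events):
    """Lists the events the strict search discards, with the reason, so the
    analyst can see why a day is missing rather than just that it is."""
    dropped = []
    for day, host, raw in events:
        auto = extract(raw, AUTO_RE, "Auto")
        log = extract(raw, LOG_RE, "log")
        if auto is None:
            dropped.append((day, host, "Auto did not extract"))
        elif auto != TARGET_AUTO:
            dropped.append((day, host, "Auto = %r" % auto))
        elif log is None:
            dropped.append((day, host, "log did not extract"))
    return dropped


if __name__ == "__main__":
    print("strict:    ", strict_count(SAMPLE_EVENTS))
    print("diagnostic:", diagnostic_count(SAMPLE_EVENTS))
    for row in silently_dropped(SAMPLE_EVENTS):
        print("dropped:", row)
```

Running it, the strict count has no entry at all for 2021-12-02, while the diagnostic count shows the two December hosts under their message buckets and the dropped-event report names the field that failed to extract. For a detection that counts logins per host, the strict form is the dangerous one: a change in log format (here, an unquoted value) makes hosts quietly fall out of the count rather than raising an error.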

harshparikhxlrd
Path Finder

Hello @jacobpevans,

These are the results I receive when I run the search:
https://imgur.com/n5g5hmo

So, I do get results, but for some reason it will not count the one on December 2nd. There are a few other dates that should be showing up too: 11/23, 11/25, 11/26, 11/29, and 12/02. (The other ones are similar to 12/02.)


harshparikhxlrd
Path Finder

@jacobpevans

When I run the search you put, I get 1 unknown value for November 17th.
