Re: Unable to see correct result after running spl...

su_kumar · ‎07-14-2019

issue : Unable to see correct result after running query.
I have lookup file .CSV which consists some field (AD group,user ID) and have event log which consists field (user ID , IP address, malware , DNS.)
AD.CSV :
The file has field AD group,user ID
AD_group user ID
AD1 John
AD2 John
AD2 Robert
AD1 Juhi
AD3 John
AD1 Rubi
AD4 Ruba
AD2 Jen

Event log :
The event has some field user ID , IP address, malware , DNS .
here only user ID is common in .CSV and event log
but AD_group filed is available in only .CSV file
when running below query :
index=main AD_group="AD1" | table user_id AD_group
output :
user_id AD_group
John AD1
John AD2
John AD3
Juhi AD1
Rubi AD1
here trying to search only AD1 group in query but getting result three AD group(AD1,AD2,AD3) where user_id name John is common in these 3 groups .
why i am getting unexpected result here ?

HiroshiSatoh · ‎07-14-2019

The above search statement does not produce that result. Please provide a complete search statement.

Unable to see correct result after running splunk query

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Unable to see correct result after running splunk query

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine