
Why am I getting the wrong search results?

pbnl
Path Finder

i have this dropdown which produces correct results:

      <input type="dropdown" token="tUser" searchWhenChanged="true">
        <label>User Name</label>
        <choice value="*">All</choice>
        <default>*</default>
        <fieldForLabel>numUsername</fieldForLabel>
        <fieldForValue>username</fieldForValue>
        <search>
          <query>index=tvlog
            | stats count AS "Quantity" by username
            | strcat username " (" Quantity ")" numUsername
          </query>
          <earliest>$tokEarliestTime$</earliest>
          <latest>$tokLatestTime$</latest>
        </search>
      </input>

There's, among others, one user named "Support SuL" and an additional user named "Support SuL 2". Both show up in the dropdown with the correct number of connections (Quantity).
BUT when I select "Support SuL" from the dropdown, the resulting table contains both users.
Even worse: when I select "Support SuL 2", I get all "Support SuL 2" users and some "Support SuL" users.
This is the table:

      <table>
        <search>
          <query>index=tvlog $tUser$
            | table start_date, end_date, duration, username, devicename
            | sort start_date desc
            | rename start_date as "Start Date"
            | rename end_date as "End Date"
            | rename username as "User Name"
            | rename devicename as "Device Name"
          </query>
          <earliest>$tokEarliestTime$</earliest>
          <latest>$tokLatestTime$</latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>

The source file is a simple UTF-8 encoded CSV.

What's wrong here?

1 Solution

yuanliu
SplunkTrust

You can try

index=tvlog username="$tUser$"


ITWhisperer
SplunkTrust

Try something like this

index=tvlog TERM(username=$tUser|s$)

or 

index=tvlog
| where username=$tUser|s$

pbnl
Path Finder

Thanks for the answer, but none of your proposals returns a result 😞


ITWhisperer
SplunkTrust

Can you provide some sample events in a code block </> so we can see what you are dealing with?


pbnl
Path Finder

I'm not really sure what you mean. I copied two events resulting from this search:
index=tvlog "support sul"
It shows 324 events containing user "Support SuL" and "Support SuL 2".

index=tvlog username="support sul"
shows 161 results with only user "Support SuL".

index=tvlog username="support sul 2"
shows 163 results with only user "Support SuL 2".

      2022-08-08 11:25:57,2022-08-08 11:33:52,"0:07:55",cabb2212-93b4-42e9-b890-2be47b841d82,u173443428,"Support SuL",230088210,PC1102,g170315939,PC1102
      date_hour = 11
      date_mday = 8
      date_minute = 25
      date_month = august
      date_second = 57
      date_wday = monday
      date_year = 2022
      date_zone = local
      eventtype = nix-all-logs
      host = srv141
      index = tvlog
      linecount = 1
      source = /opt/splunkforwarder/etc/apps/PBNL_getTVlog/log/TVlog.csv
      sourcetype = csv
      splunk_server = srv091
      splunk_server_group = dmc_group_indexer
      splunk_server_group = dmc_indexerclustergroup_SplunkClusterPBNL
      timeendpos = 27
      timestartpos = 0

      2022-08-05 06:58:45,2022-08-05 14:00:26,"7:01:41",d3e88821-f7b7-45bd-a18d-91d2dc147458,u174066842,"Support SuL 2",265385451,PC1153,g162593205,PC1153
      date_hour = 6
      date_mday = 5
      date_minute = 58
      date_month = august
      date_second = 45
      date_wday = friday
      date_year = 2022
      date_zone = local
      eventtype = nix-all-logs
      host = srv141
      index = tvlog
      linecount = 1
      source = /opt/splunkforwarder/etc/apps/PBNL_getTVlog/log/TVlog.csv
      sourcetype = csv
      splunk_server = srv091
      splunk_server_group = dmc_group_indexer
      splunk_server_group = dmc_indexerclustergroup_SplunkClusterPBNL
      timeendpos = 27
      timestartpos = 0

These searches are all correct, but in the dashboard I need to deal with the token $tUser$.

yuanliu
SplunkTrust

You can try

index=tvlog username="$tUser$"

pbnl
Path Finder

Sorry, I forgot to update. After you proposed username=="$tUser$" I tried username="$tUser$" and that did the trick 😉
Thank you...

yuanliu
SplunkTrust
index=tvlog
| where username=="$tUser$"

pbnl
Path Finder

Tried that too without success.
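To see why the original query `index=tvlog $tUser$` returns both users while `index=tvlog username="$tUser$"` returns only the selected one, here is an added Python model of the two search forms. It is not code from the thread or from Splunk: it approximates Splunk's term breaking with a simple tokenizer, assumes a CSV header (only start_date, end_date, duration, username and devicename are named in the thread; the other column names are made up), and uses constructed rows that resemble the posted events. The `render_query` helper reproduces the `$tUser|s$` quoting filter from ITWhisperer's reply.

```python
"""Model of why `index=tvlog $tUser$` matches both users while
`index=tvlog username="$tUser$"` matches only the selected one.

Added illustration, not code from the thread or from Splunk. It models
two behaviours in a simplified way:
  * an unquoted value in the search bar is broken into separate terms
    ("Support", "SuL", "2") that only have to occur somewhere in the event;
  * field=value compares the extracted field against the whole value.
The tokenizer is an approximation of Splunk's breakers, and the CSV
header is assumed; the rows are constructed to resemble the thread's events.
"""
import csv
import io
import re

# Constructed sample of TVlog.csv. The header is assumed: the thread only
# names start_date, end_date, duration, username and devicename.
SAMPLE_CSV = """\
start_date,end_date,duration,session_id,user_id,username,device_id,devicename,group_id,device
2022-08-08 11:25:57,2022-08-08 11:33:52,0:07:55,cabb2212-93b4-42e9-b890-2be47b841d82,u173443428,Support SuL,230088210,PC1102,g170315939,PC1102
2022-08-05 06:58:45,2022-08-05 14:00:26,7:01:41,d3e88821-f7b7-45bd-a18d-91d2dc147458,u174066842,Support SuL 2,265385451,PC1153,g162593205,PC1153
2022-08-05 07:10:02,2022-08-05 07:20:09,0:10:07,00000000-0000-4000-8000-000000000003,u174066843,Support SuL,265385452,PC1153 2,g162593205,PC1153 2
2022-08-06 09:00:00,2022-08-06 09:30:00,0:30:00,00000000-0000-4000-8000-000000000004,u174066844,Frontdesk,265385453,PC1200,g162593206,PC1200
"""


def load_events(text):
    """Parse CSV text into one dict per event (what sourcetype=csv does)."""
    return list(csv.DictReader(io.StringIO(text)))


def terms(text):
    """Approximate term breaking: split on whitespace and common punctuation,
    lower-case the pieces. Hyphens and colons are kept so '2022-08-08' does
    not contribute a bare '2' (a simplification of Splunk's breakers)."""
    return {t.lower() for t in re.split(r'[\s,;"()]+', text) if t}


def bare_search(events, phrase):
    """index=tvlog $tUser$ -> every term of the phrase must occur anywhere in the event."""
    wanted = terms(phrase)
    return [e for e in events if wanted <= terms(",".join(e.values()))]


def field_search(events, field, value):
    """index=tvlog username="$tUser$" -> whole-value, case-insensitive comparison."""
    return [e for e in events if e[field].lower() == value.lower()]


def render_query(template, **tokens):
    """Substitute dashboard tokens. `$name|s$` wraps the value in double quotes
    (escaping backslashes and embedded quotes), so the search sees one field
    value instead of several loose terms."""
    def sub(match):
        name, filt = match.group(1), match.group(2)
        value = tokens[name]
        if filt == "s":
            return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
        return value
    return re.sub(r"\$(\w+)(?:\|(\w+))?\$", sub, template)


EVENTS = load_events(SAMPLE_CSV)


def compare(selection):
    """Return (bare_term_matches, field_value_matches) for one dropdown selection."""
    return (len(bare_search(EVENTS, selection)),
            len(field_search(EVENTS, "username", selection)))


if __name__ == "__main__":
    for choice in ("Support SuL", "Support SuL 2"):
        bare, exact = compare(choice)
        print(f"{choice!r}: bare token matches {bare} events, username= matches {exact}")
        print("  rendered:", render_query("index=tvlog username=$tUser|s$", tUser=choice))
```

In the model, selecting "Support SuL" as a bare token matches three events (both "Support SuL" sessions and the "Support SuL 2" one), while the field comparison matches only the two "Support SuL" sessions; selecting "Support SuL 2" as a bare token also picks up the "Support SuL" session whose device name contains a standalone "2", which is the "some Support SuL users" effect described in the question. The model does not handle the dropdown's `*` "All" choice, which in Splunk works as a wildcard inside `username="*"`.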