Splunk Search

Why are my searches not returning any events unless I use a wildcard?

rgoody
New Member

Have source from cisco:asa with a field value of user.

The following search(s) will return all values for user:
(This search for example would return 30 events with a user value in 100%)
sourcetype=cisco:asa message_id=722051
(This search for example would return 30 events with a user value in 100%)

sourcetype=cisco:asa message_id=722051 user=*

If I attempt to get more specific on the user value like below, no results are found even though its found in the above search:
sourcetype=cisco:asa message_id=722051 user=testuser1234

If I attempt this search events are also returned:
sourcetype=cisco:asa message_id=722051 user=testuser*
or
sourcetype=cisco:asa message_id=722051 user=test*1234

So as long as my user= contains a wildcard results are found. What could be causing this issue?

Tags (2)
0 Karma

fdi01
Motivator

this search: sourcetype=cisco:asa message_id=722051 user=testuser1234 is very good
and retuned you events which sourcetype=cisco:asa ; message_id=722051 and user=testuser1234
if no results are found even though its found in the above search then,
you don't have a USER where user=testuser1234 simply in your data or events. or you don't write fine user value in your events.
if you want try this search to understand fine : sourcetype=cisco:asa message_id=722051 NOT(user=testuser1234)

sorry for my english.

0 Karma

btt
Path Finder

Hi, have you try with doublequote:
user="testuser1234"

0 Karma

rgoody
New Member

yes it returns the same result as doing it without the quotes.

0 Karma

aholzer
Motivator

Are you sure you don't have any special characters in the "user" field values that might be throwing off the comparison for you?

Try this, on the left side of your search screen there should be a list of "interesting fields". Expand the "user" field and select the value that you are looking for. This should add the filter to your search with the exact user value.

Hope this helps

0 Karma

rgoody
New Member

so when I do the search sourcetype=cisco:asa message_id=722051 and click on the user field it will show 32 events for say user testuser1234 then when I click to add that user to the search it will then only show 19 events.

0 Karma

aholzer
Motivator

That would be because only 19 of your original 32 events have that particular user in them. This sounds like the intended behavior. What are you expecting?

0 Karma

rgoody
New Member

No because if I just look at those same events without filter by user=testuser1234 all events have the user field in them with the user value of testuser1234.

So for example if testuser1234 logs-in the event is created and I can see the event with the user field and a value of testuser1234 but If I filter the search using user=testuser1234 that event is not found unless I filter with a wildcard such as user=test* or any other filter with a wildcard.

0 Karma

aholzer
Motivator

Let me get this straight.

When you run it with the user=test* you get 32 events, if you click the "user" field on the left "interesting fields" you get an entry for user="testuser1234" and a count of 32. But, when you click on said user to add the filter to your search, you then only receive 19 events in your results. Is this correct?

0 Karma

rgoody
New Member

Yes that is correct, no it is not a multi-value field

0 Karma

aholzer
Motivator

Is your user field a mv (multi-value) field, by any chance?

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...