Re: Why is the top command not working when search...

lmedina · ‎12-08-2016

Hello all,

For some reason, the search below isn't working for me... I am trying to search for the Top 25 Business Units that have triggered a DLP incident and sort it by those incidents... Unsure if it's the lack of caffeine, but I was under the impression this would work...

(index=dlp OR index=msad) (sourcetype=intel:dlp OR sourcetype=ActiveDirectory)  IncidentType="*" department="*" 
| Top 25 department
| sort by IncidentType

Greatly appreciate your inputs.

puneethgowda · ‎12-08-2016

use double quote when for sourcetype=intel:dlp ---- sourcetype="intel:dlp"

lmedina · ‎12-08-2016

Thank you puneethgowda - but still no data... I've been trying other constants but no results.

puneethgowda · ‎12-08-2016

index=dlp sourcetype=intel:dlp OR index=msad sourcetype=ActiveDirectory

Try this

puneethgowda · ‎12-08-2016

index="dlp" sourcetype="intel:dlp" OR index="msad" sourcetype="ActiveDirectory"

add double quote

lmedina · ‎12-08-2016

Nope...

This is when the data comes...

(index=dlp OR index=msad) (sourcetype=intel:dlp OR sourcetype=ActiveDirectory)

sundareshr · ‎12-08-2016

Try this

(index=dlp OR index=msad) (sourcetype=intel:dlp OR sourcetype=ActiveDirectory) IncidentType="" department="" | top 25 department by IncidentType | sort by IncidentType

lmedina · ‎12-08-2016

Thank you sundareshr - but still no data... I've been trying other constants but no results.

Why is the top command not working when searching in two indexes?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life