Splunk Search

multisearch

vmicovic2
Explorer

Dear,

For a couple of hours I have been trying to get this:
I have one log with no similar wording in one line... because of that I cannot get what I need in one search.
These two searches get what I need:
index=ise "authentication failed" "Administrator-Login"
index=ise "authentication failed" "UserName"
Now I want to join these two queries into one and get results showing which admin logins and user logins have authentication failed...

thank you

0 Karma

vmicovic2
Explorer

Succeeded with:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| stats count by UserName
| append
[search index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| stats count by AdminName]

0 Karma
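One way to put both admin and user failures into a single counted table without the append subsearch, as an added example that is not code from this thread. It assumes the fields AdminName and UserName are either already extracted or appear in the raw ISE syslog as "AdminName=..." / "UserName=..." key-value pairs (the rex patterns are an assumption about that layout; adjust them to the real event format).

```spl
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| rex "AdminName=(?<AdminName>[^,\s]+)"
| rex "UserName=(?<UserName>[^,\s]+)"
| eval account_type=if(isnotnull(AdminName), "admin", "user")
| eval account=coalesce(AdminName, UserName)
| where isnotnull(account)
| stats count AS failures, min(_time) AS first_seen, max(_time) AS last_seen BY account_type, account
| convert ctime(first_seen) ctime(last_seen)
| sort 0 - failures
```

The eval lines fold the two name fields into one "account" column and tag each row as admin or user, so a single stats call counts both kinds, and the where clause drops events where neither name could be extracted so they do not collapse into an empty row.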

493669
Super Champion

Can you try:

index=ise  ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
0 Karma

vmicovic2
Explorer

Seems that's what I need; now how do I sort it by count?

0 Karma

493669
Super Champion

Try the below:

...|sort 0 - count
0 Karma

vmicovic2
Explorer

Yes, that, and make it like a table, to visualize it instead of showing logs?

0 Karma

wedge22
Explorer

Use

| table

to create a table of any fields you are interested in; the results from the search should provide interesting fields on the left of the search panel. Then use

| sort
0 Karma

vmicovic2
Explorer

Nope, whatever I've done, I cannot get it...
What about multisearch?

0 Karma

vmicovic2
Explorer

Hm, seems this is fine:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| table AdminName UserName
| sort 0 - count

Now, instead of several of the same usernames in the list, I need them to be just counted, not repeated...

0 Karma

493669
Super Champion

If you want to count by UserName and AdminName,
then try:

...|stats count by UserName AdminName
0 Karma

vmicovic2
Explorer

With that, 0 score.
With only "stats count by UserName" I see all except admin accounts...
So now I only need to also show/include the admin count..

0 Karma

vmicovic2
Explorer

Which seems impossible, and because of that I want to try the multisearch option?
But I've never used it...

0 Karma

493669
Super Champion

Which query did you try? What is your sample output till now, and what output are you expecting?

0 Karma

493669
Super Champion

To show in tabular format, use the table command and then specify your field names:

...|table fieldname

OR

...|table *
0 Karma

richgalloway
SplunkTrust

How about this?

index=ise "authentication failed" ("Administrator-Login" OR "UserName")
---
If this reply helps you, Karma would be appreciated.
0 Karma

vmicovic2
Explorer

In that query, I don't see administrator logins... 😕

0 Karma

wedge22
Explorer

Can you try something like this?

index=ise authentication="failed" Administrator="Login"
| table UserName

I suggest adding a sourcetype to the search as well in the future.

0 Karma

vmicovic2
Explorer

This cannot be done, because the logs are like syslog, and I cannot search by those fields.. 😞

0 Karma