Splunk Search

multisearch

vmicovic2
Explorer

Dear,

couple hours i am trying to get:
i have one log with no similar way of words in one line... because of that i cannot get in one search what i need.
This two searches get what i need:
index=ise "authentication failed" "Administrator-Login"
index=ise "authentication failed" "UserName"
Now i want this two query to join in one and get results which admin login and user login have authentication failed...

thank you

0 Karma

vmicovic2
Explorer

succeeded with:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| stats count by UserName
| append
[search index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| stats count by AdminName]

0 Karma

493669
Super Champion

can you try-

index=ise  ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
0 Karma

vmicovic2
Explorer

seems that`s what i need, how now to sort it by count?

0 Karma

493669
Super Champion

try below-

...|sort 0 - count
0 Karma

vmicovic2
Explorer

yes that and make it like table, to visualize instead to show logs?

0 Karma

wedge22
Explorer

Use the

| table 

to create a table of any fields you are interested in, the results from the search should provide interesting fields on the left of the search panel, then use

| sort
0 Karma

vmicovic2
Explorer

nope, whatever i done, cannot get it...
what about multisearch?

0 Karma

vmicovic2
Explorer

hm, seems this is fine:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| table AdminName UserName
| sort 0 - count

now i need instead couple same usernames in list, to be just counted, not repeated ...

0 Karma

493669
Super Champion

if you want to count by UserName and AdminName
then try-

...|stats count by UserName AdminName
0 Karma

vmicovic2
Explorer

with that 0 score.
With only "stats count by UserName" i see all except admin accounts...
so now, i need only more to show/include admin count..

0 Karma

vmicovic2
Explorer

which seems impossible and because of that i want to try multi search option?
but never used...

0 Karma

493669
Super Champion

which query did you tried? what is your sample output till now and what output you are expecting?

0 Karma

493669
Super Champion

to show in tabular format use table command and then specify your field names-

...|table fieldname

OR

...|table *
0 Karma

richgalloway
SplunkTrust
SplunkTrust

How about this?

index=ise "authentication failed" ("Administrator-Login" OR "UserName")
---
If this reply helps you, Karma would be appreciated.
0 Karma

vmicovic2
Explorer

in that query, i don`t see administrator logins... 😕

0 Karma

wedge22
Explorer

Can you try something like this?

index=ise authentication="failed" Administrator="Login"
| table UserName

I suggest adding a sourcetype to the search as well in the future.

0 Karma

vmicovic2
Explorer

this cannot be done, because logs are like syslog, and cannot search by that fields .. 😞

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...