- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: search show results not existing in logs.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search show results not existing in logs.
Hi Splunker;
I have the below search:
index=winevents host=prdaddc02 OR host=PRDADDC01 OR host=DZITHQ-DC3 sourcetype="WinEventLog:Security" signature="An account was successfully logged on" OR signature="Special privileges assigned to new logon" src_nt_host=* NOT [| inputlookup list_kasperSky.csv] NOT [| inputlookup list_not_use_kasperSky.csv] | fields src_nt_host | table src_nt_host | dedup src_nt_host
This search compare between the above lookups table and the windows security logs, if any host not existing in those lookups table but existing in windows logs will appear in the result, this search compare for (src_nt_host) field.
After run the search Splunk show result no existing in windows logs, why appeared this results?
Please help me in that.
BR;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue may have to do with what is in your csv files.
This reformatted version should give you the same (lack of) result as your code, but run it first anyway.
index=winevents sourcetype="WinEventLog:Security" src_nt_host=*
(host=prdaddc02 OR host=PRDADDC01 OR host=DZITHQ-DC3)
(signature="An account was successfully logged on" OR signature="Special privileges assigned to new logon")
| where NOT [| inputlookup list_kasperSky.csv] AND
NOT [| inputlookup list_not_use_kasperSky.csv]
| fields src_nt_host
| table src_nt_host
| dedup src_nt_host
If that works, then stop. the problem will have been the way the bloom filters work. I can explain that if it fixes the problem.
If that does not work, then run these as separate searches...
| inputlookup list_kasperSky.csv | head 10 | format
| inputlookup list_not_use_kasperSky.csv | head 10 | format
Those will give you a look at how the code is interpreting and formatting your NOTs. It will look something like
((fieldname1="value1A" AND fieldname2="value2A" AND...) OR
(fieldname1="value1B" AND fieldname2="value2B" AND...) OR
....)
Check to make sure that what you are doing makes sense.
Let us know what you find, and we will continue to help you debug.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi DalJeanis;
Thank you for reply.
I have used the above search but change
| where NOT [| inputlookup list_kasperSky.csv] AND
NOT [| inputlookup list_not_use_kasperSky.csv] because not work to:
NOT [inputlookup list_kasper.csv]
NOT [inputlookup list_not_use_kasper.csv]
and when execute | inputlookup list_kasperSky.csv | head 10 | format you can see the results:
( ( src_nt_host="ABH-QAHTANIMS" ) OR ( src_nt_host="HQR-AALTHAWAD" ) OR ( src_nt_host="HQR-NAFJANMA" ) OR ( src_nt_host="TBK-CAM1" ) OR ( src_nt_host="HQR-ANAZIAB" ) OR ( src_nt_host="HQR-CE2" ) OR ( src_nt_host="DAM-OWAMA" ) OR ( src_nt_host="HQR-AGENT337" ) OR ( src_nt_host="HQR-GALHAZZAN-T" ) OR ( src_nt_host="HQR-HABAHUSSAIN" ) )
the issue still not resolve..
Please advise me in that
BR
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
