Splunk Search

search to find Bush's stolen watch

ledion
Path Finder

Does anyone know how to craft a search to find George Bush's stolen watch?


skoelpin
SplunkTrust

Yeah, try this

index=... sourcetype=... 
| stats count(watch) by president
| search president="Bush_W"
| rename count(watch) AS passed_to_secret_service_agent
| eval where_is_stolen_watch=if(passed_to_secret_service_agent>0,"The U.S. gov forgot to give it back","The watch was stolen")
| table president where_is_stolen_watch

martin_mueller
SplunkTrust

Nuh-uh. Stats count by field will never yield zeroes.

0 Karma

paulbannister
Communicator

Indeed, you'd have to table all the presidents afterwards and fillnull to get those zeroes; that could get tedious. Are we also assuming that both pocket and wrist have been classified under the watch field?

0 Karma
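The two replies above make a real SPL point: stats count by a field only produces rows for values that occur in the events, so a president with no watch events never shows up as zero. The search below is an added example, not from any poster in the thread, and uses constructed data from makeresults instead of the original index and sourcetype. It builds a small set of watch events (two for Bush_W, one for Obama), aggregates them, then appends a constructed list of presidents (the stand-in for the "table all the presidents" lookup), fills the missing counts with zero and merges the two sets so the zeroes survive into the final table.

```spl
| makeresults count=3
| streamstats count AS n
| eval president=case(n=1,"Bush_W", n=2,"Bush_W", n=3,"Obama"), watch="wrist"
| stats count(watch) AS watch_count by president
| append
    [| makeresults count=4
     | streamstats count AS n
     | eval president=case(n=1,"Bush_HW", n=2,"Bush_W", n=3,"Clinton", n=4,"Obama")
     | fields president]
| fillnull value=0 watch_count
| stats max(watch_count) AS watch_count by president
| eval where_is_stolen_watch=if(watch_count>0,"The U.S. gov forgot to give it back","The watch was stolen")
| table president watch_count where_is_stolen_watch
```

Run as written in any Splunk search bar; it returns four rows, with Bush_HW and Clinton at watch_count 0 and the "stolen" branch of the eval, Bush_W at 2 and Obama at 1. In a real deployment the appended subsearch would be an inputlookup of the president list rather than makeresults, and, as noted later in the thread, the president filter belongs before the stats command so the aggregation only touches the records you actually care about.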

skoelpin
SplunkTrust

Line 3 will narrow down to only search "Bush_W". When I googled this scenario, the first thing I saw was that the secret service grabbed it before it was stolen and never gave it back, so I went with it. The answer will always return this if that president ever owned a watch

**President** | **Where_is_stolen_watch**
Bush_W | "The U.S. gov forgot to give it back"

0 Karma

DalJeanis
SplunkTrust

Since there are so many presidents and watches in the index, you'd want to be in the habit of checking the identity of the president first, rather than wasting all those mips counting up the other couple of hundred records.

Also, since typists may get confused between the various George Bush presidents, and because the name can appear in various forms, you might be better off testing for something like...

| search (first_name="George" AND last_name="Bush") OR president_number = 43

ledion
Path Finder

Don't we need some geostats?

0 Karma

yannK
Splunk Employee

Only if it was a smart watch with GPS positioning.

0 Karma