Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Null Question

raby1996
Path Finder
‎07-07-2016 11:50 AM

Null

Tags (1)
0 Karma
Reply

maciep
Champion
‎07-07-2016 06:18 PM

Like others have mentioned, you have way too much going on in that search for us to just immediately recognize what is wrong. But I think I can recommend some basic troubleshooting. Hopefully you've gone through this exercise already, but if not maybe now is the time.

Your search is complex. Do you have any idea where the error in logic shows ups? Does the base search work? If so, do you see the results you expect after the foreach? If so, does that mvzip do what you expect? And so on. Splunk's SPL isn't all or nothing. Start stepping through each phase of your search to try identify where the mistake is introduced. Start with the base search and pipes one at a time.

And if you have lots of data you're working with, change your base search to include one or two specific sources so that maybe the mistake will be more obvious when you get there.

Nobody here is going to be able to help you identify the issue without sample data. And even then, I think there's a lot of logic built into that search based on what you understand about this data, so we would still struggle to follow along. So just take it step by step on your own and should find the issue.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-07-2016 01:52 PM

"P.S. I should mention that the date I am extracting from from the event is the correct one, its just being listed wrong."

What do you mean "listed wrong"?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-07-2016 12:08 PM

Dude... if you want help with this, you gotta at least share some sample data.

0 Karma
Reply

raby1996
Path Finder
‎07-07-2016 12:25 PM

I apologize I've uploaded a screen shot with sample data

0 Karma
Reply

woodcock
Esteemed Legend
‎07-07-2016 12:07 PM

We really need some raw events to work through this.

0 Karma
Reply

raby1996
Path Finder
‎07-07-2016 12:24 PM

I apologize I've uploaded a screen shot with sample data

0 Karma
Reply

woodcock
Esteemed Legend
‎07-07-2016 12:36 PM

Not a screen shot and that is not raw event data. Post a comment with plain text raw data as text.

0 Karma
Reply

raby1996
Path Finder
‎07-07-2016 12:51 PM

Ok, I misunderstood, I won't be allowed to post the raw data online. I'll try and create something very similar that I can post, or create a new question that is more detailed, thank you again for your help.

0 Karma
Reply

MuS
Legend
‎07-07-2016 01:13 PM

something very similar will probably not work, because everyone will used the provided sample and if you use it on your real data....well, don't expect it to work. Only real events will provide real solutions.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-07-2016 01:17 PM

The problem is that your search is so complicated that there is really now way to unwrap it to find the problem without good source data.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...