Splunk Search

Help to Write the Custom Query

sumit29
Path Finder

Dear Experts,

I am creating the custom search in ES app ,

| tstats allow_old_summaries=true dc(Authentication.src) as "Source",dc(Authentication.user) as "User" from datamodel=Authentication where nodename=Authentication.Successful_Authentication by "Authentication.user","Authentication.src" | rename "Authentication.user" as "User","Authentication.src" as "Source" | Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

Result : Above query is not working as expected.

I have a User=x which can be authenticated from 3 source.

I need to create the alert if user login from other than this 3 source , I should get the alert . Kindly help to enhance the query.

Tags (1)
0 Karma
1 Solution

rphillips_splk
Splunk Employee
Splunk Employee

try backing out of your search and respond with where it is failing. For example take off:
| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

what are the results of the search at that point? If it still fails take off more of the search so we can see what works and what doesn't.

as a first guess I would try replacing

| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

with

| search User="x" Source!="a" OR Source!="b" OR Source!="c"

View solution in original post

0 Karma

rphillips_splk
Splunk Employee
Splunk Employee

try backing out of your search and respond with where it is failing. For example take off:
| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

what are the results of the search at that point? If it still fails take off more of the search so we can see what works and what doesn't.

as a first guess I would try replacing

| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"

with

| search User="x" Source!="a" OR Source!="b" OR Source!="c"

0 Karma

woodcock
Esteemed Legend

Other than that Where should be where, your search looks fine to me (assuming, as @rphillips_splunk said, the stuff before where is OK)

0 Karma

woodcock
Esteemed Legend

The AND -> OR is definitely wrong.

0 Karma

sumit29
Path Finder

Thanks rphillips,

I haven't tried the query as its weekend .will try on Monday

@woodcock - can u extend ur help in writing the query .Thanks

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...