Splunk Search

Null Question

raby1996
Path Finder

Null

0 Karma

maciep
Champion

Like others have mentioned, you have way too much going on in that search for us to just immediately recognize what is wrong. But I think I can recommend some basic troubleshooting. Hopefully you've gone through this exercise already, but if not maybe now is the time.

Your search is complex. Do you have any idea where the error in logic shows up? Does the base search work? If so, do you see the results you expect after the foreach? If so, does that mvzip do what you expect? And so on. Splunk's SPL isn't all or nothing. Start stepping through each phase of your search to try to identify where the mistake is introduced. Start with the base search and add pipes one at a time.

And if you have lots of data you're working with, change your base search to include one or two specific sources so that maybe the mistake will be more obvious when you get there.

Nobody here is going to be able to help you identify the issue without sample data. And even then, I think there's a lot of logic built into that search based on what you understand about this data, so we would still struggle to follow along. So just take it step by step on your own and you should find the issue.

0 Karma

jkat54
SplunkTrust

"P.S. I should mention that the date I am extracting from the event is the correct one, it's just being listed wrong."

What do you mean "listed wrong"?

0 Karma

jkat54
SplunkTrust

Dude... if you want help with this, you gotta at least share some sample data.

0 Karma

raby1996
Path Finder

I apologize; I've uploaded a screenshot with sample data.

0 Karma

woodcock
Esteemed Legend

We really need some raw events to work through this.

0 Karma

raby1996
Path Finder

I apologize; I've uploaded a screenshot with sample data.

0 Karma

woodcock
Esteemed Legend

Not a screenshot, and that is not raw event data. Post a comment with the raw data as plain text.

0 Karma

raby1996
Path Finder

Ok, I misunderstood, I won't be allowed to post the raw data online. I'll try and create something very similar that I can post, or create a new question that is more detailed, thank you again for your help.

0 Karma

MuS
SplunkTrust

Something very similar will probably not work, because everyone will use the provided sample, and if you use it on your real data... well, don't expect it to work. Only real events will provide real solutions.

0 Karma

woodcock
Esteemed Legend

The problem is that your search is so complicated that there is really no way to unwrap it to find the problem without good source data.

0 Karma