Training + Certification Discussions
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

For SPLUNK Training Task 6 in Exercise 9 is failing with No results found and the sourcetype is db_audit, why?

rtrevino
New Member
‎06-03-2017 11:32 AM

I'm taking the SPLUNK Introductory course and in Exercise 9 Task 6 I'm getting an error of No results found for searching the db_audit database. Does anyone know about why this is happening?

Tags (2)
0 Karma
Reply

niketn
Legend
‎04-16-2018 09:38 AM

As per the response from Splunk Education team

"This is data that is downloaded and ingested during the module for lab 4. It is not tied to the DB Connect app. It is a standard Database Audit log output from a Postgres database"

So in case Lab 9 is Task 6 does not work, go back to Lab 4.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

adonio
Ultra Champion
‎06-04-2017 02:21 PM

hello there,
task 6 in exercise 9 is about showperc on the access_combine data
" Use the showperc option of top to remove percent from the display. "
please take another look at lab module 4 and verify you followed all the steps to index the db_audit csv file
hope it helps

0 Karma
Reply

spacechick365
New Member
‎08-06-2017 11:18 AM

task 6 in exercise 9 is using the stats avg command on the db_audit database to find the duration of each of the queries. I am also having the same problem of no results being found. I also tried to search all of the db_audit and still got the error that no results were returned. I re-uploaded the data and am still having he same results. Thank you if anyone can help.

0 Karma
Reply

niketn
Legend
‎08-06-2017 11:38 AM

Can you add the detailed step and query from the Task which is not running? Is it index=_audit or db_audit?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎08-06-2017 08:43 PM

I think db_audit sourcetype is applicable for DB Connect App. However, if you are going through Lab excercises to practice and test some commands, you can apply them to some other sourcetype and change field names accordingly. Can you please add the search which you want to practice?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎06-06-2017 01:11 AM

If you just want to practice top command you can try the following run anywhere search as far as you have the access to query Splunk's _internal index:

index=_internal sourcetype=splunkd log_level="ERROR"
| top 10 component showperc=f showcount=t

For us to help you with specific issue with your query you might have to add the query and sample data here.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...