
For Splunk training, Task 6 in Exercise 9 is failing with "No results found" and the sourcetype is db_audit. Why?

rtrevino
New Member

I'm taking the Splunk Introductory course, and in Exercise 9 Task 6 I'm getting a "No results found" error when searching the db_audit database. Does anyone know why this is happening?

0 Karma

niketn
Legend

As per the response from the Splunk Education team:

"This is data that is downloaded and ingested during the module for lab 4. It is not tied to the DB Connect app. It is a standard Database Audit log output from a Postgres database"

So in case Lab 9 Task 6 does not work, go back to Lab 4.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

adonio
Ultra Champion

Hello there,
Task 6 in Exercise 9 is about showperc on the access_combine data:
"Use the showperc option of top to remove percent from the display."
Please take another look at lab module 4 and verify you followed all the steps to index the db_audit CSV file.
Hope it helps.

0 Karma

spacechick365
New Member

Task 6 in Exercise 9 is using the stats avg command on the db_audit database to find the duration of each of the queries. I am also having the same problem of no results being found. I also tried to search all of the db_audit and still got the error that no results were returned. I re-uploaded the data and am still having the same results. Thank you if anyone can help.

0 Karma

niketn
Legend

Can you add the detailed step and query from the Task which is not running? Is it index=_audit or db_audit?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

I think the db_audit sourcetype is applicable for the DB Connect App. However, if you are going through Lab exercises to practice and test some commands, you can apply them to some other sourcetype and change field names accordingly. Can you please add the search which you want to practice?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

If you just want to practice the top command, you can try the following run-anywhere search, as long as you have access to query Splunk's _internal index:

index=_internal sourcetype=splunkd log_level="ERROR"
| top 10 component showperc=f showcount=t

For us to help you with the specific issue with your query, you might have to add the query and sample data here.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma