- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk Events Do Not Show for recent dates
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I am using the rex command to extra information on the automation and having it count the number of times a host is logged into . Here is my search:
While this function does work, I notice it only works for the dates from November 21st and before. But it doesn't seem to count any dates after that for some reason. See screen shots for my data. They are exactly the same and the December 2nd field should be extracting in Splunk, but it is not.
Help would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Resolved my issue. It was simply because the index was set to "monitoring", but did not take into account "windows." I simply added OR index="windows" to my query and it pulled the data correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Resolved my issue. It was simply because the index was set to "monitoring", but did not take into account "windows." I simply added OR index="windows" to my query and it pulled the data correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings @harshparikhxlrd,
This could be a number of things. First off, if you're using Splunk_TA_Windows (on your search head(s)), you should not need to rex out all of these values - it is done for you automatically.
Anyway, to your question, can you verify for me that they always return results? When you do where Auto = "SDA_E_AuditLog" and ... by log, Splunk will discard all null values (for Auto and log). To check for this, try the search below:
index=monitoring sourcetype="PEGA:WinEventLog:Application" (SourceName="RoboticLogging" OR SourceName="Application") (Type="Information")
| rex field=_raw "Automation=\"(?<Auto>.+?)\""
| where Auto = "SDA_E_AuditLog" OR isnull(Auto)
| rex field=_raw "Message=\"(?<log>.+?)\""
| eval log = if(isnull(log),"Unknown",'log')
| timechart dc(host) by log
Cheers,
Jacob
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @jacobevans,
This is the results I receive when I run the search:
https://imgur.com/n5g5hmo
So, I do get results, it for some reason will not count the one in December 2nd. There are a few other dates that should be showing up too: 11/23, 11/25, 11/26, & 11/29, and 12/02. (The other ones have similar to the 12/02).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jacobevans
When I run the search you put, I get 1 unknown value for November 17th.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
