- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Can you help on 2 similar requests that don't ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help on 2 similar requests that don't have the same results?
Hi
I use two requests that are almost the same.
First request :
eventtype=Flag OR eventtype=Model
| rex "Model=(?<model>.*)"
| stats values(model) as Model by host
| stats dc(host) as host by Model
| sort -model limit=5
This request doesn't return values because the eventtype=flag,which corresponds to index="windows-fr" sourcetype="tools:flags" filename="TOTO*" is not respected
Second request
eventtype=Flag OR eventtype=NATCO
| eval NATCO=if(key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\ConfigurationCountry",data, null)
| stats values(NATCO) as NATCO by host
| stats dc(host) as host by NATCO | sort -NATCO limit=5
I have a value for these request even if I also use the eventtype=Flag
Normally it should be also empty
what is the problem please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this instead for your first search (which has several mistakes):
index=* AND (eventtype=Flag OR eventtype=Model)
| rex "Model=(?<model>.*)"
| eval model=coalesce(model, "WAS_NULL")
| stats dc(host) AS host by Model
| sort 5 -Model
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eventtype=Flag OR eventtype=NATCO
If eventtype=NATCO returns events, it should be normal that you have some results, shouldn't it ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NO
eventtype returns also results but
the stats(values) is used for doing a match between the two eventtype
So if eventtype= Flag is KO i have to have no results in others eventtype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the second query if you use only "eventtype=NATCO" (instead of "eventtype=Flag OR eventtype=NATCO") do you have the same result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes I have the same result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in fact I want to have a result if the condition mentionned in eventtype=Flag
(index="windows-fr" sourcetype="tools:flags" filename="TOTO*)" is OK
If the condition is KO I dont want results
Enterprise Security Content Update (ESCU) | New Releases
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
