Dear Experts,
I am creating a custom search in the ES app:
| tstats allow_old_summaries=true dc(Authentication.src) as "Source",dc(Authentication.user) as "User" from datamodel=Authentication where nodename=Authentication.Successful_Authentication by "Authentication.user","Authentication.src" | rename "Authentication.user" as "User","Authentication.src" as "Source" | Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"
Result: the above query is not working as expected.
I have a User=x which can be authenticated from 3 sources.
I need to create an alert: if the user logs in from a source other than these 3 sources, I should get the alert. Kindly help to enhance the query.
Try backing out of your search and respond with where it is failing. For example, take off:
| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"
What are the results of the search at that point? If it still fails, take off more of the search so we can see what works and what doesn't.
As a first guess I would try replacing
| Where User="x" AND Source!="a" AND Source!="b" AND Source!="c"
with
| search User="x" Source!="a" OR Source!="b" OR Source!="c"
Other than that Where should be where, your search looks fine to me (assuming, as @rphillips_splunk said, the stuff before where is OK).
The AND -> OR is definitely wrong.
Thanks rphillips,
I haven't tried the query as it's the weekend. Will try on Monday.
@woodcock - can you extend your help in writing the query? Thanks
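One way to express the alert, added here as an example and not taken from any post in the thread: push the user and the allow-list of known sources into the tstats where clause with NOT ... IN, so only the unexpected (user, source) pairs come back and dc() per row is no longer needed. The user "x" and sources "a", "b", "c" are the placeholders from the question; Logins, firstTime and lastTime are field names chosen for this example.

```spl
| tstats allow_old_summaries=true count as Logins, min(_time) as firstTime, max(_time) as lastTime
    from datamodel=Authentication
    where nodename=Authentication.Successful_Authentication
          Authentication.user="x"
          NOT Authentication.src IN ("a", "b", "c")
    by Authentication.user, Authentication.src
| rename Authentication.user as User, Authentication.src as Source
| convert ctime(firstTime) ctime(lastTime)
| table User, Source, Logins, firstTime, lastTime
```

Any row returned is a successful login by user x from a source outside the three known ones, so the alert can simply trigger on "number of results > 0".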