Solved: No results using top command in Splunk 6.3

matt4321 · ‎10-18-2015

Are there any issues with Splunk 6.3 and the top command? I am trying to run a query that works fine in 6.2 and below but recently upgraded Search Head to 6.3 no longer gives me any results. All the events show up with the top command removed. Also if I remove the transaction command, top will work for any field, issue starts once transaction is added.

index=mswindows sourcetype="WMI:WinEventLog:Security" host=103* Logon_Type=3 | transaction Logon_ID startswith=EventCode=4624 endswith=EventCode=4634 | eval duration=duration/60 | rangemap field=duration "<1min"=0-1 "1-2min"=1-2 "2-3min"=2-3 "3-4min"=3-4 "4-5min"=4-5 ">5min"=5-1000 | top range

Again this works great in older versions.

woodcock · ‎10-19-2015

I suspect the problem is in the range command, not top, so try this:

index=mswindows sourcetype="WMI:WinEventLog:Security" host=103* Logon_Type=3 | transaction Logon_ID startswith=EventCode=4624 endswith=EventCode=4634 | eval duration=duration/60 | eval range = case(duration<1, "<1min", duration<2, "1-2min", duration<3, "2-3min", duration<4, "3-4min", duration<5, "4-5min", true(), ">5min") | top range

View solution in original post

woodcock · ‎10-19-2015

I suspect the problem is in the range command, not top, so try this:

index=mswindows sourcetype="WMI:WinEventLog:Security" host=103* Logon_Type=3 | transaction Logon_ID startswith=EventCode=4624 endswith=EventCode=4634 | eval duration=duration/60 | eval range = case(duration<1, "<1min", duration<2, "1-2min", duration<3, "2-3min", duration<4, "3-4min", duration<5, "4-5min", true(), ">5min") | top range

No results using top command in Splunk 6.3

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio