Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is Splunk not finding all events based on a fi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbcase
Motivator
12-07-2016
02:11 PM
Hi,
I have a lookup file that looks like this (filename=12-07-16_CPEs.csv)
Cpe_ID
9c97265f6d0f
5898353e54ab
589835fe2726
5898353e6030
589835401594
9c9726adfbfe
9c972687d783
9c9726ec2bd9
9c9726ae14e2
589835feacf6
9c9726efaacb
c4ea1d2e7d4d
c4ea1d87340d
0876ff27acb2
58983540131f
9c972687aef3
9c9726ec1cfe
And a search that looks like this
index=cox SingleDeviceDebugger|rex "CpeId:\s(?<cpeid>\S+)"|search [| inputlookup 12-07-16_CPEs.csv | fields Cpe_ID | rename Cpe_ID as cpeid ]|sort cpeid|reverse|dedup cpeid|table cpeid
When the search runs, it only returns data that looks like the below, even though there are events that match other CPE IDs (see below query and results). What am I doing wrong?
cpeid
9c9726eedf22
9c9726eed8de
9c9726eec0f9
9c9726ee2d66
9c9726ed6a6f
9c9726ed6371
9c9726ed5732
9c9726ed4c6b
9c9726ed2b8f
9c9726ec2bd9
Search to verify that other CPEs do exist.
index=cox SingleDeviceDebugger 5898353e54ab
96 events (12/6/16 4:08:20.000 AM to 12/7/16 4:08:20.000 PM)
####<Dec 6, 2016 5:10:04 PM EST> <Debug> <ucontrol> <ccivirpxa0705.ABCcompany.com> <managedServer06> <client-6> <<anonymous>> <> <> <1481062204898> <BEA-000000> <fn.util.SingleDeviceDebugger - CpeId: 5898353e54ab :: SENT SMAP packet
<iq uri="/event/cameraMotion" type="result" id="1467295471" to="6344@xmpp/5898353e54ab">
<smap xmlns="http://ucontrol.com/smap/v2">
<eventResponse>
<id>1868330717</id>
<cpeGenId>6344.1467295471</cpeGenId>
</eventResponse>
</smap>
</iq>>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbcase
Motivator
12-07-2016
02:41 PM
Found it! Apparently when creating the input lookup file (using Excel in this case) you MUST use MS-DOS Comma Separated format
Other CSV formats listed in Excel give.... well unpredictable results....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbcase
Motivator
12-07-2016
02:41 PM
Found it! Apparently when creating the input lookup file (using Excel in this case) you MUST use MS-DOS Comma Separated format
Other CSV formats listed in Excel give.... well unpredictable results....
Get Updates on the Splunk Community!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
.conf24 | Personalize your .conf experience with Learning Paths!
Personalize your .conf24 Experience
Learning paths allow you to level up your skill sets and dive deeper ...
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
