Re: Why is the top command not working when search...

lmedina · ‎12-08-2016

Hello all,

For some reason, the search below isn't working for me... I am trying to search for the Top 25 Business Units that have triggered a DLP incident and sort it by those incidents... Unsure if it's the lack of caffeine, but I was under the impression this would work...

(index=dlp OR index=msad) (sourcetype=intel:dlp OR sourcetype=ActiveDirectory)  IncidentType="*" department="*" 
| Top 25 department
| sort by IncidentType

Greatly appreciate your inputs.

puneethgowda · ‎12-08-2016

use double quote when for sourcetype=intel:dlp ---- sourcetype="intel:dlp"

lmedina · ‎12-08-2016

Thank you puneethgowda - but still no data... I've been trying other constants but no results.

puneethgowda · ‎12-08-2016

index=dlp sourcetype=intel:dlp OR index=msad sourcetype=ActiveDirectory

Try this

puneethgowda · ‎12-08-2016

index="dlp" sourcetype="intel:dlp" OR index="msad" sourcetype="ActiveDirectory"

add double quote

lmedina · ‎12-08-2016

Nope...

This is when the data comes...

(index=dlp OR index=msad) (sourcetype=intel:dlp OR sourcetype=ActiveDirectory)

sundareshr · ‎12-08-2016

Try this

(index=dlp OR index=msad) (sourcetype=intel:dlp OR sourcetype=ActiveDirectory) IncidentType="" department="" | top 25 department by IncidentType | sort by IncidentType

lmedina · ‎12-08-2016

Thank you sundareshr - but still no data... I've been trying other constants but no results.

Why is the top command not working when searching in two indexes?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases