cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
sbadger
Explorer
Member since: ‎10-05-2012
‎05-06-2022
Community Statistics
Posts 6
Solutions 1
Karma Given 1
Karma Received 1
Member Since ‎10-05-2012
Activity Feed
View All

Re: How to combine search results with multiple fi...

by in Splunk Search
‎07-24-2014 07:16 AM
‎07-24-2014 07:16 AM
This is what I ended up with: (index=main sourcetype="syslog" host="ssh-server" "session opened for user" ) OR (sourcetype="MDT") OR (host="ssh-server" who:) OR (source=webapps/var-log/httpd/log*) | eval login=upper(userLogin) | eval op_code=upper(EMP_ID) | fields login status | dedup login | eval status="OK" | inputlookup employees.csv append=t | search NOT status=R | search NOT status=K | search NOT status=Q | stats count by login | where count<2 Thank you to everyone that helped out! ... View more

Re: How to combine search results with multiple fi...

by in Splunk Search
‎07-23-2014 08:30 AM
‎07-23-2014 08:30 AM
I am wanting to get full_name, login, op_code, back as the return results. Currently I am getting several false hits from all of the sources. I haven't been able to even get 2 of them combined before it begins to return false hits. ... View more

Re: How to combine search results with multiple fi...

by in Splunk Search
‎07-23-2014 08:27 AM
‎07-23-2014 08:27 AM
I like the way this one looks, but it failed to return any results ... View more

Re: How to combine search results with multiple fi...

by in Splunk Search
‎07-23-2014 08:20 AM
‎07-23-2014 08:20 AM
This resulted in 40 more false hits than the original one. Can you highlight the changes you made? ... View more

Re: How to combine search results with multiple fi...

by in Splunk Search
‎07-23-2014 05:59 AM
‎07-23-2014 05:59 AM
I am trying to get a list of employees that have not logged into those systems in the last x number of days to be displayed. I did test them interdependently but every time I combine them my results are wrong. It is like the method I am using to combine them is not working at all. I am hoping someone here can point out where the error may be. ... View more

How to combine search results with multiple fields...

by in Splunk Search
‎07-22-2014 02:11 PM
1 Karma
‎07-22-2014 02:11 PM
1 Karma
I am trying to combine the search results from 3 separate sources logs and then compare the results against it against a employee list and display only the items in the employees.csv that don't show up in the search. The employees.csv contains some users that have a special status so I need to exclude those from the search as well. Here is my search term: |inputlookup employees.csv | search NOT status="*" | search NOT [ search [ search index=main sourcetype="syslog" host="ssh-server" "session opened for user" | dedup userLogin | eval login = upper(userLogin)| fields login] | append [search sourcetype="MDT" | dedup EMP_ID | eval op_code = upper(EMP_ID)| fields op_code] | append [search host="ssh-server" who: | dedup userLogin | eval login = upper(userLogin)| fields login] | append [search source=webapps/var-log/httpd/log* | dedup userLogin | eval login = upper(userLogin)| fields login ] ] employees.csv ---------- has the following fileds: full_name, login, op_code, status search NOT status="*" -------- is used to exclude those employees with a special status from the CSV search NOT [ search [ search index=main sourcetype="syslog" host="ssh-server" "session opened for user" | dedup userLogin | eval login = upper(userLogin)| fields login ------ pull the ssh logins from the server dedup the userLogin field, convert it to uppercase and call it login to match the CSV field. search sourcetype="MDT" | dedup EMP_ID | eval op_code = upper(EMP_ID)| fields op_code] -------- pull the logins from MDT field is called EMP_ID and then converted to uppercase and converted to op_code for the CSV. search host="ssh-server" who: | dedup userLogin | eval login = upper(userLogin)| fields login --------- a script dumps the users currently logged in to the syslog with the tag of "who:" in them. This is done to catch users who have been logged in for a long time frame. search source=webapps/var-log/httpd/log* | dedup userLogin | eval login = upper(userLogin)| fields login -------- Pull user logins from the web server convert the userLogin to uppercase and call it login to match the CSV file. I hope this breakdown helps explain my search. The goal of this is to find employees that have not logged into the system in a set time frame. I get good results running each search independently but when I combine them I get bad results so I am missing something. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-06-2022 09:56 PM
Karma from
View All
Karma given to
View All