Search returning too much

a212830 · ‎04-26-2012

Hi,

I want to query on eventtype, and my query is returning items that I don't want. My search is:

source="/var/opt/trapx/log/traps-all.log" tag::eventtype="SNMP" | fields eventtype, host |chart count by eventtype, host

The search is returning eventypes that aren't tagged with SNMP. I also tried running it with a match on eventtype directly (eventtype="*_Trap"), and it did the same thing. Any suggestions?

roumys · ‎04-26-2012

Verify what you search you had when you created your eventtype=SNMP
Should look similar to this:
source="/var/opt/trapx/log/traps-all.log" SNMP

(you don't even need to add SNMP as based on your log name it seems like everything inside should just be snmptrap logs)

save event as SNMP

and then use the query
source="/var/opt/trapx/log/traps-all.log" eventtype=SNMP | chart count by eventtype, host

(you don't need to add fields as when you chart it you are choosing the fields already.)

roumys · ‎04-26-2012

source="/var/opt/trapx/log/traps-all.log"| eval a=mvfilter(eventtype == SNMP) | search a=* | chart count by a, host

a212830 · ‎04-26-2012

OK. Did that, and it returns other eventtypes as well, which I didn't create (possibly system eventtypes?). It also returns "nix-all-logs" eventtypes.

Search returning too much

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team