Hi all,
I wrote this query, which shows me when certain SSIDs are matched:
sourcetype=rogap SSID="*skynet*" OR SSID="*skymobile*" OR SSID="*skyguest*" | table src AP_name MAC SSID channelNumber location
All the fields in the query are correctly parsed in verbose mode. The query shows the correct results in both fast and verbose mode, but when I put it in a correlation search in Enterprise Security I get no results.
I modified the search to find the error. If I run this search:
sourcetype=rogap skynet | fields src AP_name MAC SSID channelNumber location | fillnull value=null | table src AP_name MAC SSID channelNumber location
I get results, but all the fields are "null":
src AP_name MAC SSID channelNumber location
null null null null null null
So I think the problem is that in the correlation search Splunk can't check the SSID value, and so it doesn't return any results.
How can I solve this problem?
I already tried to use `|fields ....|` with no results.
Thanks