Archive
Highlighted

Trying to search a Workday index for direct deposit change requests from unknown addressess

Engager

We use Workday as our payroll system and have a Workday add-on with logs in an index called dmcworkdayindex. I want to see the attempts over 5 to change direct deposit information within Workday that are coming from unknown source IP's. We thought something like below which works except for the last part referring to the != expression. I want something more efficient anyway. Hoping someone has a few good suggestions.

index=dmcworkdayindex taskDisplayName="Manage Payment Elections" | stats count by ipAddress | where (count > 5) ipAdress != "64.147.0.0/16"

0 Karma
Highlighted

Re: Trying to search a Workday index for direct deposit change requests from unknown addressess

SplunkTrust
SplunkTrust

you should try this

index=dmc_workday_index taskDisplayName="Manage Payment Elections"  ipAddress!="64.147.0.0/16"| stats count by ipAddress | where count > 5

Is there a field called ipAdress? and it has values in CIDR format? if not then you need to try this:

index=dmc_workday_index taskDisplayName="Manage Payment Elections"  ipAddress!="64.147.*"| stats count by ipAddress | where count > 5

let me know if this helps!

View solution in original post

0 Karma
Highlighted

Re: Trying to search a Workday index for direct deposit change requests from unknown addressess

Engager

That worked. Thank you so much for the quick reply.

0 Karma