Trying to search a Workday index for direct deposit change requests from unknown addresses

Engager

We use Workday as our payroll system and have a Workday add-on with logs in an index called dmcworkdayindex. I want to see the attempts over 5 to change direct deposit information within Workday that are coming from unknown source IPs. We thought of something like the search below, which works except for the last part referring to the != expression. I want something more efficient anyway. Hoping someone has a few good suggestions.

index=dmcworkdayindex taskDisplayName="Manage Payment Elections" | stats count by ipAddress | where (count > 5) ipAdress != "64.147.0.0/16"

0 Karma

Re: Trying to search a Workday index for direct deposit change requests from unknown addresses

SplunkTrust

You should try this:

index=dmc_workday_index taskDisplayName="Manage Payment Elections"  ipAddress!="64.147.0.0/16"| stats count by ipAddress | where count > 5

Is there a field called ipAdress, and does it have values in CIDR format? If not, then you need to try this:

index=dmc_workday_index taskDisplayName="Manage Payment Elections"  ipAddress!="64.147.*"| stats count by ipAddress | where count > 5

Let me know if this helps!

0 Karma
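
The same detection logic as the searches above (filter on the task name, drop known source ranges, count per IP, keep counts over 5), written as an added Python example that is not part of the thread, for checking the logic against exported events outside Splunk. It generalizes to a list of known ranges; the second range and all sample events are constructed, and the range shows a case a wildcard such as "64.147.*" cannot express.

```python
import ipaddress
from collections import Counter

# 64.147.0.0/16 comes from the thread; the /26 is a constructed,
# non-octet-aligned range added to show CIDR-aware matching.
KNOWN_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("64.147.0.0/16", "198.51.100.64/26")]
TASK = "Manage Payment Elections"
THRESHOLD = 5  # report sources with more than this many attempts


def is_known(ip_text):
    """True if the address falls inside any known network (CIDR-aware)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed or missing address: treat as unknown
    return any(ip in net for net in KNOWN_NETWORKS)


def suspicious_sources(events, threshold=THRESHOLD):
    """Count matching events per unknown source IP; keep counts > threshold."""
    counts = Counter(
        e.get("ipAddress", "")
        for e in events
        if e.get("taskDisplayName") == TASK
        and not is_known(e.get("ipAddress", ""))
    )
    return {ip: n for ip, n in counts.items() if n > threshold}


# Constructed sample events (not real Workday data).
SAMPLE_EVENTS = (
    [{"taskDisplayName": TASK, "ipAddress": "203.0.113.7"}] * 6       # unknown
    + [{"taskDisplayName": TASK, "ipAddress": "64.147.12.9"}] * 9     # in the /16
    + [{"taskDisplayName": TASK, "ipAddress": "198.51.100.70"}] * 7   # in the /26
    + [{"taskDisplayName": TASK, "ipAddress": "198.51.100.200"}] * 8  # outside /26
    + [{"taskDisplayName": TASK, "ipAddress": "192.0.2.44"}] * 5      # not over 5
    + [{"taskDisplayName": "View Payslip", "ipAddress": "203.0.113.7"}] * 20
)

if __name__ == "__main__":
    for ip, n in sorted(suspicious_sources(SAMPLE_EVENTS).items()):
        print(f"{ip}\t{n}")
```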

Re: Trying to search a Workday index for direct deposit change requests from unknown addresses

Engager

That worked. Thank you so much for the quick reply.

0 Karma