Splunk Cloud Platform

SPL help - enterprise security

iherb_0718
Path Finder

Trying to modify this default correlation search:

| from inputlookup:access_tracker | stats min(firstTime) as firstTime,max(lastTime) as lastTime by user | where ((now()-'lastTime')/86400)>90

I want to exclude from this search if the field "user" includes a value that begins with "bob"

Thanks in advance


0 Karma
1 Solution

scelikok
SplunkTrust

Hi @iherb_0718,

I didn't notice the pipe; normally there is no need for the from command either, but the below should work based on your correlation search:

| from inputlookup:access_tracker | where NOT user LIKE "bob%"
| stats min(firstTime) as firstTime,max(lastTime) as lastTime by user
| where ((now()-'lastTime')/86400)>90

or

| inputlookup access_tracker where user!="bob*"
| stats min(firstTime) as firstTime,max(lastTime) as lastTime by user 
| where ((now()-'lastTime')/86400)>90

Both should be ok.

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.


0 Karma
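The accepted pattern, written out as a complete correlation search. This is an added example, not code from the original post or from the Enterprise Security app; it assumes only what the thread shows: a lookup named access_tracker with the fields user, firstTime and lastTime. The first search is the accepted like() form, with lower(user) added so that mixed-case entries such as "BOB" are excluded as well. The second is the accepted answer's inputlookup form, which filters at lookup-read time and treats "bob*" as a wildcard. The third uses the search command, which also treats "*" as a wildcard; the eval-style where command does not, which is why `| where user!="bob*"` only excluded an exact match of the string bob*.

```spl
| from inputlookup:access_tracker
| where NOT like(lower(user), "bob%")
| stats min(firstTime) as firstTime, max(lastTime) as lastTime by user
| where ((now()-'lastTime')/86400)>90

| inputlookup access_tracker where user!="bob*"
| stats min(firstTime) as firstTime, max(lastTime) as lastTime by user
| where ((now()-'lastTime')/86400)>90

| from inputlookup:access_tracker
| search NOT user="bob*"
| stats min(firstTime) as firstTime, max(lastTime) as lastTime by user
| where ((now()-'lastTime')/86400)>90
```

A prefix exclusion suppresses every account whose name starts with bob, not just one user, so before saving the change run the filter on its own and end it with `| stats count by user` to confirm that only the intended accounts drop out of the inactive-account alert.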


scelikok
SplunkTrust

Hi @iherb_0718,

You can use the below:

| from inputlookup:access_tracker where user!="bob*"
| stats min(firstTime) as firstTime,max(lastTime) as lastTime by user 
| where ((now()-'lastTime')/86400)>90


If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

iherb_0718
Path Finder

Scelikok,

That's exactly what I tried, but it doesn't work. By the way, there's a PIPE before the WHERE, so I'm sure you meant it like this:


| from inputlookup:access_tracker | where user!="bob*"
| stats min(firstTime) as firstTime,max(lastTime) as lastTime by user
| where ((now()-'lastTime')/86400)>90

The problem is it doesn't like the asterisk after bob. If I type in an exact user, I can see it gets excluded. If I include the asterisk, I see all the "BOBs".

0 Karma

iherb_0718
Path Finder

anyone please?

0 Karma

iherb_0718
Path Finder

Scelikok, thanks for the quick response. I want to EXCLUDE bob. Therefore, what boolean would that be? It won't be "LIKE".

0 Karma

scelikok
SplunkTrust

Hi @iherb_0718,

Please try this:

| from inputlookup:access_tracker where user LIKE "bob%"
| stats min(firstTime) as firstTime,max(lastTime) as lastTime by user 
| where ((now()-'lastTime')/86400)>90


If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma