Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using lookup table within tstats

losttranslation
New Member
‎03-10-2024 09:45 PM

Hi All,

I am attempting to use lookup table "is_windows_system_file"  for the following SPL where the Processes.process_name needs to match the filename from the lookup table. Once these results are obtained I then want to attempt to see processes that are not running from C:\Windows\System32 or C:\Windows\SysWOW64 

 

| tstats `summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name=* by Processes.aid Processes.dest Processes.process_name Processes.process _time

 



Labels (4)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-11-2024 07:43 AM

As I understand it, you want the tstats command to look only for process names in the lookup file.  You can do that with a subsearch

| tstats `summariesonly` count from datamodel=Endpoint.Processes where [|inputlookup is_windows_system_file" 
  | fields filename 
  | rename filename as "Processes.process_name" 
  | format] by Processes.aid Processes.dest Processes.process_name Processes.process _time

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...