- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What are the functions of commas and periods in th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was just wondering if the commas in this search are just to aid readability of the code, or if they are important to the functioning of the search.
All_Changes.src,All_Changes.Account_Management.src_nt_domain,All_Changes.user
Also, what is the function of the period in between "All_Changes" and "Account_Management.src_nt_domain".
Thank you for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The commas are for readability (you can substitute w/space) and the periods could be to represent data hierarchy. So, All_Changes.src could mean the src node under All_Changes. This is applicable when your orginal data is represented either in JSON or XML format
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The commas are for readability (you can substitute w/space) and the periods could be to represent data hierarchy. So, All_Changes.src could mean the src node under All_Changes. This is applicable when your orginal data is represented either in JSON or XML format
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great thank you for your answer!
So All_Changes.src,All_Changes.Account_Management.src_nt_domain,All_Changes.user
is the same as: All_Changes.src All_Changes.Account_Management.src_nt_domain All_Changes.user
So does that mean that there is an implied "AND" where the commas are? I recall learning that there is an implied AND between terms with spaces. Or is that only true regarding functions or commands?
Also, I found a definition on the Splunk website that stated that the definition for: All_Changes.src was: The resource where the change was originated. I'm not really sure what change that is talking about. My original search query was:
| tstats `summariesonly` count from datamodel=Change_Analysis where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.src,All_Changes.Account_Management.src_nt_domain,All_Changes.user | sort 100 - count | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Account_Management")`
I think that the line I originally posted summarizes the statistics I'm getting with the tstats function but I'm not sure how it's summarizing the data as I don't have access to Splunk right now.
Thank you for all your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One last thing,
What does the -- All_Changes.result="lockout" -- do?
Thank you so much for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All_Changes.result="lockout" filters all events in the datamodel where the value for result attribute in the datamodel called 'All_Changes" is "lockout"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok great thank you very much.
Splunk Observability Cloud | Customer Survey!
.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas
Starting With Observability: OpenTelemetry Best Practices
