All Posts
| stats list(RelativeTargetName) as RelativeTargetName by src_ip, src_user,host_fqdn | where mvcount(RelativeTargetName) = 4
Hi, thanks for the answer, but I don't want to expand the multi-value field. So this is not what I am looking for.
What is with the asterisks? Remove them and try again.
Your field names possibly have dots in them? Try this way | eval Name_B=json_array_to_mv(json_keys(json_extract_exact(field,Name_A)))
Hi, have you tried mvexpand list(RelativeTargetName)?
With that option, the exclude input was ignored. But if I change it to this one, it can apply the exclude input to only one value:

| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process IN (*$exclude_command$*)

If the search terms are entered as quoted strings delimited by commas, e.g. "commandA","commandB", it gives no result:
Yes, it seems fine now ^^ I used the lookup definition in the lookup command. Thank you!
Below is a sample of the field "NotExportedParameters". The hidden parts are not fixed strings; they can be different every time. What I want to get is as below:

hidden part   reason
part1         ValueOutOfRange
part2         ValueOutOfRange
...
part 6        SchemaValidation
Hi Team, I have a search that queries for 4 IN conditions and then lists them. The search works fine, but I need help with one request. I only want to display the events that fulfill all 4 conditions within the IN statement.

Search:

index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$ | stats count by src_user,src_ip,RelativeTargetName,host_fqdn | stats list(RelativeTargetName) by src_ip, src_user,host_fqdn

Table:

So I only want to see the events that match all 4 RelativeTargetNames, not the ones that match only one. Any help would be appreciated.
OK, the method works with some data as shown by this runanywhere example based on your sample data:

| makeresults format=json data="[{ \"key1\": { \"field1\": \"x\" }, \"key2\": { \"field2\": \"xx\" }, \"key3\": { \"field3\": \"xxx\" } }]" | rename _raw as field | table field | eval Name_A=json_array_to_mv(json_keys(field)) | mvexpand Name_A | eval Name_B=json_array_to_mv(json_keys(json_extract(field,Name_A)))

This would seem to suggest that it is something to do with your actual data, which you have hidden. Please provide some anonymised representative samples so we can progress the solution.
| search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process IN ($exclude_command$)

Note that your user will have to enter the terms as quoted strings delimited by commas, e.g. "commandA","commandB"
Thanks, I can get the Name_A, but Name_B is null...
Without the WILDCARD match type the lookup won't work, of course. My test lookup contains just one column in which I have just one row, so it's a kinda trivial example, but it works:

EDIT: I'm not sure if it will work if you call the lookup by the file name. It should work when you call it by the lookup definition name.
Adding to @gcusello 's answer. A quote is not in itself a special character within a regex, so within the regex itself it doesn't have to be escaped. On regex101 you could just do

"error":\{"errorCode":"(?<errorCode>[^"]+)"

(In this case you could also get away with not escaping the opening brace, but it doesn't hurt and prevents accidental not-escaping when needed.) But as you're putting the regex in a string as part of the command, you need to escape your quotes as part of the string so the strings are not interpreted as the end of string. That's why you end up with (notice the double backslash before the opening brace: you also need to escape the backslash if you want it to be literally included in the string)

"\"error\":\\{\"errorCode\":\"(?<errorCode>[^\"]+)\""
@PickleRick I have nothing created in the new field "match". I suspect this is because of the wildcard in the lookup field somehow. I tried to add a lookup definition on the domain.csv to have WILDCARD(domain), no luck either.
Don't mention it.
Dear Community, I integrated FireEye NX with Splunk, but the logs are not parsing as expected. I was searching for relevant add-ons and applications for FireEye. I found the add-on and app below:

- https://splunkbase.splunk.com/app/1904 (FireEye add-on)
- https://splunkbase.splunk.com/app/1845 (FireEye App)

While I was going through the documentation for this add-on and app, I found they only support the Splunk Enterprise platform, not Cloud. Is there any other application or add-on with the same functionality on Splunk Cloud?
Sorry for the lack of information @ITWhisperer. Here's the full information for the dashboard:

<panel>
  <title>Logging Command History by User</title>
  <input type="text" token="drilldown_command" searchWhenChanged="true">
    <label>Find Command</label>
    <default>*</default>
  </input>
  <input type="text" token="exclude_command" searchWhenChanged="true">
    <label>Exclude Command</label>
    <default>NULL</default>
  </input>
  <table>
    <search>
      <query>index=unix_os sourcetype="bash_history" | dedup timestamp | fields _time process, dest, user_name | search user_name=$user_name$ dest=$host_name$ process="$user_command$" NOT process="$exclude_command$" | table _time user_name process dest | rename dest as hostname, process as user_command | sort -_time</query>
      <earliest>$time_global.earliest$</earliest>
      <latest>$time_global.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">10</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">none</option>
    <option name="percentagesRow">false</option>
    <option name="refresh.display">progressbar</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">false</option>
  </table>
</panel>
Compatibility

This is the compatibility for the latest version:
Splunk Enterprise, Splunk Cloud Platform
Version: 9.2, 9.1, 9.0, 8.2
CIM Version: 5.x

Since this is a Splunk-supported app, if this information is wrong, raise a case with support.