All Posts

Try index=foo | iplocation foo_src_ip | search NOT Country IN ("France", "United States")
So the data is duplicated in the raw event?
What is the most elegant way of searching for events where a field is not in a list of values? For example: index=foo | iplocation foo_src_ip | search Country IN ("France", "United States") works great. But what if I want all events where the IP was not from those countries (the inverse answer), like "Canada", "Mexico"? Thanks for any assistance. Bob
@ITWhisperer in the Events view only 1 event is returned, but when you look in Statistics the same 2 values appear under destination in the table.
How can we integrate Atlassian tools like Jira with Splunk? What are the technical details that we need to have in order to connect Jira with Splunk?
Yuanliu, thank you very much for taking your time to write and help. Below is my response:
1. Let's forget about outputlookup.
2. The original main (outer) search of the network index is fast by itself, given the code that includes bucket, eval and output in stats. So the delay is not here.
3. Dashboard input is account_Name and source_network_address (but I can use tokens to pass network_address).
4. Since we are no longer doing a lookup table, it's a moot point to answer the subsequent bullet items. I'm sorry.
Someone pointed out that it's possible to reduce network output by passing a parameter to the outer main search using "format". While that code drastically reduces the returned set of data from the network query, I now need to rethink how to move forward from the produced output. I think it's a step in the right direction. Let me show what was proposed.
Let me explain the data structure a bit: snat and client are in the form IP:PORT. So we need to match IP:PORT from the network and ad indexes, as well as the timestamp that those events match on. Output is just client_ip. I don't need to make any evaluations of count; I just want to know how many client_IP we have of each.
The new proposed code is below. If you look at Splunk logging it's interesting to see how format appends to the network search in the form of (snat=ip1 OR snat=ip2 OR ....)
index=_network sourcetype=f5 irule=* [| search index=_ad (EventCode=4625 OR (EventCode=4771 Failure_Code=0x18)) Account_Name=USER Source_Network_Address IN (IP1,IP2..) | eval Source_Network_Address1 = case(EventCode==4771, trim(Client_Address, "::ffff:")) | eval SourceIP = Source_Network_Address | eval snat = SourceIP+":"+Source_Port | fields snat | format ] ```passes formatted string to main search for _network to find only those snats``` | table client snat _time ```| join type=inner snat _time [ search index=_ad (EventCode=4625 OR (EventCode=4771 Failure_Code=0x18)) Account_Name=USER Source_Network_Address IN (IP1,IP2..)
| eval Source_Network_Address1 = case(EventCode==4771, trim(Client_Address, "::ffff:")) | eval SourceIP = Source_Network_Address | eval client = SourceIP+":"+Source_Port | table snat_time] | rex field=client "^(?<client_ip>.*?)\:(?<client_port>.*)" | stats values(client_ip)```
Use the strftime() function
Not sure where the missing + is coming from, but this shows you had two = in your search.
Hi, I am very new to this environment and I was having trouble logging in, as I have forgotten the password and admin details. Is there any way I can reset it? Thanks
Not sure where MQ events come into it. When you tried with sort and head 1, what did you get?
I see, there was a missing "+". But I got the same empty results.
As I said, you have two = in your regex; your event only has one.
Try adding supports_rawargs = true. Other than that, do you have any documentation for the mitrepurplelab custom command that would indicate what values should be there?
I tried this as well earlier; maybe the issue is with MQ events.
What is the difference between my above query and the query you provided? I did the same thing, right?
I've found a workaround in the meantime. Since I know what I'm getting, I clean up the arguments before loading them into my Python script.
Sending email as an action for an alert, and including the result as a table. The _time field is one of the columns for this table and is showing this type of format: "DDD MMM 24hh:mm:ss YYYY". Opening the alert in Search shows a different format: "YYYY-MM-DD 24hh:mm:ss.sss". Is there a way to format the _time field in the email's inline table?
When I do that I have this again:
2024-02-09 14:39:40,578 - DEBUG - Arguments reçus: ['/opt/splunk/etc/apps/Ta-Purplelab/bin/mitrepurplelab.py']
2024-02-09 14:39:40,578 - ERROR - Usage incorrect: python script.py <technique_id>
[mitrepurplelab]
chunked = true
python.version = python3
filename = mitrepurplelab.py
You may need to go back to basics to get your time buckets. Start with something like this:
index="cloudflare" | bin _time span=10m | stats count by _time ClientRequestHost ClientRequestPath | eventstats sum(count) as total by _time ClientRequestHost | eval percent = round(count / total,2) | rename count as "Events", ClientRequestPath as "Path", percent as "%"
Try removing the extra stuff you put in and set chunked to true again.