What exactly did you try with the eval command? How did the results not meet expectations? To properly assist with a regex-related question, we need to see some example (sanitized) data. Have you confirmed the regular expression works on regex101.com? The "\\w+" constructs look like they should be something else (probably "\w+").
With a little massaging of fields, we can get you the desired output.
| inputlookup external_url.csv
| lookup external_results.csv allowed_url as url OUTPUTNEW url as isFound
| eval fw_url=isFound, isFound=if(isnull(isFound),"false", "true")
| table allowed_url fw_url isFound
index=gbts-vconnection * onEvent DISCONNECTED (host=Host1)
| rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds
This lists all Devices that have disconnected. I'm trying to create a chart that lists only Macs or Windows machines based on a keyword like "mac" or "laptop" in the Device name. I tried using the eval command but can't seem to get it working.
Use eventstats to compute the p95 value without losing the other fields.
index=xyz status=complete
| eventstats p95(dur) as p95Dur
| where dur < p95Dur
The where command does not support the IN operator (which must be in upper case, BTW). You can use the in function with where or the IN operator with search. However, since the IN operator is converted to a series of ORs under the covers and the subsearch will return a series of ORs, I recommend not using IN.
app=app1
| rex field=environment_url "https:\/\/(?<app_name>.*)\.foo\.com"
| search [ search app=app2 | table app_name | format ]
I have two lookups. One consists of the allowed URLs. The other consists of the URLs from a firewall. For example, in the first:
google.com
dummy.com
In the second:
site1.google.com
site2.google.com
The first lookup is ingested from a file sent by the FW team. I create the second lookup with this search:
index=my_firewall sourcetype=my_sourcetype (rule=rule_1 OR rule=rule_2 OR rule=rule_3) [ | inputlookup external_url.csv ]
| fields url
| dedup url
| table url
| outputlookup external_results.csv
This gives me the sites that have been reached over the time period. Next I use this search:
| inputlookup external_url.csv
| lookup external_results.csv url OUTPUTNEW url as isFound
I think this is giving me what I want, but I can't view the output the way I want. I would like to see:
allowed_url fw_url isFound
Using the sample data:
google.com site_1.google.com true
google.com site_2.google.com true
dummy.com false
TIA, Joe
This is years later but I'm hoping someone will be able to answer and see this. What is the 1=1, "error" referring to? I understand that if 1=1, then that adds one to "error", but that's the extent of my understanding.
I need to identify the count of events that have a duration that is less than the p95 value. Sample search:
index=xyz status=complete | stats p95(dur) as p95Dur
What can I add to the end of the search to identify the number of events less than the p95Dur value?
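A complete form of the search this question asks for, added here as an example and not taken from any of the posts on this page. It assumes the same index=xyz, status=complete filter and dur field named in the question, and uses eventstats rather than stats so that each event keeps its own dur value for the comparison against p95Dur; the field names belowP95, belowP95Count, total and pctBelow are constructed for this example.

```spl
index=xyz status=complete
| eventstats p95(dur) as p95Dur
| eval belowP95=if(dur < p95Dur, 1, 0)
| stats count as total sum(belowP95) as belowP95Count values(p95Dur) as p95Dur
| eval pctBelow=round(100 * belowP95Count / total, 1)
```

The eval flag avoids a where clause, so the final stats row reports both the total event count and how many fell below the 95th percentile, plus the p95 value itself for reference; replacing the eval and stats lines with `| where dur < p95Dur | stats count` gives only the count.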
Hi @jacu86, there's only one attention point: the field used for the filtering must be the same in main and sub search:
app=app1
| rex field=environment_url "https:\/\/(?<app_name>.*)\.foo\.com"
| search [ search app=app2 | fields app_name ]
If not, you have to rename it. One additional hint: always use the index= filter to have faster searches. Ciao. Giuseppe
I have data in two different applications. I need to get fields from one query to use as filters for another, like this:
```
app=app1 | rex field=environment_url "https:\/\/(?<app_name>.*)\.foo\.com" | where app_name in [ search app=app2 | table app_name ]
```
app2 has a field named app_name which I'm turning into a table. app1 doesn't have this field, but I'm creating and extracting it with a regex. I only want the app names from app1 if they exist in the table I'm creating from app2. This query isn't working for me, what can I do? Thank you for any help.
When I look at the average and max size of the events, I see that the max event size is sometimes exactly 300,000 bytes, which is suspicious. Please let me know: did the event fields change? Are we receiving 10 events in one chunk of 300,000 bytes?
Hi @bora.min,
This issue deals with sensitive information. I'm going to send you a Private Message right now with some next steps. Please check your Inbox.
This probably should be a new question. The solution is to add a monitor stanza to an inputs.conf file in the UF.
[monitor://C:\Program Files\Thycotic Software\log\xyz.log]
index = foo
sourcetype = bar
Hi @richgalloway, how can we get logs stored on our Secret Server Distributed Engine servers? They already have the universal forwarder installed on them. We would like these logs to be available in Splunk as well. The logs are stored in the following location: C:\Program Files\Thycotic Software\log, and the file is xyz.log. Thanks.