Again, without seeing sample data it's very difficult to determine why the search is not matching the data. Try using quotes in the eval command, `|eval DeviceType=case(Device="IPAD", "Macs", Device="Laptop", "Windows")`, or use the match function to match an embedded string: `|eval DeviceType=case(match(Device, "IPAD"), "Macs", match(Device, "Laptop"), "Windows")`
Thanks! I did that, but how do I make it use the new field as an identity? I.e. right now I have the "identity" field, which is the samaccountname, and I also see it merged the email address into it when looking at the identity center. However, if I add another field (i.e. domain_identity) it won't use it for identity lookups as far as I can tell. What I did for now (which might be completely the wrong way to do it) is create another identity lookup with the exact same query as the first one (which gets all fields from Active Directory), but for "identity" I'm adding `domain\username`. That seems to do the trick since it merges identities based on email address (which matches). I'm sure I'm missing something very basic here though.
Hi, I understand your approach. However, ES ECU correlations are proposed by the Splunk team itself and these, in turn, are verified. So for these to work, the detailed configurations or active rules needed so that the logs are created correctly in the OS are the ones that I do not know, and I ask your advice.
Yes, it absolutely has data. I already have a full dashboard with disconnect data based on (IONS) User IDs and Device names. I am just stuck on this request to be able to filter the data by device type using keywords. I don't think the eval command accepts wildcards like *mac*, which I need. Some Device names are for example "John-mac", others are "laptop-Mary", etc. I can get data using the following: `| stats count by "User ID" | sort -count` but when I try using the eval below it gives me nothing. I can confirm that there is a Device named IPAD. Perhaps I should use another command, but I'm fairly new at this. Thank you! `|eval DeviceType=case(Device=IPAD, "Macs", Device=Laptop, "Windows") |stats count by Device, DeviceType`
I find doing eventstats on raw data to be tremendously slow. I'd probably compute the percentile in a subsearch and pass it through. Then you only do the percentile computation once. `index=xyz status=complete [ search index=xyz status=complete | stats p95(dur) as p95Dur | eval search = "dur>"+p95Dur | table search]`
Probably the easiest way is just to add new fields to the end of your lookup file lines. That way it's easier to use those than, e.g., mvfields.
What exactly did you try with the eval command?  How did the results not meet expectations? To properly assist with a regex-related question, we need to see some example (sanitized) data.  Have you confirmed the regular expression works on regex101.com?  The "\\w+" constructs look like they should be something else (probably "\w+").
With a little massaging of fields, we can get you the desired output. `| inputlookup external_url.csv | lookup external_results.csv allowed_url as url OUTPUTNEW url as isFound | eval fw_url=isFound, isFound=if(isnull(isFound),"false", "true") | table allowed_url fw_url isFound`
`index=gbts-vconnection * onEvent DISCONNECTED (host=Host1) | rex field=_raw "(?ms)^(?:[^:\\n]*:){5}(?P<IONS>[^;]+)(?:[^:\\n]*:){8}(?P<Device>[^;]+)(?:[^;\\n]*;){4}\\w+:(?P<VDI>\\w+)" offset_field=_extracted_fields_bounds` This lists all Devices that have disconnected. I'm trying to create a chart that lists only Macs or Windows based on a keyword like "mac" or "laptop" in the Device name. I tried using the eval command but can't seem to get it working.
Use eventstats to compute the p95 value without losing the other fields. `index=xyz status=complete | eventstats p95(dur) as p95Dur | where dur < p95Dur`
The where command does not support the IN operator (which must be in upper case, BTW). You can use the in function with where or the IN operator with search. However, since the IN operator is converted to a series of ORs under the covers and the subsearch will return a series of ORs, I recommend not using IN. `app=app1 | rex field=environment_url "https:\/\/(?<app_name>.*)\.foo\.com" | search [ search app=app2 | table app_name | format ]`
Thank you, let me check and update you!
I have two lookups. One consists of the allowed URLs. The other consists of the URLs from a firewall. For example, in the first:

google.com
dummy.com

In the second:

site1.google.com
site2.google.com

The first lookup is ingested from a file sent by the FW team. I create the second lookup with this search:

`index=my_firewall sourcetype=my_sourcetype (rule=rule_1 OR rule=rule_2 OR rule=rule_3) [ | inputlookup external_url.csv ] | fields url | dedup url | table url | outputlookup external_results.csv`

This gives me the sites that have been reached over the time period. Next I use this search:

`| inputlookup external_url.csv | lookup external_results.csv url OUTPUTNEW url as isFound`

I think this is giving me what I want, but I can't view the output the way I want. I would like to see:

allowed_url fw_url isFound

Using the sample data:

google.com site_1.google.com true
google.com site_2.google.com true
dummy.com false

TIA, Joe
It could be the events are being truncated.  Check the TRUNCATE setting in the relevant props.conf stanza.
This is years later but I'm hoping someone will be able to answer and see this. What is the `1=1, "error"` referring to? I understand that if 1=1, then that adds one to "error", but that's the extent of my understanding.
I need to identify the count of events that have a duration that is less than the p95 value. Sample search: `index=xyz status=complete | stats p95(dur) as p95Dur` What can I add to the end of the search to identify the number of events less than the p95Dur value?
Hi @jacu86, there's only one attention point: the field used for the filtering must be the same in the main search and the subsearch: `app=app1 | rex field=environment_url "https:\/\/(?<app_name>.*)\.foo\.com" | search [ search app=app2 | fields app_name ]` If not, you have to rename it. One additional hint: always use the index= filter to have faster searches. Ciao. Giuseppe
I have data in two different applications. I need to get fields from one query to use as filters for another, like this:

```
app=app1 | rex field=environment_url "https:\/\/(?<app_name>.*)\.foo\.com" | where app_name in [ search app=app2 | table app_name ]
```

app2 has a field named app_name which I'm turning into a table. app1 doesn't have this field, but I'm creating and extracting it with a regex. I only want the app names from app1 if they exist in the table I'm creating from app2. This query isn't working for me, what can I do? Thank you for any help.
When I look at the average and max size of the events, I see that the max event size sometimes is exactly 300,000 bytes, which is suspicious. Please let me know: did the event fields change? Are we receiving 10 events in one chunk of 300,000 bytes?