@gcusello For all the results I am getting period_count=1, whereas only a few IPs are used by my user="*@xyz.com*" in the last 30 days. I want to particularly filter whether the IPs were used by user="*@xyz.com*".
This did it. Thank you for all your help @Anonymous !!
The first dc() needs eval() as the main function.

index=<index1> src_ip IN (<srcvalues>) AND dest_ip!=<ipvalues> NOT dest_location IN ("<locvalues>") earliest=-24h latest=now()
| stats dc(eval(if(_time < relative_time(now(), "-1h"), dest_location."-".dest_ip, null()))) as oldconnections dc(eval(dest_location."-".dest_ip)) as allconnections by src_ip

For some reason Splunk doesn't print a warning about this, perhaps assuming that all terms are strings unless they begin with eval.
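To make the accepted answer's stats line concrete, here is an added Python emulation of what the two dc(eval(...)) terms compute per src_ip, run over constructed sample events. It is not code from the thread or from Splunk; the event shape, the fixed "now" and the one-hour window are assumptions. Beyond the original search it also returns the set difference, i.e. the location-destination pairs that first appear inside the last hour, which is the value a detection would actually alert on.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (assumption; the SPL uses now()).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def make_event(minutes_ago, src_ip, dest_ip, dest_location):
    """Build one constructed event in the shape the thread's search expects."""
    return {
        "_time": NOW - timedelta(minutes=minutes_ago),
        "src_ip": src_ip,
        "dest_ip": dest_ip,
        "dest_location": dest_location,
    }


# Constructed sample events inside the 24h search window (not real data from the thread).
EVENTS = [
    make_event(600, "10.0.0.5", "203.0.113.10", "US"),
    make_event(300, "10.0.0.5", "203.0.113.10", "US"),   # same pair again: still one distinct value
    make_event(120, "10.0.0.5", "198.51.100.7", "DE"),
    make_event(20,  "10.0.0.5", "203.0.113.10", "US"),   # inside the last hour, but also seen earlier
    make_event(10,  "10.0.0.5", "192.0.2.44",   "RU"),   # only inside the last hour: a new destination
    make_event(90,  "10.0.0.9", "203.0.113.10", "US"),
    make_event(5,   "10.0.0.9", "203.0.113.10", "US"),
]


def connection_counts(events, now=NOW, window=timedelta(hours=1)):
    """Emulate the accepted SPL:
       | stats dc(eval(if(_time < relative_time(now(), "-1h"), dest_location."-".dest_ip, null()))) as oldconnections
               dc(eval(dest_location."-".dest_ip)) as allconnections by src_ip
    dc() ignores null(), so events inside the window add nothing to oldconnections; that is
    what the eval(if(...)) wrapper achieves. newconnections is the extra set difference."""
    cutoff = now - window
    old, all_ = {}, {}
    for e in events:
        key = f'{e["dest_location"]}-{e["dest_ip"]}'
        all_.setdefault(e["src_ip"], set()).add(key)
        old.setdefault(e["src_ip"], set())
        if e["_time"] < cutoff:
            old[e["src_ip"]].add(key)
    return {
        src: {
            "oldconnections": len(old[src]),
            "allconnections": len(all_[src]),
            "newconnections": sorted(all_[src] - old[src]),
        }
        for src in sorted(all_)
    }


if __name__ == "__main__":
    for src, row in connection_counts(EVENTS).items():
        print(src, row)
```

For 10.0.0.5 this yields oldconnections=2, allconnections=3 and one new pair (RU-192.0.2.44); for 10.0.0.9 both counts are 1 and nothing is new, because its only destination was already seen 90 minutes ago.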
For efficiency reasons, WILDCARD(searched_for) only supports a wildcard after some initial fixed characters, like splunk*, spl*nk, etc. If you have a table

keyword    classification
splunk*    test classification
spl*nk     test classification 2

with WILDCARD(keyword) in the lookup definition and test the following keywords

splunk
splonk
splunky
splash wonk
splunkie
splunked
splonking

you'll get these:

searched_for    classification
splunk          test classification
                test classification 2
splonk          test classification 2
splunky         test classification
splash wonk     test classification 2
splunkie        test classification
splunked        test classification
splonking

Here is the emulation for the above:

| makeresults
| eval searched_for = mvappend("splunk", "splonk", "splunky", "splash wonk", "splunkie", "splunked", "splonking")
| mvexpand searched_for
| lookup keywords.csv keyword AS searched_for OUTPUT classification
| table searched_for classification

Hope this helps.
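The following is an added Python emulation of the WILDCARD lookup matching shown in this answer and of the original question's problem (a plain keyword "splunk" versus "*splunk*" against the query "word splunk word"). It is not code from the thread or from Splunk. The matching semantics are an assumption: "*" matches any run of characters, everything else is literal, and the whole field value must match, which is why an un-wildcarded keyword never matches a longer query. The emulation does not model the leading-fixed-characters restriction mentioned above, and case sensitivity is a parameter (the documented transforms.conf default, case_sensitive_match = true, is assumed).

```python
import csv
import io
import re

# Constructed keywords.csv reproducing the answer's two-row table (not a file from the thread).
KEYWORDS_CSV = """keyword,classification
splunk*,test classification
spl*nk,test classification 2
"""

# The original question's one-row table, without and with the wildcards the poster tried.
PLAIN_ROWS = [{"keyword": "splunk", "classification": "test classification"}]
STARRED_ROWS = [{"keyword": "*splunk*", "classification": "test classification"}]

# The searched_for values from the answer's mvappend(...).
SEARCHES = ["splunk", "splonk", "splunky", "splash wonk", "splunkie", "splunked", "splonking"]


def load_lookup(csv_text):
    """Read a lookup CSV into a list of row dicts, like | inputlookup."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def wildcard_regex(pattern, case_sensitive=True):
    """Assumed WILDCARD semantics: '*' matches any run of characters, everything else is
    literal, and (via fullmatch below) the whole field value must match."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, 0 if case_sensitive else re.IGNORECASE)


def lookup_classification(value, rows, key="keyword", output="classification"):
    """Emulate | lookup <table> <key> AS <field> OUTPUT <output>: return every matching row's
    output value (multivalue when several wildcard rows match, empty when none does)."""
    return [row[output] for row in rows if wildcard_regex(row[key]).fullmatch(value)]


def emulate(rows, searches=SEARCHES):
    """The answer's | makeresults ... | mvexpand ... | lookup ... | table run in Python."""
    return {s: lookup_classification(s, rows) for s in searches}


if __name__ == "__main__":
    for searched_for, classification in emulate(load_lookup(KEYWORDS_CSV)).items():
        print(f"{searched_for:12} {classification}")
    # The original question: a plain keyword matches only the whole value, a starred one matches inside it.
    print(lookup_classification("word splunk word", PLAIN_ROWS))    # []
    print(lookup_classification("word splunk word", STARRED_ROWS))  # ['test classification']
```

The emulated table agrees with the one in the answer: "splunk" matches both rows and gets a two-value classification, "splash wonk" matches spl*nk only, and "splonking" matches nothing because it does not end in "nk".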
Thank you this worked and did what I needed
Try this transform:

[extract_host]
REGEX = Host:\s\w+\d+\s+(\w+)
FORMAT = newhostname::$1
Hi! We are facing the same issue, both on versions 8.2.9 and version 8.2.12. We did not find a solution yet, but raised a support ticket.
Hi everyone, I've seen a few posts on here and elsewhere that seem to detail the same issue I'm having, but none of the solutions do the trick for me. Any help is appreciated.

The goal is to flag users whose search engine queries (field name searched_for) contain words stored in a lookup table. Because those words could occur anywhere in the search query, wildcard matching is needed.

I have a lookup table called keywords.csv. It contains two columns:

keyword,classification
splunk,test classification

The first use of the lookup works as it should, showing only events with a keyword match anywhere in searched_for:

| search [| inputlookup keywords.csv | eval searched_for="*".keyword."*" | fields searched_for | format]

The next step is to enrich the remaining events with the classification, and then filter out all events without a classification, as such:

| lookup keywords.csv keyword AS searched_for OUTPUT classification
| search classification=*

The problem is that the above SPL only enriches events in which the keyword exactly matches searched_for. If I search in Google for "splunk", the events are enriched; if I search for "word splunk word", the event is not enriched. Is there a way around this without using | lookup? Or am I doing something wrong here? I'm out of ideas.

I've tried:
- Prepending and appending * to the keyword in the lookup table (*splunk*)
- Adding a lookup definition with matchtype WILDCARD(searched_for)
- Thought maybe the issue is due to searched_for being an evaluated field, so I changed the matchtype and SPL to the field "url". It is coming straight from the logs and contains the search query string. Still no enrichment.
- Deleted and re-created the lookup, definition, and matchtype.
I will give this a shot to see what I get. thx
I tried the following and all values for the oldconnections field are coming up as 0, which I'm assuming is due to the if statement returning null for each event.

index=<index1> src_ip IN (<srcvalues>) AND dest_ip!=<ipvalues> NOT dest_location IN ("<locvalues>") earliest=-24h latest=now()
| stats dc(if(_time < relative_time(now(), "-1h"), eval(dest_location."-".dest_ip), null())) as oldconnections dc(eval(dest_location."-".dest_ip)) as allconnections by src_ip
Hi @Giridhar.Nadipally, it looks like we have some content in the Knowledge Base that might help. Please check it out:

https://community.appdynamics.com/t5/forums/searchpage/tab/message?filter=location&q=%22ABAP%22&noSynonym=false&inactive=false&location=category:Resources&collapse_discussion=true

Also check out the AppD Docs.
Hi @Jeffrey.Leedy, I see you created a ticket, can you please share the learnings here as a reply, thanks!
Hi @AL3Z, please try:

Blacklist1 = message="C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"

or

Blacklist1 = C:\\Program\sFiles\\Windows\sDefender\sAdvanced\sThreat\sProtection\\(MsSense|SenseCM|SenseIR)\.exe

Ciao. Giuseppe
Do we need to put this inside double quotes?

Blacklist1 = message="C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"
Hello, I need help to filter fields out of an event and in this way reduce the size of the log before indexing it in Splunk. I was reviewing the documentation, and with ingest actions it is possible to exclude events based on regular expressions; however, I do not need to exclude events, only specific fields.
Hi @alexspunkshell, period_count=1 means that the event is present only before the last 24 hours or only inside the last 24 hours, but not in both periods. Ciao. Giuseppe
Hi @AL3Z, please try this regex:

C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe

If it doesn't run, please try:

C:\\\Program Files\\\Windows Defender Advanced Threat Protection\\\(MsSense|SenseCM|SenseIR)\.exe

Sometimes there's an issue with backslashes. Ciao. Giuseppe
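Before putting either blacklist regex into inputs.conf, a practitioner would want to check what it actually matches. Here is an added Python harness, not code from the thread or from Splunk, that compiles the two regex forms suggested above as raw strings (one backslash per literal path backslash; the conf-file quoting and escaping that the thread is debating is not modelled) and runs them over constructed sample Message values. The sample messages are assumptions, chosen to cover the three listed binaries, an unlisted Defender binary, the escaped dot, and a lowercase path.

```python
import re

# The two regex forms suggested in the thread, as Python raw strings.
BLACKLIST_LITERAL_SPACES = re.compile(
    r"C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"
)
BLACKLIST_S_SPACES = re.compile(
    r"C:\\Program\sFiles\\Windows\sDefender\sAdvanced\sThreat\sProtection\\(MsSense|SenseCM|SenseIR)\.exe"
)

# Constructed Message field values (not real events from the thread).
SAMPLE_MESSAGES = [
    r"A new process has been created. New Process Name: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
    r"New Process Name: C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe",
    r"New Process Name: C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe",
    r"New Process Name: C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe",  # not in the alternation
    r"New Process Name: C:\Program Files\Windows Defender Advanced Threat Protection\MsSenseXexe",   # '\.' is a literal dot
    r"New Process Name: c:\program files\windows defender advanced threat protection\mssense.exe",  # case-sensitive regex: no match
    r"New Process Name: C:\Windows\System32\cmd.exe",
]


def blacklisted(message, pattern=BLACKLIST_LITERAL_SPACES):
    """True when the blacklist regex is found anywhere in the message."""
    return pattern.search(message) is not None


def filter_events(messages, pattern=BLACKLIST_LITERAL_SPACES):
    """Return the messages that would survive the blacklist, i.e. still be indexed."""
    return [m for m in messages if not blacklisted(m, pattern)]


if __name__ == "__main__":
    for pattern in (BLACKLIST_LITERAL_SPACES, BLACKLIST_S_SPACES):
        for m in SAMPLE_MESSAGES:
            print("DROP " if blacklisted(m, pattern) else "KEEP ", m)
        print()
```

Both forms drop the three listed binaries and keep everything else. The lowercase path is kept because the regexes are case-sensitive while Windows paths are not, which is worth deciding deliberately rather than discovering after deployment.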
@gcusello Thanks for your help. I tried all the changes in the SPL too. However, period_count is still showing 1. Hence I am unable to filter the results.
Hello, I think my original question was not clear. My apologies. My search with the regex below works for both IPv4 and IPv6, and it's faster than the 3rd-party ipv6compress function.

My original question: is it possible to bypass the regex statement only for IPv4 (only use the regex for IPv6)? I was able to use a drilldown condition in the XML source as a workaround, but it made the code complex and it's not transferable to Dashboard Studio. Thank you for your help.

Search:

index=vulnerability_index
| rex mode=sed field=ip "s/<regex>/<replacement>/<flags>"
| search ip="$ip_token$"
Thanks @bowesmana for the solution, it worked like a charm !!!!