@mvasquez21 Yes, you can definitely display the months chronologically instead of alphabetically. To achieve this, you need to convert the month representation (e.g., "Jan 2024") into a sortable format, like a timestamp or a year-month string (e.g., "2024-01").

index=_audit user="*" action="login attempt" info=succeeded | eval month=strftime(_time, "%Y-%m") | chart count over user by month
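The same pivot, worked through in Python as an added example (not code from the thread or from Splunk): it parses constructed _audit events in the format quoted in the question, keeps only successful "login attempt" events, counts them per user and month, and orders the month columns by a sortable YYYY-MM key while still displaying the "Jan 2025" style labels. The timestamp is assumed to be MM-DD-YYYY, and the user/IP/session values are made up; the alphabetical_labels function shows the ordering that the original "%b %Y" approach produces.

```python
"""Pivot Splunk _audit login events into a user x month table whose
month columns are chronological rather than alphabetical.

Added example for this thread, not Splunk's own code. The Audit lines
are constructed, and the timestamp is assumed to be MM-DD-YYYY.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the shape quoted in the question.
SAMPLE_EVENTS = [
    'Audit:[timestamp=03-03-2025 09:10:52.577, user=alice, action=login attempt, info=succeeded reason=user-initiated useragent="Mozilla/5.0" clientip=10.0.0.1 method=LDAP session=aaaa]',
    'Audit:[timestamp=01-15-2025 08:00:00.000, user=alice, action=login attempt, info=succeeded reason=user-initiated clientip=10.0.0.1 method=LDAP session=bbbb]',
    'Audit:[timestamp=02-02-2025 12:30:00.000, user=bob, action=login attempt, info=succeeded reason=user-initiated clientip=10.0.0.2 method=LDAP session=cccc]',
    'Audit:[timestamp=02-20-2025 18:45:10.000, user=bob, action=login attempt, info=failed reason=bad-password clientip=10.0.0.2 method=LDAP session=dddd]',
    'Audit:[timestamp=12-30-2024 23:59:59.000, user=carol, action=login attempt, info=succeeded reason=user-initiated clientip=10.0.0.3 method=LDAP session=eeee]',
    'Audit:[timestamp=03-05-2025 10:00:00.000, user=carol, action=search, info=granted clientip=10.0.0.3 session=ffff]',
]

# Only the four fields the search needs are extracted; "action" may contain a
# space ("login attempt"), so it is matched lazily up to the next separator.
TS_RE = re.compile(r"timestamp=(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")
USER_RE = re.compile(r"\buser=([^,\]\s]+)")
ACTION_RE = re.compile(r"\baction=([^,\]]+?)(?=,|\s\w+=|\])")
INFO_RE = re.compile(r"\binfo=([^,\]\s]+)")


def parse_event(line):
    """Return (datetime, user, action, info) or None if a field is missing."""
    found = [rx.search(line) for rx in (TS_RE, USER_RE, ACTION_RE, INFO_RE)]
    if not all(found):
        return None
    ts, user, action, info = (m.group(1) for m in found)
    # Assumption: Splunk audit timestamps are month-day-year.
    when = datetime.strptime(ts, "%m-%d-%Y %H:%M:%S.%f")
    return when, user, action, info


def successful_logins_by_month(lines):
    """Equivalent of: action="login attempt" info=succeeded | chart count over user by month.

    Returns {user: {"YYYY-MM": count}}; the key is sortable, like the
    strftime(_time, "%Y-%m") suggestion above.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        when, user, action, info = parsed
        if action != "login attempt" or info != "succeeded":
            continue
        counts[user][when.strftime("%Y-%m")] += 1
    return {user: dict(months) for user, months in counts.items()}


def month_columns(table):
    """All months seen, in chronological order (lexical order of YYYY-MM)."""
    return sorted({m for months in table.values() for m in months})


def month_label(key):
    """Display label in the thread's "%b %Y" style, e.g. 2025-01 -> Jan 2025."""
    return datetime.strptime(key, "%Y-%m").strftime("%b %Y")


def chronological_labels(table):
    """Sort on the YYYY-MM key, then relabel: Dec 2024, Jan 2025, Feb 2025, ..."""
    return [month_label(k) for k in month_columns(table)]


def alphabetical_labels(table):
    """What you get when the chart is split by "%b %Y" directly: Dec, Feb, Jan, Mar."""
    return sorted(month_label(k) for k in month_columns(table))


def render(table):
    """Rows of [user, count per month...] with a header row, months chronological."""
    cols = month_columns(table)
    header = ["user"] + [month_label(c) for c in cols]
    rows = [[u] + [table[u].get(c, 0) for c in cols] for u in sorted(table)]
    return [header] + rows


if __name__ == "__main__":
    for row in render(successful_logins_by_month(SAMPLE_EVENTS)):
        print("\t".join(str(cell) for cell in row))
```

The failed attempt and the non-login "search" event are dropped by the same filters as the SPL search; note that December 2024 sorts before January 2025 only because the sort key is the year-month string, not the label.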
@mvasquez21 Don't append makeresults in your query. Use this:

index=_audit user="*" action="login attempt" info=succeeded | eval month=strftime(_time, "%b %Y") | chart count over user by month
When I try to append my search with it I get this error: Error in 'makeresults' command: This command must be the first command of a search.

index = _audit user="*" action="login attempt" info=succeeded | makeresults count=20 | eval _time=relative_time(now(), "-".(random()%180)."d") | eval user="user".tostring(1+random()%5) | eval action="login attempt", info="succeeded" | eval month=strftime(_time, "%b %Y") | chart count over user by month
@mvasquez21 You have to use this query:

index=_audit user="*" action="login attempt" info=succeeded | eval month=strftime(_time, "%b %Y") | chart count over user by month
@mvasquez21 makeresults is a command in Splunk that generates synthetic (fake) data for testing, debugging, and query development without using an actual index. You have to pass your original query.
When using this one:

| makeresults count=20 | eval _time=relative_time(now(), "-".(random()%180)."d") | eval user="user".tostring(1+random()%5) | eval action="login attempt", info="succeeded" | eval month=strftime(_time, "%b %Y") | chart count over user by month

my results don't show the username:
Hi, Quick sanity check: are you certain there's nothing being instrumented that uses an older version of .NET? The reason I ask is because the service name might be indicating .NET 6? The 1.9 instrumentation won't work with .NET6 or .NET7--you'd have to try downgrading to 1.8. "OTEL_SERVICE_NAME": "MyDotNet6WebApi"
I have this search to see logins to our splunk environment:

index = _audit user="*" action="login attempt" info=succeeded | stats count by user

mgmt is asking to see the same data but instead of a "count" column, they want a column for each month. I assume it will be a table of some sort but can't figure out the date summarizing. Here is an example of the individual entry:

Audit:[timestamp=03-03-2025 09:10:52.577, user=xxxxxx, action=login attempt, info=succeeded reason=user-initiated useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" clientip=xxx.xxx.xxx.x" method=LDAP" session=17a169464fada764a1bac7310cac4c47]

Columns should be: user monthA monthB monthC, with the counts under each month. Thanks!
Thanks for trying to help @PickleRick , this is of course the normal process that I have undertaken and iterated over to analyse. Understood on disabled, that is not the case in the TA's I am working to remove.