All Posts
Hello, First, I am aware that there are multiple posts regarding my question, but I can't seem to use them in my scenario. Please see an example below. There are two fields, location and name. I need to filter out names that contain "2" and stats count name based on location. I came up with this search, but the problem is it did not include location A (because the count is zero). Please suggest. I appreciate your help. Thanks

| makeresults format=csv data="location, name
location A, name A2
location B, name B1
location B, name B2
location C, name C1
location C, name C2
location C, name C3"
| search name != "*2*"
| stats count by location

Data:

location      name
location A    name A2
location B    name B1
location B    name B2
location C    name C1
location C    name C2
location C    name C3

Expected output:

location      count(name)
location A    0
location B    1
location C    2
@navan1 You should include a space before AS. Please refer to this query as an example.

index=test earliest=-365d latest=now
| eval Month=strftime(_time, "%Y-%m")
| stats dc(eval(if(action="success", user, null()))) AS Success_Users dc(eval(if(action="failure", user, null()))) AS Failure_Users BY Month
| sort Month

I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks. Please don't forget to accept this solution if it fits your needs.
Hello Kiran, I am getting the below error:
@dwangfeng

index="yourindex" sourcetype="yoursourcetype"
| rex mode=sed "s/<password>[^<]+<\/password>/<password>xxxxxxxxxxxx<\/password>/g"

I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks. Please don't forget to accept this solution if it fits your needs.
@dwangfeng Can you try this?

I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks. Please don't forget to accept this solution if it fits your needs.
@navan1 If you want to check from the past one year, you can try this.

I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks. Please don't forget to accept this solution if it fits your needs.
Hello Kiran, Here the action has two fields, Success and failure. I need to list success and failure users by month for the past one year.
@navan1 Try like this. I don't have action=success and action=failure events, so I just gave them randomly. Please modify your query as per your requirement.

I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks.
@shenoyveer You can use trellis, split by host.

I hope this helps. If any reply helps you, you could add your upvote/karma points to that reply, thanks.
@shenoyveer Can you check this? The x-axis will be the first column/field in the results, so put the date as the first field after the by.
Is there any alternative to timechart? I want to have a particular date on the x-axis.
Hello Team,

How to search specific app user successful and failure events by month for Jan to Dec? Base search:

index=my_index app=a
| table app action user
| eval Month=strftime(_time,"%m")
| stats count by user Month

I am not getting any result with the above search.
@shenoyveer If you take out the eval from the query, you must also remove the date field from it.

index="vm-details"
| timechart count by host
Recently our Splunk security alert integration stopped working last month (December), where we'd send an alert automatically from Splunk Cloud to our onmicrosoft.com@amer.teams.ms e-mail. Is the support for this being deprecated on the Microsoft side? Or is this a whitelisting issue? Has anyone else experienced a similar problem?
Thank you @ITWhisperer. In my layman's terms: use an eventstats search to find max(triggeredEventNumber) BY userName. Next, use where to select only that max(triggeredEventNumber) for the results. Then I used stats values(field) to extract the values for the fields I am interested in.
Tried with another query too:

index="testing"
| eval date=strftime(_time, "%Y-%m-%d")
| stats count by date, host

but still it's not showing the hostname in the dashboard.
Thanks @gcusello for your response and guidance. I tried your query and it's giving me results; however, it's only populating 5 fields, which are the ones that are common to both indices.

How do you suggest I modify the query so the output also displays all the following fields that are under index="*firewall*"?

src_zone, src_ip, dest_zone, dest_ip, server_name, transport, dest_port, app, rule, action, session_end_reason, packets_out, packets_in, src_translated_ip, dvc_name

My intent is to display the data in the following order (that includes fields from both indices) if possible. ***Specific fields from index=corelight are in bold for reference.

src_zone AS From, src_ip AS Source, dest_zone AS To, dest_ip AS Destination, server_name AS SNI, transport AS Protocol, dest_port AS Port, app AS "Application", rule AS "Rule", action AS "Action", session_end_reason AS "End Reason", packets_out AS "Packets Out", packets_in AS "Packets In", src_translated_ip AS "Egress IP", dvc_name AS "DC", ssl_version AS Version, ssl_cipher AS ENCRPT_ALGO

Thanks!
Hi Kiran, Thanks for the prompt reply. It's not working for me, and after removing the eval no data is popping up. My goal is to get the hostname while hovering over the host_count variable from the query.
Here is my raw data in the Splunk query:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<application xmlns="http://www.abc.com/services/listService">
<header>
<user>def@ghi.com</user>
<password>al3yu2430nald</password>

I want to mask the password value and show it in the Splunk output as:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<application xmlns="http://www.abc.com/services/listService">
<header>
<user>def@ghi.com</user>
<password>xxxxxxxxxxxx</password>

How can I do that?
Hi @sdcig, as you experienced, don't use join because it's very slow! Use the OR conditions correlated using stats, something like this, to adapt to your requirements:

(index=*corelight* sourcetype=*corelight* server_name=*microsoft.com*) OR (index="*firewall*" sourcetype=*traffic* src_ip=10.1.1.100)
| dedup src_ip, dest_ip
| fields src_zone, src_ip, dest_zone, dest_ip, server_name, transport, dest_port, app, rule, action, session_end_reason, packets_out, packets_in, src_translated_ip, dvc_name
| stats values(*) AS * BY dest_ip
| rename src_zone AS From, src_ip AS Source, dest_zone AS To, dest_ip AS Destination, server_name AS SNI, transport AS Protocol, dest_port AS Port, app AS "Application", rule AS "Rule", action AS "Action", session_end_reason AS "End Reason", packets_out AS "Packets Out", packets_in AS "Packets In", src_translated_ip AS "Egress IP", dvc_name AS "DC"

If possible, try to avoid using an asterisk at the beginning of a string (as in your case in index, sourcetype and host).

Ciao.
Giuseppe