Hey all, I'm trying to separate out the IP address (Source Network Address:) from the Windows event Message field. I'm trying to find every instance of authentication for a certain user acct (including services & IIS app pools), but I'm having to parse it from the logs I'm getting from our Domain controllers. I'm pretty new to Splunk so my search is fairly basic. This is all I have so far, and I haven't been able to find info on whether that rex field should equal the new field I'm trying to create, or the field I'm searching, or what: index=* user=username EventCode=4740 OR EventCode=4648 OR EventCode=4672 OR EventCode=4624 | rex field=ServerIP "Source Network Address:(?<Message>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" So what I'm trying to do: Search Windows event log "Message" field > Find string "Source Network Address:ipaddress" Create new field with Value being above IP address   Appreciate any help!  

The calculation has to be made on Team Availability, taking a value of 96000 reduces the current Time Required  value and display in the next row in Team Availability, the recent Team Availability value must be taken for next subtraction with Time Required can be displayed  in the next row in Team Availability, so it continues for all Time Required valued. The last image is the expected one, Help me to rectify my doubt and share the query  

I am looking to run a search and filter out whitelisted exceptions in a lookup file.  2 of the fields could contain multiple values though. Here's the search I'm using:   index=microsoft365 sourcetype IN (azure:aad:signin, o365:management:activity) (action=success OR status=success) NOT Operation=UserLoginFailed | eval user_id=lower(user_id) | dedup src user_id date_month | iplocation src | search NOT Country IN ("United States", "Canada") | lookup local=t asn ip AS src | lookup nonUSlogins.csv ca.user_id AS user_id OUTPUT a.country a.ticket a.user_id | table user_id src date_month Country Region City asn autonomous_system a.user_id a.country     I tried using a match but found you can't use match if there are multiple values in a single field. Here is an example result currently: user_id src  date_month Country Region City asn autonomous_system a.user_id a.country user1 1.1.1.1 june Albania Tirana District Tirana     user1 user1 Albania Canada user1 2.2.2.2 june Germany Land Berlin Berlin     user1 user1 Albania Canada   I'm trying to eliminate results where the value for user_id matches a.user_id (values in this filed will be the same when there are multiple) AND the value of Country matches one of the countries listed in a.country   I would expect to see this in the end: user_id src  date_month Country Region City asn autonomous_system a.user_id a.country user1 2.2.2.2 june Germany Land Berlin Berlin     user1 user1 Albania Canada  

Hello, i´m looking to get this result between each start /end time. hope you could help me For example: Start time Endtime Su M Tu W Th F Sa 2021/07/01  2021/07/17 2 2 2 2 3 3 3 2021/07/05  2021/07/20 2 3 3 2 2 2 2   Thanks in advance

Hello * how can i overwrite the default eval definition for field app in props.conf? default/props.conf   ... EVAL-app = "Blue Coat ProxySG" ...   I try to overwrite this field with following in local/props.conf   ... FIELDALIAS-app = x_bluecoat_application_name as app ...   We use a distributed Environment so i changed this in SH and HF app. But no change to the results. What am i doing wrong?

Hi, I don't know if it is possible, but I would like to specify the time range of a join subsearch from a calculated value. I have a similar log record and query: Log record:   myField=abc, collectionTimeEpoch=1626358999, maxDurationInSeconds=10, items=[id=00000000-00000000-00000000-00000000#content=123,id=myId2#content=456]   The query is similar to the following:   index="..." sourcetype="..." myField=abc | sort -_time | head 1 | eval itemList=split(items,",") | mvexpand itemList | rex field=itemList "(?<id>[-\w\d]+)#content=(?<content>[-\w\d]+)" | eval start=(collectionTimeEpoch-maxDurationInSeconds) | join type=left id [search earliest=-2d@d index="..." sourcetype="..." someField=someValue ]   I would like to replace earliest=-2d@d  to something like earliest=start, but that is not working. I have also tried   | join type=left id [search earliest=[stats count | eval earliest=(collectionTimeEpoch-maxDurationInSeconds) |fields earliest ] index="..." sourcetype="..." someField=someValue ]   Could you help me with this? Thanks in advance

Hi, I noticed that the dashboard studio supports a customized text any where on the dashboard as showed below the "view all" .  However, if I choose to use dashboard studio, then I assume I lost capability to modify the simple XML code or use JS scripts on that dashboard. Is it possible to have such a drill-down text on the dashboard not using dashboard studio? Or if it's possible to modify the dashboard studio code to achieve more customized functionalities like those provided by XML?  Thank you!