I notice, by testing, that Splunk CLI searches do not appear to be subject to Splunk's limits. This behavior is useful to us as I can use it to provide controlled exports. However I cannot see any documentation that explains how/why CLI search bypasses limits in this way. Has anyone else noticed this? 
Hello, on one of our indexers we ran out of disk space in /var. This is the path that takes all the space: opt/splunk/var/lib/splunk/prod/datamodel_summary. Can I delete the files there? How can I avoid these messages? If it is not possible to remove them, what would be the best step to fix this issue? Also, how is it possible that this happens on only one indexer while I have an indexer cluster with 3 peers? Thanks, Sarit
I'm trying to make an alert trigger when the same source IP appears more than 40 times, across more than 40 destination IPs, within 5 minutes. I'm not sure how to accomplish this...
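The detection the post asks for, as an added example that is not from the original post or any answer to it: Python that reads constructed firewall-style log lines (the `<timestamp> src=<ip> dst=<ip>` format is an assumption), buckets them into fixed 5-minute windows and reports any source with more than 40 events reaching more than 40 distinct destinations in one window. It includes two decoys that a naive count would flag: a chatty source talking to only two destinations, and a slow sweep that never exceeds the thresholds inside any single window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format (constructed for this example): "<timestamp> src=<ip> dst=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


def make_sample_logs():
    """Constructed sample events: one true positive and two decoys."""
    base = datetime(2021, 3, 1, 12, 0, 0)
    lines = []
    # 10.0.0.5: 45 events to 45 distinct destinations inside 90 seconds -> fan-out
    for i in range(45):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=10.0.0.5 dst=10.1.0.{i + 1}")
    # 10.0.0.9: 60 events but only 2 destinations -> noisy, not a sweep
    for i in range(60):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=10.0.0.9 dst=10.2.0.{1 + i % 2}")
    # 10.0.0.7: 45 destinations but one per minute -> no 5-minute window exceeds 40
    for i in range(45):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=10.0.0.7 dst=10.3.0.{i + 1}")
    return lines


def window_start(ts, window_minutes):
    """Floor a timestamp to a fixed window, like `bin _time span=5m` (window must divide 60)."""
    return ts.replace(second=0, microsecond=0,
                      minute=(ts.minute // window_minutes) * window_minutes)


def find_fanout(lines, window_minutes=5, min_events=40, min_dsts=40):
    """Return {(window, src): (event_count, distinct_dst_count)} for sources that
    exceed BOTH thresholds within one fixed window."""
    events = defaultdict(int)
    dsts = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the alert
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (window_start(ts, window_minutes), m["src"])
        events[key] += 1
        dsts[key].add(m["dst"])
    return {k: (events[k], len(dsts[k]))
            for k in events if events[k] > min_events and len(dsts[k]) > min_dsts}


if __name__ == "__main__":
    for (window, src), (n, d) in sorted(find_fanout(make_sample_logs()).items()):
        print(f"{window:%H:%M} {src}: {n} events to {d} distinct destinations")
```

The same logic in SPL is `... | bin _time span=5m | stats count dc(dest_ip) AS dests BY _time src_ip | where count > 40 AND dests > 40`, scheduled every 5 minutes over the last 5 minutes (field names assumed). The caveat the decoys illustrate: the distinct-destination count is what separates a sweep from a busy host, and fixed buckets can split one burst across a window boundary; if that matters, `streamstats time_window=5m` gives a sliding window instead.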
Hi guys, I have a dashboard where a user inputs data using dropdowns and text inputs. If he inputs all data and clicks on submit, a hidden search (row) is executed which populates a lookup with the values of the tokens of the input fields. The next row displays a table with the lookup content. In addition to that there is a row with one dropdown to select a tool from a production machine. If this dropdown is used, a search is started which searches for the pieces produced by this tool since the last entry of that tool in the lookup above. If he clicks on the single value displayed from the search, the piece count is pasted into the matching field of the main inputs above. This helps the user to get all data for the input into the lookup. Now the problem is that the dropdown for the tool selection has searchWhenChanged=true so the search for the piece count can start. But sometimes (not every time, I think) it also starts the hidden search from above and sends data to the lookup although the submit button wasn't clicked. This results in unwanted data. What I tried is to unset all input tokens after the hidden search is done. This prevents it from sending data to the lookup without clicking submit because the tokens for that search are missing. But it deletes the input too, just when selecting a tool. In short: Is there a way to specify which search is executed by changing an input field / token, and not just all searches? Thanks!
Here is the SimpleXML:

<form hideFilters="true" theme="dark">
  <label>Edelhoff Werkzeug Wartungsboard</label>
  <init>
    <eval token="default_von">strftime(now(),"%d.%m.%Y")</eval>
    <eval token="default_bis">strftime(now(),"%d.%m.%Y")</eval>
    <set token="tok_trigger"></set>
    <set token="tok_trigger_date_update"></set>
  </init>
  <fieldset submitButton="true">
    <input type="dropdown" token="tok_WN" searchWhenChanged="false">
      <label>Auswahl Werkzeug</label>
      <fieldForLabel>Werkzeugname</fieldForLabel>
      <fieldForValue>Werkzeugnummer</fieldForValue>
      <search>
        <query>index=machinedata_w05_sum app=Presskraft_pro_Werkzeug_neu | dedup Werkzeugnummer | fields Werkzeugnummer | sort Werkzeugnummer | lookup Edelhoff_Werkzeugliste_TEST.csv Speichernummer as Werkzeugnummer OUTPUTNEW Werkzeugname | table Werkzeugnummer Werkzeugname</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
    <input type="dropdown" token="tok_grund" searchWhenChanged="false">
      <label>Ausfallgrund</label>
      <choice value="Gratbildung">Gratbildung</choice>
      <choice value="Massabweichung">Maßabweichung</choice>
      <choice value="sichtbarerSchaden">sichtbarer Schaden</choice>
      <choice value="Elektrik">Elektrik</choice>
      <choice value="Hydraulik">Hydraulik</choice>
      <choice value="StempelGebrochen">Stempel gebrochen</choice>
    </input>
    <input type="dropdown" token="tok_massnahme" searchWhenChanged="false">
      <label>Instandsetzungsmaßnahme</label>
      <choice value="Nachschleifen">Nachschleifen</choice>
      <choice value="Stempel-/Matrizenwechsel">Stempel- /Matrizenwechsel</choice>
      <choice value="Federn">Federn</choice>
      <choice value="Führungen">Führungen</choice>
    </input>
    <input type="text" token="tok_end_rep" searchWhenChanged="false">
      <label>gewartet zurück</label>
      <initialValue>$default_bis$</initialValue>
      <default>$default_bis$</default>
    </input>
    <input type="text" token="tok_stueckzahl" searchWhenChanged="false">
      <label>Stückzahl</label>
      <default>-</default>
      <initialValue>-</initialValue>
    </input>
    <input type="text" token="tok_details" searchWhenChanged="false">
      <label>Bemerkungen</label>
      <default>-</default>
      <initialValue>-</initialValue>
    </input>
  </fieldset>
  <row depends="$never_show_this_row$">
    <panel>
      <table>
        <search>
          <done>
            <unset token="form.tok_WN"></unset>
            <unset token="form.tok_grund"></unset>
            <unset token="form.tok_massnahme"></unset>
            <unset token="form.tok_end_rep"></unset>
            <unset token="form.tok_stueckzahl"></unset>
            <unset token="form.tok_details"></unset>
            <eval token="default_von">strftime(now(),"%d.%m.%Y")</eval>
            <eval token="default_bis">strftime(now(),"%d.%m.%Y")</eval>
            <eval token="form.default_von">strftime(now(),"%d.%m.%Y")</eval>
            <eval token="form.default_bis">strftime(now(),"%d.%m.%Y")</eval>
          </done>
          <query>| makeresults | eval Werkzeug="$tok_WN$" | eval Wartungsgrund="$tok_grund$" | eval Wartungsmaßnahme="$tok_massnahme$" | eval rep_back="$tok_end_rep$" | eval Stueckzahl="$tok_stueckzahl$" | eval Bemerkungen="$tok_details$" | fields Auftrag Werkzeug Wartungsgrund Wartungsmaßnahme "zum WZB" rep_back Stueckzahl Bemerkungen | fields - _time | outputlookup append=t W05_PS_Edelhoff_Werkzeug_Wartung_TEST.csv</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <done>
            <set token="tok_rep">$result.rep_back$</set>
          </done>
          <query>| inputlookup W05_PS_Edelhoff_Werkzeug_Wartung_TEST.csv | eval _time=strptime(rep_back,"%d.%m.%Y") | stats latest(rep_back) as timestamp by Maschine | eval header=rep_back | transpose 100 header_field=header | where Werkzeug=="$tok_WN$"</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">5</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Wartungshistorie</title>
      <table>
        <search>
          <done>
            <eval token="tok_trigger_date_update">now()</eval>
          </done>
          <query>| inputlookup append=t W05_PS_Edelhoff_Werkzeug_Wartung_TEST.csv | lookup Edelhoff_Werkzeugliste_TEST.csv Speichernummer as Werkzeug OUTPUTNEW Werkzeugname | eval _time=strptime(rep_back,"%d.%m.%Y") | rename rep_back as "repariert zurück" | sort - _time | fillnull value="-" | fields - _time | table "repariert zurück" Werkzeugname Werkzeug Wartungsgrund Wartungsmaßnahme Stueckzahl Bemerkungen | rename Werkzeug as Speicherplatznummer</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
          <refresh>15s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="tok_WN">$row.Speicherplatznummer$</set>
          <set token="tok_WN2">$row.Speicherplatznummer$</set>
          <set token="form.tok_WN">$row.Speicherplatznummer$</set>
          <set token="form.tok_WN2">$row.Speicherplatznummer$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Werkzeug Stückzahlen nach der letzten Wartung</title>
      <input type="dropdown" token="tok_WN2" searchWhenChanged="true">
        <label>Auswahl Werkzeug</label>
        <fieldForLabel>Werkzeugname</fieldForLabel>
        <fieldForValue>Werkzeugnummer</fieldForValue>
        <search>
          <query>index=machinedata_w05_sum app=Presskraft_pro_Werkzeug_neu | dedup Werkzeugnummer | fields Werkzeugnummer | sort Werkzeugnummer | lookup Edelhoff_Werkzeugliste_TEST.csv Speichernummer as Werkzeugnummer OUTPUTNEW Werkzeugname | table Werkzeugnummer Werkzeugname</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
      </input>
      <single>
        <title>seit $tok_end_rep2$</title>
        <search>
          <done>
            <set token="tok_end_rep2">$result.back$</set>
          </done>
          <query>index=machinedata_w05 source=W05FBEdelhoffIV7460 Werkzeugnummer_1min OR name=Werkzeugnummer_10min OR name=NSW_Stempel_Winkel_Aktuell10ms earliest=@d latest=now | eval Nummer=case(name=="Werkzeugnummer_10min", value, Werkzeugnummer_1min!="", Werkzeugnummer_1min) | eval {name}=value | rename NSW_Stempel_Winkel_Aktuell10ms as Winkel | reverse | filldown Nummer | reverse | filldown Winkel | where Nummer=$tok_WN2$ | eval pressing = if((Winkel&gt;130 AND Winkel&lt;150), 1, 0) | fields pressing _time Kraft1 Nummer Hauptantrieb_Strom Hauptantrieb_Temperatur Hauptantrieb_Drehmoment Hubhoehe | filldown | autoregress pressing | eval pressingAction = if(pressing==1 AND pressing_p1==0, 2, 0) | reverse | stats c(eval(pressingAction==2)) as Stueckzahl | eval Stueckzahl = Stueckzahl + [ | search index=machinedata_w05_sum app=Presskraft_pro_Werkzeug_neu Werkzeugnummer=$tok_WN2$ [ | inputlookup W05_PS_Edelhoff_Werkzeug_Wartung_TEST.csv where Werkzeug=$tok_WN2$ | fields rep_back | eval rep_back=strptime(rep_back,"%d.%m.%Y") | sort - rep_back | head 1 | eval result="earliest=\"".rep_back."\"" | return $result ] latest=now | stats c as Stueckzahl | return $Stueckzahl ] | appendcols [ | inputlookup W05_PS_Edelhoff_Werkzeug_Wartung_TEST.csv where Werkzeug=$tok_WN2$ | fields rep_back | eval rep_back=strptime(rep_back,"%d.%m.%Y") | sort - rep_back | head 1 | eval result=strftime(rep_back, "%d.%m.%y") | return $result ] | rename search as back</query>
          <earliest>1566774000</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="form.tok_stueckzahl">$click.value$</set>
          <set token="tok_stueckzahl">$click.value$</set>
        </drilldown>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Werkzeug Gesamtstückzahl</title>
      <input type="dropdown" token="tok_WN2" searchWhenChanged="false">
        <label>Auswahl Werkzeug</label>
        <fieldForLabel>Werkzeugname</fieldForLabel>
        <fieldForValue>Werkzeugnummer</fieldForValue>
        <search>
          <query>index=machinedata_w05_sum app=Presskraft_pro_Werkzeug_neu | dedup Werkzeugnummer | fields Werkzeugnummer | sort Werkzeugnummer | lookup Edelhoff_Werkzeugliste_TEST.csv Speichernummer as Werkzeugnummer OUTPUTNEW Werkzeugname | table Werkzeugnummer Werkzeugname</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
      </input>
      <single>
        <search>
          <query>index=machinedata_w05_sum app=Presskraft_pro_Werkzeug_neu Werkzeugnummer=$tok_WN2$ | stats c as Stueckzahl | eval Stueckzahl = Stueckzahl + [ | search index=machinedata_w05 source=W05FBEdelhoffIV7460 Werkzeugnummer_1min OR name=Werkzeugnummer_10min OR name=NSW_Stempel_Winkel_Aktuell10ms earliest=@d latest=now | eval Nummer=case(name=="Werkzeugnummer_10min", value, Werkzeugnummer_1min!="", Werkzeugnummer_1min) | eval {name}=value | rename NSW_Stempel_Winkel_Aktuell10ms as Winkel | reverse | filldown Nummer | reverse | filldown Winkel | where Nummer=$tok_WN2$ | eval pressing = if((Winkel&gt;130 AND Winkel&lt;150), 1, 0) | fields pressing _time Kraft1 Nummer Hauptantrieb_Strom Hauptantrieb_Temperatur Hauptantrieb_Drehmoment Hubhoehe | filldown | autoregress pressing | eval pressingAction = if(pressing==1 AND pressing_p1==0, 2, 0) | reverse | stats c(eval(pressingAction==2)) as counter | return $counter ]</query>
          <earliest>1566774000</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</form>
Hello, I'm still very new to Splunk and I could use some help. I hope this question is not too general. I would like to use something like "|eval" before "|mstats", where I have to use |mstats because I use metric names, so just using "|stats" is not an option. So I want something like this:

|eval = new_field_name=substr(some_field_name, 3, 2) |mstats max(some_metric_field) prestats=f chart=t chart.limit=200 WHERE index=some_index span=1h by new_field_name

But I get the error message: Error in 'mstats' command: This command must be the first command of a search.

Another problem I have with metric data is that the following search gives me the results I want but is very slow. Any idea why, or even better how to fix it?

|mpreview index=some_index |search non_metric_field!=0 |stats count by some_field_name
Why replication Factor is equal or greater than search factor?
Hey guys, let's say I have an index called test. I am only ingesting EVTX by modifying the inputs.conf:

[monitor://D:\winevt\logs\*]
index = test
sourcetype = preprocess-winevt
crcSalt = <SOURCE>

Now there's an extra huge EVTX which is very slow to index and I want to just start afresh! What approach should I take? I would like to:

splunk stop
splunk clean eventdata
splunk start

but would it:
1. Reset my inputs.conf? I guess no.
2. If not, wouldn't it again start indexing from where I left off (given I have not changed the input and not touched the physical files)? This is what I'm seeing in my environment.

Thanks, Vikas
How can I find out when, by whom, and what changes are made to the items below in Splunk: Alerts/Saved Searches, Dashboards?
I'd like to run an efficient search over an index to find all of the types of 'vendor_action' field present in the data. However, this is a very large dataset so is there a low resource search to do this? 
Hello, having defined multiple alerts before starting to use Enterprise Security, is there a way to convert the existing alerts to correlation searches? Instead of sending emails as the action, they would add a risk score, a notable event, etc. How can I accomplish this without creating all the correlation searches manually from scratch? Thanks
Hello, I have raw data that contains the following: ....OrgnlTxRef:"04172D1xxxx","TxSts":"ACSC","StsRsnInt":{.... I'm trying to take out only the ACSC as a "TxSts" field to search for the events that don't contain it, but I can't figure it out for some reason. Can anybody help me?
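The extraction and the filter the post asks for, as an added example that is not from the original post or any answer to it. The sample events are constructed in the shape of the fragment shown; the point it demonstrates is the one that usually bites here: `TxSts!="ACSC"` and `NOT TxSts="ACSC"` are not the same search in Splunk, because `!=` only matches events where the field exists and differs, while `NOT` also returns events that have no TxSts at all.

```python
import re

# Matches the fragment shown in the post; assumes the value is always double-quoted.
TXSTS_RE = re.compile(r'"TxSts":"(?P<TxSts>[^"]*)"')

# Constructed sample events in the shape of the fragment from the post (values made up).
SAMPLE_EVENTS = [
    '....OrgnlTxRef:"04172D1xxxx","TxSts":"ACSC","StsRsnInt":{....',
    '....OrgnlTxRef:"04172D2xxxx","TxSts":"RJCT","StsRsnInt":{....',
    '....OrgnlTxRef:"04172D3xxxx","TxSts":"PDNG","StsRsnInt":{....',
    '....OrgnlTxRef:"04172D4xxxx","StsRsnInt":{....',  # no TxSts field at all
]


def extract_txsts(raw):
    """Field extraction: the TxSts value, or None when the event has no such key."""
    m = TXSTS_RE.search(raw)
    return m["TxSts"] if m else None


def not_equal(events, value="ACSC"):
    """Splunk `TxSts!="ACSC"`: the field must exist AND differ; field-less events drop out."""
    return [e for e in events
            if extract_txsts(e) is not None and extract_txsts(e) != value]


def not_match(events, value="ACSC"):
    """Splunk `NOT TxSts="ACSC"`: everything that is not a positive match,
    events without the field included."""
    return [e for e in events if extract_txsts(e) != value]


if __name__ == "__main__":
    print("TxSts!=ACSC  ->", len(not_equal(SAMPLE_EVENTS)), "events")
    print("NOT TxSts=ACSC ->", len(not_match(SAMPLE_EVENTS)), "events")
```

The SPL counterpart of the extraction is `| rex "\"TxSts\":\"(?<TxSts>[^\"]+)\""`, followed by either `| search TxSts!="ACSC"` or `| search NOT TxSts="ACSC"` depending on which of the two behaviours above you actually want. If the events are well-formed JSON, `spath` extracts TxSts without a regex, but the fragment shown has an unquoted `OrgnlTxRef` key, so it may not be.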
Hi! I'm trying to find more information about the vendor_action field, however I've not managed to do so with much success. If anyone has any insight in terms of cyber value and mapping to use cases that would be really helpful. Does there exist a taxonomy for this field?
Hi everyone, I have one requirement. I have the query below:

index=abc ns=iop app_name=api "Invoked:DOWNLOAD_S3" OR "Invoked:PULL_GRS_FILE_UPLOAD" OR "Invoked:UPLOAD_S3" OR "Invoked:DOWNLOAD_BACKEND_PUSH_TO_SF" OR "Invoked:LR_JSON" OR "Invoked:PULL_S3_UPLOAD" OR "Invoked:PUSH_S3_GRS_FILE_UPLOAD" | rex ":\s+(?<pattern>.*)$" | stats count BY pattern

I want to hide the word Invoked:, meaning I don't want to show this Invoked: on the UI dashboard. Can anyone g
Hi, I'm new to Splunk and my task is to build a Splunk dashboard where I must have a dropdown with 12 months listed in it, and the dashboard must populate data only for the selected month. Can someone let me know the Splunk query to build the same? Also, how do I set the field for value and the field for label? My logs contain fields like IssueCreated, Key, Project Id, Project Name, IssueType, Status, Summary, Assigned to, Assigned By. Thanks
Hi all, first of all, I realize this is achievable using Security Essentials; however, we have a lot of manually created correlation searches and so would need to add them manually, which seems more work than creating a new search such as this. I have two lookup tables: 'MitreFramework.csv', which is a copy-paste of the Mitre Att&ck Matrix from https://attack.mitre.org, and 'mitre_enrichment.csv', which simply contains the technique names and their mitre_ids (the fields are named exactly like this). I have also annotated all of our correlation searches with their respective Mitre technique IDs in up to three columns; an export of these in a search is shown below. I'm trying to compare the Mitre Technique IDs as above with the mitre_id field in the mitre_enrichment.csv lookup, to then get the corresponding 'technique' name, and then search for that technique field in the 'MitreFramework.csv' lookup. If it exists, something happens to a table of the Mitre Framework to indicate that it is being covered (even appending a number of 1 to the cell, or only showing the cells which are matched, would be okay). I know... this is a bit complicated; I'm hoping someone with more experience can see the logic and assist. The search for simply exporting the Mitre framework and the annotations from the correlation rules is below. 'CHR' is simply part of the naming convention we use for all our rules:

| inputlookup MitreFramework.csv
| append [| rest splunk_server=local count=0 /services/saved/searches
    | where disabled!=1
    | search action.correlationsearch.label="CHR*"
    | rex field="action.correlationsearch.annotations" "^.*attack\":\[\"(?<Mitre1>T\d+)\"]?"
    | rex field="action.correlationsearch.annotations" "^.*attack\":\[\"T\d+\",\"(?<Mitre2>T\d+)\""
    | rex field="action.correlationsearch.annotations" "^.*attack\":\[\"T\d+\",\"T\d+\",\"(?<Mitre3>T\d+?)\""
    | table action.correlationsearch.label Mitre1 Mitre2 Mitre3
    | rename action.correlationsearch.label as "Rule Name" Mitre1 as "Mitre Technique 1" Mitre2 as "Mitre Technique 2" Mitre3 as "Mitre Technique 3"]
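The coverage mapping the post describes, as an added example that is not from the original post or any answer to it. The annotations field is parsed as JSON rather than with three regexes, so a rule with four or more techniques, or a sub-technique such as T1059.001 (which `T\d+` would not capture), is still counted. All three inputs are constructed: the annotation key name `mitre_attack` is an assumption about how ES stores `action.correlationsearch.annotations`, and the enrichment rows and framework matrix are a small made-up subset with the field names the post gives.

```python
import json
from collections import defaultdict

# Constructed: rule name -> action.correlationsearch.annotations (key name assumed).
RULES = {
    "CHR - Suspicious PowerShell": '{"mitre_attack":["T1059","T1059.001"],"kill_chain_phases":["Exploitation"]}',
    "CHR - Credential Dumping": '{"mitre_attack":["T1003"]}',
    "CHR - Four Techniques": '{"mitre_attack":["T1566","T1204","T1027","T1105"]}',
    "CHR - No annotation": "",
}

# Constructed subset of mitre_enrichment.csv (fields as named in the post).
MITRE_ENRICHMENT = [
    {"technique": "Command and Scripting Interpreter", "mitre_id": "T1059"},
    {"technique": "PowerShell", "mitre_id": "T1059.001"},
    {"technique": "OS Credential Dumping", "mitre_id": "T1003"},
    {"technique": "Phishing", "mitre_id": "T1566"},
    {"technique": "User Execution", "mitre_id": "T1204"},
    {"technique": "Obfuscated Files and Information", "mitre_id": "T1027"},
    {"technique": "Ingress Tool Transfer", "mitre_id": "T1105"},
    {"technique": "Scheduled Task/Job", "mitre_id": "T1053"},
]

# Constructed subset of MitreFramework.csv as tactic column -> technique cells.
MITRE_FRAMEWORK = {
    "Initial Access": ["Phishing"],
    "Execution": ["Command and Scripting Interpreter", "User Execution", "Scheduled Task/Job"],
    "Credential Access": ["OS Credential Dumping"],
    "Defense Evasion": ["Obfuscated Files and Information"],
    "Command and Control": ["Ingress Tool Transfer"],
}


def techniques_for_rule(annotations, key="mitre_attack"):
    """Every technique ID in a rule's annotation JSON; empty or malformed -> none."""
    if not annotations:
        return []
    try:
        return [str(t) for t in json.loads(annotations).get(key, [])]
    except json.JSONDecodeError:
        return []


def coverage(rules, enrichment, framework):
    """Return {tactic: {technique name: number of rules covering it}} for every
    cell of the matrix, so uncovered cells show 0 rather than disappearing."""
    id_to_name = {row["mitre_id"]: row["technique"] for row in enrichment}
    rules_by_technique = defaultdict(set)
    for rule, annotations in rules.items():
        for tid in techniques_for_rule(annotations):
            name = id_to_name.get(tid)
            if name:  # IDs missing from the enrichment lookup are simply not mapped
                rules_by_technique[name].add(rule)
    return {tactic: {tech: len(rules_by_technique.get(tech, ())) for tech in techs}
            for tactic, techs in framework.items()}


if __name__ == "__main__":
    for tactic, cells in coverage(RULES, MITRE_ENRICHMENT, MITRE_FRAMEWORK).items():
        print(tactic, {t: n for t, n in cells.items()})
```

The SPL equivalent of `techniques_for_rule` is `| spath input=action.correlationsearch.annotations path=mitre_attack{} output=mitre_id | mvexpand mitre_id` (key name assumed as above), which removes the three-column cap and handles sub-technique IDs; after that a `lookup mitre_enrichment.csv mitre_id OUTPUT technique` and a `stats dc("Rule Name") AS rules BY technique` give the per-cell count to join back onto the matrix.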
Hi, so where is the documentation for this app? https://splunkbase.splunk.com/app/5399/ The overview comes up with many empty items and there is no required configuration step, so I wonder how useful/reliable this is. thx afx
Hi, I have the following problem with rising input creation. If I try to add the following query as a rising input, I receive an error:

SELECT * FROM DIARY WHERE DIARY_DATE > ? AND TABLE_ID = 3 ORDER BY DIARY_DATE ASC

But the following query works:

SELECT * FROM DIARY WHERE DIARY_DATE > ? ORDER BY DIARY_DATE ASC

"Step 4" fails when I click "next" on the "New input" screen; however, the query runs fine. According to the documentation it is permitted to use complex WHERE clauses: "Use other advanced SQL features in the WHERE clause—for example a CASE statement." Do you have any idea what went wrong here? Thanks, László
Hi, why doesn't my where condition work, please?

`boot` | fields host Name Path DegradationTime | stats max(DegradationTime) as DegradationTime by Path | where DegradationTime>1 | eval "DegradationTime" = round(('DegradationTime' / 1000),0)
Greetings, I am planning to set up the infrastructure monitoring app using Splunk to monitor the infrastructure's resources (memory utilization, CPU, etc.). My objective is to monitor all equipment, which includes Windows servers and clients, network switches and firewalls. I am using ArcSight connectors to collect syslog logs and forward them to my Splunk Enterprise. I need your advice on the following questions: 1. Which Splunk app is recommended to achieve this goal? 2. Is it possible to utilize the current setup mentioned above to collect the required logs for the infrastructure monitoring app? 3. Can you provide the installation guide to perform this solution? Your support is highly appreciated. Best regards
Hi Community, I'm new to this world. I saw some very helpful people helping out new starters, so I gathered the courage to ask a question. https://opstune.com/2020/07/01/spl-nuggets-visualizing-rdp-ts-connections-from-eventlogs/ I was hoping to modify the query to give me a nice visualization of RDP activity focusing only on the 1149 events.

index="xxxx" LogName="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" EventCode=1149| eval time=strftime(_time,"%Y-%m-%dT%H:%M:%SZ") | rex field=_raw ".*User:\s+(?<User>.*)\r\n" | rex field=_raw ".*Domain:\s+(?<Domain>.*)\r\n" | rex field=_raw ".*Network\sAddress:\s+(?<IP>.*)" | table host, time, User, Domain, IP

This gives me a very pretty tabular format of RDP attempts (not confirmed successful logins at times, but it will do). How could I possibly edit the query in GitHub to cater to my needs? Apart from this, is there a way we can visualize (4624?) or lateral movement in the form of a picture/timeline using Splunk? Thank you, Vikas
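The parsing in the post's query, carried one step further into the lateral-movement view the post asks about, as an added example that is not from the original post, the linked blog or any answer. It extracts User, Domain and source IP from constructed EventCode 1149 message bodies (the text is in the shape of the real event, but every value is made up), then builds a per-source-IP timeline and flags source IPs that reached more than one RDP host, which is the pivot pattern to look for. `[^\r\n]+` is used instead of the post's `.*` so a capture stops at the line break whether the event uses `\r\n` or `\n` and never drags trailing whitespace into the field.

```python
import re
from collections import defaultdict

# One regex per field; [^\r\n]+ stops at the line break whether it is \r\n or \n.
FIELD_RES = {
    "User": re.compile(r"User:\s+(?P<v>[^\r\n]+)"),
    "Domain": re.compile(r"Domain:\s+(?P<v>[^\r\n]+)"),
    "IP": re.compile(r"Network Address:\s+(?P<v>[^\r\n]+)"),
}

# Shape of the 1149 message body; host names, users and addresses below are constructed.
MSG = ("Remote Desktop Services: User authentication succeeded:\r\n\r\n"
       "User: {u}\r\nDomain: {d}\r\nSource Network Address: {ip}")

SAMPLE_EVENTS = [
    {"host": "ts01", "_time": 1600000000, "_raw": MSG.format(u="alice", d="CORP", ip="10.0.0.5")},
    {"host": "ts02", "_time": 1600000300, "_raw": MSG.format(u="alice", d="CORP", ip="10.0.0.5")},
    {"host": "ts03", "_time": 1600000600, "_raw": MSG.format(u="alice", d="CORP", ip="10.0.0.5")},
    {"host": "ts01", "_time": 1600000900, "_raw": MSG.format(u="bob", d="CORP", ip="10.0.0.6")},
    {"host": "ts01", "_time": 1600001200, "_raw": MSG.format(u="bob", d="CORP", ip="10.0.0.6")},
]


def extract(event):
    """host, _time, User, Domain and IP for one 1149 event (None where a field is absent)."""
    out = {"host": event["host"], "_time": event["_time"]}
    for name, rx in FIELD_RES.items():
        m = rx.search(event["_raw"])
        out[name] = m["v"].strip() if m else None
    return out


def timeline_by_source(events):
    """Per source IP, the chronological list of (time, DOMAIN\\user, target host)."""
    rows = defaultdict(list)
    for f in sorted((extract(e) for e in events), key=lambda f: f["_time"]):
        rows[f["IP"]].append((f["_time"], f"{f['Domain']}\\{f['User']}", f["host"]))
    return dict(rows)


def pivoting_sources(events, min_hosts=2):
    """Source IPs that reached at least min_hosts distinct RDP hosts: lateral-movement candidates."""
    hosts = defaultdict(set)
    for f in (extract(e) for e in events):
        hosts[f["IP"]].add(f["host"])
    return {ip: sorted(h) for ip, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for ip, steps in timeline_by_source(SAMPLE_EVENTS).items():
        print(ip, " -> ".join(f"{who}@{host}" for _, who, host in steps))
    print("pivoting:", pivoting_sources(SAMPLE_EVENTS))
```

The SPL counterpart of `pivoting_sources` is the post's query followed by `| stats dc(host) AS hosts values(host) AS targets min(_time) AS first BY IP | where hosts >= 2`; feeding the same rows to a timeline visualization with `IP` as the series gives the picture the post asks for. As the post notes, 1149 records a connection that passed authentication at the RemoteConnectionManager, not a completed session; for confirmed logons, pair it with EventCode 4624 Logon Type 10 on the target host.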