Hi, I have a lookup definition that look like that: When I'm running this search with looking up in this lookup difinition, I'm getting the wider subnet.       index="FW" action=allowed src_ip=10.0.0.1 sourcetype=fw | lookup ipam subnet AS src_ip OUTPUT subnet AS "Source Subnet" | table src_ip "Source Subnet" dest_ip Service Protocol app Rule Device _time | sort 0 -_time       The ipam lookup contains amount of subnets that contatining each other (for example 10.0.0.0/16, 10.0.0.0/24). The results that I'm getting is for the wider subnet, in my example - 10.0.0.0/16. Is there a way to choose the smaller subnet that contains the src_ip? Thanks  

I want to write a rex to extract values in a field that are delimited by comma. index=group sourcetype="ext:user_accounts" | rex field=Ldap_group "[,\s]+(?<Ldap_group>[^,]+)" | stats values(Ldap_group) AS Ldap_group by elid, full_name The regex I wrote only gave me few values, not all of it. I wanted all values in Ldap_group  to be written separately in different rows . Requesting assistnce Field name: Ldap_group values:   MSV_EM_IMPKliAy_Standard_App,MSV_EM_IM_Federated,MSV_AAD_WkfKBarrier_Enabled,ADTestVrpVen5_23,V-IDaaS_ServiAeNKw_VKKd_Users,DTAA_ADT_AZAD_LIA_SKU_KffiAe365_Teams,MSV_EM_IM_PKKl02_Users,DTAA_EAK_HiplWkkSuppKrt_QA SPLVRP001-16,PRV_EAK_AS_SRV_HiplWkkSuppKrt_QA,ADTestVrpVen5_23 Wave_WkterAede MyID DesktKp DSK,AppliAatiKnSuppKrtEnVWkeer,KPS-VanBeurionEESSP-KF-3,VAAT-WARP ManaVementMKdule,DTAA_JPT_ITMP_SN_SVAKPS_IP_MAJKR_WkA_MANAVER,AharlKtteDiversityTeam-3,V-KPS-TEAHNKLKVY TMS SP-AN-4,DEM_WalkMe WalkMe ExtensiKn,EES1225AIBBldV31,DTAV_EAK_EAAK(),DTAA_APD_ATK_EANF_PRKD_users,DTAA_VP_EUA_HAPA_FR_PermDisable,ENT-TeAhnKlKVy-All-4,Wave_SimKn Tatham Putty x86,ETIFTE-1,DTAA_EIT_AAV_IdaaS_JPTLearner,DTAA_AFV_ITE_TEAH_PIBI_Users,APP_HitaAhi Vantara HAP Anywhere 4.5.0.4,Tera-Partners-24,APP_KraAle Java JDK 8uXXX -X86-,MSV_EM_IM_Federated,DTAA_EIT_EAAA_EAS_IDaaS_lKVWk,SP-PermissiKns-TimSlKanKrV-32,DTAA_EIT_TRIAV_Users,DP-TeAhnKlKVyVanBeurion-4,DTAA_NSK_IAS-SNVA_Default,MSV_EM_IM_VrKupAhat,AXAlients-32,V-SP_TEAH_FTE-3,APP_M365 KffiAe - MKnthly Enterprise Ahannel,V-AIA TEAM MEMBERS-2,DTAA_KRA_PRPX_BusKwnerEdit,DTAA_EIT_WWARP_View_AAAess,DTAA_AAK_ARS2S_JP_AKntraAt_ExAeptiKn,APP_SimKn Tatham PuTTY -X86-,V-KTV-TeAhnKlKVy-4,V-TIS-EPS-All-1,DTAA_AKK_TRIMS_VrKup_RelatiKnship_ManaVer_JPT,iPhKneUsers_VKKd_BYKD,APP_REALTEK USB VBE DRIVER 23.50.0211.2022,DTAA_AKK_TRIMS_VrKup_EnVaVement_ManaVer_JPT,DTAA_EIT_PMT_BPAN_IDaaS_ReadKnly,DKE-SP-TeAh_FTE-3,DTAA_AFV_EAPT_User,DTAS_NSK_IAS_ValidatiKnKnly1,NKtReVulatedUsersTKJKurnal-40,DTAA_AFV_EAPT_User_AKnfiiontial,MSVWk_AD_DEV_iKS_BYKD,DTAA_AFV_1WkV_AAAESS,APP_SynaptiAs DisplayLWkk VraphiAs 23.3.6400.0,ExAhanVeTeAhALT_AIA_FTE,DTAA_EIT_PSVHT_IdaaS_JPTLearner,Wave_MiArKsKft .NETDesktKpRuntime x64,PMSV-eaAKAKn-SendAs,DTAA_AFV_ADMF_TMDL_Kwner,DTAA_JPT_ITMP_SN_ITIL_USER_TEAHNKLKVY,DTAA_ADT_AZAD_LIA_SKU_KffiAe365_Teams,DTAA_TIV_Tab_ADMF_MAD_Wkt,1AAAAllUsers-31,MSV_AAD_WkfKBarrier_Enabled,DTAA_TIV_Tab_EAAK_EPPIA_Wkt,APP_WaaS_JP_Wksiders,Wave_ZKKm VideK AKmmuniAatiKns,AharlKtteDireAtKry-5,WAV_PRD_NP_1_TM_KX_Primary,MSVWk_ADT_AZAD_LIA_SKU_KffiAe365_Wktune,SredMyAppsMKbile,DTAA_TIV_Tab_ADMF_TMDL_Wkt,DTAA_AHS_PKrtal_IE_HKME,MSVTP_AallWkV_Private,PMSV-EAAKMessaVWkV-SendAs,DTAA_NSK_Wkternal_SKAial_AllKwed_Users,WkteVratedMarketWkVAllExAeptTellers-30,DTAA_AFV_MIM_TMIM_BUSWkESS_UNIT_KPERATKR,MSVTP_MessaVWkV_AhatKn,V-ETI TEAHNKLKVY FTE-3,Wave_VKKVle AhrKme,DTAA_VP_EUA_HAPA_FR_RemKval,DTAA_EIT_TRIAV_RepKrts,PMSV-eaAKAKn,SP_ALM_Read_AAAess_FWk_TeAh_DL-4,PriKrity_RemKte_AAAess_EAAK_Tier1,EITAll-4,APP_ZKKm ZKKm,MSVTP_MeetWkV_App_Aud_Vid_ExtAKnf,saEionTAKnneAt,Wave_AisAK Jabber,Wave_WkterAede MyID WWkdKws WkteVratiKn ServiAe,DTAA_ENT_HAPA_PKD0033,IMAKrpKrateAll-29,JP-TeAhnKlKVy-All-FTE-3,MSV_EM_IM_PKKl05_Users,V-SIFFERMAN FTE,EES1225AIBBldV3,MSV_EM_IMPKliAy_Standard_App_Aud_Vid_ReA_DialWk_ExtAKnf,DTAA_APD_ATK_EJRA_BSD_PRKD_JSW_users,LeVal_TeAhnKlKVy-4,Wave_KraAle Java JDK 8U x86,DEM_MiArKsKft EdVe WebView2 Runtime,DTAA_TKV_Pixel_Users,MSVTP_MeetWkV_App_Aud_Vid,VADI-RKKtTeamsPrKxyExAeptiKn,PilKt_MKbile_Users_Teams,DTAA_TIV_Tab_ADMF_DMI_BMD_Wkt,DTAA_WkD_1DIM_USER,SP-TS-All-32,AMTRADS-AllSaul-4,PMSV-EAAKMessaVWkV,Wave_WkterAede MyID Self-ServiAe App,RMSShare-45,DTAA_AFV_EAPT_VlKbalRead,APP_WktradK 911 LKAatiKn ManaVer 1.7.1,DTAA_TIV_Tab_EDQ_WkT

Hello again, my apologies for all of these questions. I have a lookup table called login_sessions.csv which will keep track of allowed login sessions. It has the following columns UID, sessionstart, and sessionend. I would like to add and remove entries to the lookup table depending on the value of a field called "action" in the events. If the value of action is "login" then I would like to add the userID, session_start, session_end fields from the event into the login_sessions.csv lookup, and if the value is "logoff" then I would like to remove the existing entry from the lookup. I was hoping I could use something like an if or case statement to do this, but I have only seen them used with eval and I haven't had much luck so far. E.G. if(action=="login", (inputlookup append=true login_sessions.csv | eval UID=userID, sessionstart=session_start, sessionend=session_end | outputlookup login_sessions.csv))   Is there a way to do this in a search? Thank you for any assistance.

I have a few files in which the log events happen to not be in chronological order. Specifically, an event with say, timestamp "2022-01-01 11:00:00" may occur towards the top of the log, while a different event (with a different event message) with the same timestamp may occur towards the bottom of the log. It is totally acceptable to have log events where the timestamps are exactly equal. What splunk is doing however, is merging all of these "distributed" events together into one single event. This should not happen. These are my config files:     props.conf [mySourceType] # example: 2022-07-01T23:53:54 2022-07-01T23:53:54 TIME_FORMAT = %Y-%m-%dT%H:%M:%S REPORT-default = sourcefields-default transforms.conf [sourcefields-default] SOURCE_KEY = source REGEX = /files/(.*?)/(.*?)/(.*?)/(.*?)\-(.*) FORMAT = field1::$1 field2::$2 field3::$3 field4::$4 field5::$5      

Hi, I have search which has S_host name values of different DB instances say MSSQL and Oracle in a single field. eg: S_Host Name has values such as 11xx 22xx 11yy 22yy And, I have the seperate lookups for both MSSQL & Oracle ie., lookup1 & lookup 2 lookup 1 contains   hostname supportgroup serviceoffering 11xx random support group1 random service offering1 22xx random support group2 random service offering2   lookup 2 contains   hostname serviceoffering supportgroup 11yy random service offering1 random support group1 22yy random service offering2 random support group2   My base search is   index=a sourcetype="a" "field_name"="random_value" | dedup "IP" | stats values("S_Host Name") as "S_Host Name" by "IP"   Now I have to join like this   index=a sourcetype="a" "field_name"="random_value" | dedup "IP" | stats values("S_Host Name") as "S_Host Name" by "IP" | join type=left "S_Host Name" ( [|inputlookup lookup 1 |fields hostname serviceoffering supportgroup | rename hostname as S_host Name] [|*inputlookup lookup 2 |fields hostname serviceoffering supportgroup | rename hostname as S_host Name])   But the above search is not working... Can someone help me with this?

I am looking at event data.  I can group the data by hour like this: index=wineventlog EventCode=4740 Caller_Computer_Name=SERVER14 Account_Locked_Out_Name=USER12 | TIMECHART SPAN=1h count BY Caller_Computer_Name but that gives me an hour for each day, so hundreds of rows. I want 24 rows.  i.e. I want all events that occur between Midnight and 1am, on any day, in the first row; and then all events between 1am and 2am, on any day, in the second row; and so on. I've