Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search
Splunk Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Search
Search the Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
70,000 results
Sorted by:
04-11-2022
11:17 AM
...ogout_time field in raw data. Now, the requirement is to track all activities done by the user starting from login_time and ending with login_time + 8 hours. 1) How do i add t...
- Tags:
- splunk-search
- time
Show results in replies (6)
-
You could do | transaction user startswith=(login_time=* ) maxspan=8h This will group eve...
-
if i use | transaction user maxspan=8h , how can i tell Splunk where to start from...
-
...omething like this work to get me all the activities performed by the user in that interval&n...
-
...ocumentation/SCS/current/SearchReference/DateandTimeFunctions#relative_time.28.26.2360.3Btime.26.2362.3B.2C.26lt...
-
...hat simple. If you dom those evals you'll have the logout time in the login event. The search c...
-
...axspan time to make sure the first activities and last are no more than 8 hours apart. | t...
08-19-2021
01:16 AM
Hey. Im trying to create a search that lists users that have for example more than 90 days between the last 2 logons. I have tried getting the last log on time with this: index="index" s...
Labels
- Labels:
-
search job inspector
Show results in replies (7)
-
...ork. Which server do you put this collections.conf and transforms.conf on? Search head, indexer, o...
-
...ast login is. The last search determines “active” vs “inactive”, which I set to be 90 days—if y...
-
The last search just shows a list of users with a active/inactive field right? What i am l...
-
Okay cool thanks. I have added the collections.conf and transforms.conf to the searchhead. I...
-
@jwalthour Fixed the first search with a capital E in EventCode N...
-
Please let me know if this works for you. You'd run the first search ("index=windows ...") as a s...
-
...ike ‘| eval status=if(count>1, “active”,”inactive”)’ This, however, doesn’t completely address t...
03-23-2017
08:48 AM
1 Karma
...It works fine in the Windows infra app, nix app, etc., but not the "Search Activity" app. I get the error -
Search Factory: Unknown search command 'ldapsearch'
Permissions on the ldapsearch c...
01-04-2019
05:56 AM
When matching against threat intel the notable events only shows the source and destination of the matched event. Is there a way to make the correlation search only find specific events with a s...
02-10-2017
08:26 AM
1 Karma
...og events from one single domain controller to Splunk.
What would be a proper search string to use to find account logon/logoff activity for domain admins? Will I need to do a general search for a...
07-20-2020
12:21 PM
...can add inline to tell splunk I want the "original" event, and not results from my own search activity on the said event? I know I can use a NOT user=me, but that's super explicit and that c...
- Tags:
- _audit
03-18-2020
05:23 AM
I have to show active vpn users at any point of time for e.g. last 15 minutes, last one hour etc.. but these has to be shown based on the user login and logout status, as when I take more time span t...
Show results in replies (5)
-
my answer is for your question how to search for distinct count of active users based on ... N...
-
...ession_id | search NOT status="logout" | stats count
-
...serid status | where status="login" | eventstats count as active_user Splunk's default search i...
-
...tatus="logout","inactive",if(status="login","active","unknown")) | search NOT session="unknown" | e...
-
...serid | eval active=login_count-logout_count | table userid, login_count, logout_count, active A...
12-17-2019
11:04 AM
Hello everybody, (Sorry for my english) splunk version 7.0.0
I have two problems on my search
I am searching the activity of log in of three users last month, the problem here is when i w...
02-18-2015
07:49 AM
I need to be able to detect this pattern of events, in a series of events where the TERMINAL number is increasing by 1 and eventually has a status of 'S', in other words, I need to be detect the eve...
11-13-2019
10:39 AM
...arliest >= relative_time(now(), "-1d@d"), 30, 0)
I want to make sure I am checking the last 30 days of admin activity in the lookup against the 15m I just searched for. If nothing is found no alarm b...
