base query | regex field= "XXX*(?.*)" | stats count by regular_expression_value
This query is displaying 5 lines but I want only the first lines.
How to get this using abstract maxlines=1?
I've developed an app that contains dashboards.
For now, I have deliberately not limited the searches to specific indexes. Two reasons (but not the only reasons):
I developed the app in Splun...
Hi, could you please help me with the use of the abstract command for the below event? What would be the output for the below command if the abstract command is used? Thanks
3/3/18
8:29:19.637 AM
03-03-2018 08:29:19.637...
How can I use the abstract command? My query is | makeresults | eval test = " 123456789 123 456" | abstract maxlines=1 This query should be "test = 123456789" I think. But whole c...
...rror codes, Business Error Codes and SLA for example. We are having trouble getting this schema to work using an abstract CSV file (see example below).
Has anyone successfully implemented such a data s...
How do I extract the first 3 characters from a field?
I thought it might be something like ... | eval First3=substring(fieldname,3)
Anyone know the function or regex that would do this?
Hello,
I need help to further sort the following data. In the sample data in the screenshot, I wanted to group the password.
The output should look like
problem abstract c...
...======================================== Strategy Abstract The strategy will function as follows: Utilize tstats to summarize SMB traffic data. Identify internal hosts scanning for open SMB ports outbound to external hosts. T...
Hello, I would like to investigate the login behaviour of users. I use this search: I receive the following example log: The "abstract" function creates the field "Kontoname". This c...
How can I get data from McAfee ePO directly into Splunk? I see that there is an Add-on for McAfee, but that requires syslog configuration over TLS, which I'm having issues configuring.