Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Search
Splunk Community
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Search
Search
Search the Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
5,000 results
Sort by:
01-26-2024
10:33 AM
My current search is - | tstats count AS event_count WHERE index=* BY host, _time span=1h | append [ | inputlookup Domain_Computers | fields cn, operatingSystem, o...
01-05-2024
10:29 AM
...ire. The SPL looks like this | inputlookup path_principals_lookup
| eval domain_id=if(isnull(domain_id), "NULL_domain_id", domain_id)
| eval domain_name=if(isnull(domain_name), "N...
- Tags:
- alerts
- inputlookup
Labels
- Labels:
-
fields
Show results in replies (6)
-
Just a follow up, are you readjusting the cron schedule to fire soon after making the adjustment to...
-
The outputlookup should have been inputlookup. My brain slipped a gear when I was entering t...
-
Okay so I think since your trigger condition is search count>0 &...
-
I've tried that and I didn't see anything. I tried it again and I still don't see the alert f...
-
Awesome! Glad you got it resolved!
-
I just changed the cron job. I was just running it from the UI. Once I did that, ...
04-08-2025
08:11 AM
...ype" values. Splunk is parsing the JSON just fine, so these fields can be referenced as "message_info.message_set{}.type" in searches. I'd like to set up an inputlookup that maps these numerical v...
02-08-2023
02:34 AM
Hello Splunkers,
Please if someone can help me with a Splunk query,
I have a list of IPs I imported in lookup table, I want to grab the FW traffic where dest_ip in the FW logs matches my lookup l...
Show results in replies (4)
-
...lackip" and the field in the main search is "dest_ip", you have to rename it: index=fw [ | inputlookup...
-
...oining them with the main search results. inputlookup is used in the main search or in subsearches....
-
...ndex=fw [ | inputlookup blackip.csv | fields dest_ip ] | stats values(src_ip) values(dest_ip) by port &n...
-
Thanks a billion @gcusello it was great explanations from you I got the results I ...
01-30-2023
11:29 PM
...2 NOT ([ inputlookup FP_malware.csv]) | eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")|stats count by time hip hdn etdn p2 | dedup p2
it seems not working . So how can i fix this ????? Many t...
Show results in replies (6)
-
...se NOT [ | inputlookup ... ] The response coming back from the subsearch will be p2=x OR p2=y O...
-
Thanks alot , i have one more questions , I just install misp42 app in my splunk , a...
-
@abazgwa21cz For a new question, please ask it in a new topic, so that any answers relate to t...
-
I did , but no solution receive , Can u help me pls : https://community.splunk.com/t5/Splunk...
-
...ath is the field in the search, index="kaspersky" AND etdn="Object not disinfected" p2 NOT [ | inputlookup...
-
my mistake . thanks alot it work now
11-30-2023
07:22 AM
I am trying to build my own kvstore geo data, so far i can run | inputlookup geobeta
| where endIPNum >= 1317914622 and startIPNum <= 1317914622
| table latitude,longitude
That returns: l...
Show results in replies (3)
-
Subsearches are executed before the main search so your ip_address_integer has no value when the inputlookup...
-
...hewhere clause inside the inputlookup command. Put attention that the AND logical operator must be i...
-
...p_address_integer=first+second+third+fourth | map search=" | inputlookup geobeta | where endIPNum &g...
09-01-2023
04:50 AM
Apologies, I am quite new to Splunk so not sure if this is possible, I have the following simple query: | inputlookup appJobLogs
| where match(MessageText, "(?i)general e...
09-06-2023
06:31 AM
Hi I cross the results of a subsearch with a main search like this index=toto [inputlookup test.csv |eval user=Domain."\\"Sam |table user] |table _time user Imagine I need to add a new lookup i...
- Tags:
- other
Show results in replies (3)
-
...ndex=toto ([ | inputlookup test.csv OR inputlookup test2.csv | eval user=Domain."\\"Sam | table user ] O...
-
Just pointing out here that the statement | inputlookup test.csv OR inputlookup test2.csv is n...
-
Try this by combining the two lookups using append for the second lookup index=toto [ | inputlookup...
06-28-2023
08:28 AM
...o improve this? | inputlookup lookup.csv | join type=outer [search index=os sourcetype=ps "abc.pid" OR "abc.bin" | stats count as heartbeat by host ] | fillnull heartbeat value=0 | where h...
12-05-2023
10:02 AM
VERY new to splunk. I have a query that scans a vulnerability report for critical vulnerabilities: index=vulnerability severity=critical | eval first_found=replace (first_found, "T\S+", "") ...
- Tags:
- inputlookup
Labels
- Labels:
-
using Splunk Enterprise
