Hi there @mchandrasekaran Thats weird, I've tested it on prod data and it's working. May I ask, why do you believe is not working after the append? Regarding the new approach, its doable for sure. Avoid gigantic CSV's. ... View more

Hi @mchandrasekaran This obviously needs hardcore improvement but it might help you. index=wineventlog sourcetype=WinEventLog:Security EventCode=4740 | eval Account=mvindex(Account_Name, 1) | regex Account!="\\$" | eval blockTime=_time | eval modtime=if(blockTime > relative_time(now(), "@d"), "Today", "PreviousDays") | search modtime=Today | stats latest(_time) AS accblockTime, sum(eval(EventCode="4740")) AS AccBlocks by Account modtime | convert ctime(accblockTime) | appendcols [search index=wineventlog sourcetype=WinEventLog:Security (EventCode=4723 OR EventCode=4724 OR EventCode=4625) | eval Account=mvindex(Account_Name, 1) | regex Account!="\\$" | eval eventTime=_time | eval modtime2=if(eventTime < relative_time(now(), "@d"), "PreviousDays", "Today") | search modtime2=PreviousDays | stats sum(eval(EventCode="4724")) AS PwdResets, sum(eval(EventCode="4723")) AS PwdChanges, sum(eval(EventCode="4625")) AS LoginFailures by Account modtime2] | table Account AccBlocks accblockTime PwdResets PwdChanges LoginFailures So, this will give you the amount of account blocks and the latest block's timestamp per user for the current day. After that, this will search for any password resets, password changes and login failures for each one of them during the previews days. You can also add some case statement to alert based on certain conditions. Hope it helps. ... View more

Hi @Karl12347 Did you check your Audit Policies ? Perhaps you are not auditing those events. ... View more

Nice, I'm glad it helped ! ... View more

Hi there mate, Check this out: http://docs.splunk.com/Documentation/Splunk/latest/Report/Embedscheduledreports ... View more

Hi @ppanchal I'm not sure about this, but I believe it's because you set up 10k rows in "Max Rows to Retrieve" and you schedule the execution of the sqlquery to run only at 14:12 each day. So you end up with 10k of events per day only. This parameter adjusts the number of rows to retrieve with each query execution. So you either increase the amount of rows to retrieve or you can schedule your query to run more often. Hope it helps. ... View more

Hi there kiran331, If you create an eventtype for each zone you'll end up with one value as token for each zone, like this. eventtypes.conf [zone1] search = (eventtype="host-detection_zone1" OR eventtype=vm_detection-zone1") [zone2] search = (eventtype="host-detection_zone2" OR eventtype=vm_detection-zone2") Hope it helps. ... View more

I'm glad it helped you! Happy Splunking! ... View more

Hi there mate, sure there is. In the link that pasted above from Splunk docs if you look at the left side of the web page, you'll see this menu. In there you will find the step by step procedure to index your data. ... View more

Hi there, Just go to Settings > Data Inputs > Files & Directories OR select how to index your input according to your data source. After that, just follow the wizard. If you have any doubt, don't hasitate. This will probably help you a lot more, http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Configureyourinputs ... View more

Hi there inventsekar, Perhaps dedup command can help you with this. source=sdesktop "Available" | dedup resource | table resource _time Hope it helps. ... View more

Hi there, Did you try disabling enable_query_wrapping on your inputs.conf ? ... View more

Passing a false value to TIME_PREFIX parameter could work, splunk wont be able to find the timestamp, hence one big event with the current timestamp. With the given sample data, this worked for me. [<SOURCETYPE NAME> ] SHOULD_LINEMERGE=true NO_BINARY_CHECK=true CHARSET=UTF-8 disabled=false TIME_PREFIX=asdasd Hope it helps. ... View more

Hi there, try with this main search | stats sum(bytes_field) by User IP ... View more

Recently some DB inputs got disabled somehow. No clue about it. ... View more

Hi kpavan, You could try doing this https://code.google.com/archive/p/eventlog-to-syslog/ Hope it helps. ... View more

Hi apurva, For search-time extractions add this to your props.conf [log4j] EXTRACT-my_ext = your_regex Hope it helps. ... View more

I see now, give this a try. your search | rename ENDPOINT_LOG{}.* as * | eval temporal=mvzip(EML_REQUEST_TIME,EML_RESPONSE_TIME,"##") | table temporal | mvexpand temporal | rex field=temporal "(?<EML_REQUEST_TIME>.*)##(?<EML_RESPONSE_TIME>.*)" | eval average_response_time= strptime(EML_REQUEST_TIME , "%Y-%m-%d %H:%M:%S.%3N") - strptime(EML_RESPONSE_TIME , "%Y-%m-%d%H:%M:%S.%3N") | table EML_REQUEST_TIME EML_RESPONSE_TIME average_response_time ... View more

Can you provide sample data ? ... View more

Can tell if it works with the complete _raw data, but I believe its possible. ... View more

Did you try with my last answer ? ... View more

I can see whats happening. Try with this, | rename "ENDPOINT_LOG.EML_REQUEST_TIME" as EML_REQUEST_TIME | rename "ENDPOINT_LOG.EML_RESPONSE_TIME" as EML_RESPONSE_TIME | eval average_response_time = strptime(EML_REQUEST_TIME, "%Y-%m-%d %H:%M:%S.%3N") - strptime(EML_RESPONSE_TIME, "%Y-%m-%d%H:%M:%S.%3N") ... View more