Hello All,   We currently use the following search to list all the Windows hosts in our environment.      | tstats dc(host) where index=windows by host     Now, i have a requirement to filter out  all Windows 10 systems  as in if the OS_Version field = Windows 10. Since the OS_Version field is not applicable to tstats , the only option i see is to use stats command as follows:     index=windows os_version="windows 10" | stats dc(host) by host     This search takes lot of time, runs  very slowly if i need query for Last 7 d time range.  I understand tstats is much faster as compared to stats and this slowness  with stats is bound to be there. Any thoughts, suggestions how to optimize this , make the search faster for  getting a list of distinct hosts , their count based on os_version ?  WHat would you all do in such a use case ? ... View more

Hello All,   I have a search that uses stats command and displays the results as follows.  Note:  I have stripped out some columns.     index=index1 sourceType=xxxx | eventstats count(action) as Per_User_failures by user | stats latest(_time) as _time, values(host), values(src_ip), dc(src_ip) as srcIpCount, values(user), values(Failure_Reason), dc(user) as userCount, values(Per_User_failures) as Per_User_failures by Workstation_Name   Now, if i further add  | where Per_User_failures > 10  condition, the search shows "No Results Found".    index=index1 sourceType=xxxx | eventstats count(action) as Per_User_failures by user | stats latest(_time) as _time, values(host), values(src_ip), dc(src_ip) as srcIpCount, values(user), values(Failure_Reason), dc(user) as userCount, values(Per_User_failures) as Per_User_failures by Workstation_Name | where Per_User_failures >10   This is incorrect  as you can see there are some values where Per_user_Failures is greater than 10 such as 11,12,13, 1037 etc.   How can i make the where clause check any of the values under the "Per_user_failures" column.  ... View more

Hi All, Can someone help to build a search to check for Total_login_Failures  > 10 (per 24H) OR  Number of Failures per user > 5?  Both conditions need to be in same search and an alert will fire with either one is met. My search so far        ( index = index1 "Failed password") earliest=-1d | eventstats count as Per_User_failures by user | stats latest(_time) as _time, values(host), values(dest_ip), values(src_ip), dc(src_ip) as srcIpCount, values(user), dc(user) as userCount, count as Total_failures by src_ip dest | rename values(*) as * | where Total_failures>=10 AND Per_user_Failures>5         ... View more

Hi All,  I am confused as in why earliest time modifier is not working out in my case ? Someone pls clarify why is splunk displaying the results this way ? Below is my search    (index=linux source="/var/log/secure" "Failed password") earliest=-1d | stats latest(_time) as _time, values(host), values(dest_ip), values(source), values(src_ip), values(src), dc(src_ip) as srcIpCount, dc(src) as srcCount, values(user), dc(user) as userCount, count as failures by src_ip dest | rename values(*) as * | table _time dest dest_ip host source srcIpCount src_ip srcCount src userCount user failures | where failures>10 AND userCount>1   This does not show any results with earliest = -1d ( Today being Nov 2 2021) Now if i change earliest=-7d , then it shows results where _time = Nov 1 2021 which is yesterday.  Below screenshot.    Why didn't earliest = -1d or even -2d show these results ?  What is making -7d pick these up but not -1d or -2d ?   ... View more

Hello, I have followed https://docs.splunk.com/Documentation/ES/6.6.2/Admin/Customizenotables and created Additional Fields under "Incident Review Settings" page and saved my changes.  Now i am seeing that when a notable is created in Incident Review dashboard,  none of my new additional fields are showing up there.  I have verified when i run the search manually,  those fields are there and there is no typo in their name. 2 Qns 1) Is there a default limit as in  how many additional fields show at the max for a Notable ? The way i see not all fields are showing up. 2) Is there a way to customize which addn. fields to show for which Notable event /Co-relaion search ? ... View more

Hello,  We are using ES and we have a lookup file downloaded which has a mix of standalone ip's and CIDRs/Subnets/.  The CSV file has 3 columns :  Description, ip, time I want to match dest_ip from my search results to any of those IPs in the lookup table ( Column "ip")  and if any matches, the results  should be displayed in a table format I am using this search          | makeresults count=2 | streamstats count | eval src_ip = case(count=1,"1.2.3.4", count=2,"2.3.4.5") | eval dst_ip = case(count=1 OR count=2, "1.234.65.61") | lookup ip_reputation_list ip as dst_ip OUTPUT ip | table _time ip            Is the above correct?  The problem i am facing is even if no IPs match, the search results still shows me the _time column  and ip column (as empty) .    How to get the search NOT show any results if IPs don't match in the lookup ,  and secondly can i compare IP with a CIDR in the lookup ?   ... View more

All,  I have a simple requirement to list failed login attempts from same src_ip in a span of 5 mins.  i have seen 2 options in the community here one using stats and other using streamstats.  Which one is more accurate ? @ITWhisperer      index=XYZ sourcetype=ABC eventName=*Get* errorCode!=success | bin _time span=5m | table _time host eventName, app, command, dest, errorCode, region, userName, user_type, user, src_ip | stats values(*) as *, count by src_ip | where count>=5 OR index=XYZ sourcetype=ABC eventName=*Get* errorCode!=success | streamstats time_window=5m count as failed_attempts by src_ip | where failed_attempts > 5 | table _time user failed_attempts src_ip dest host eventName app command, dest errorCode region userName     ... View more