Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About christopheducha
christopheducha
Explorer
Member since:
04-05-2018
12-27-2021
Community Statistics
| Posts | 6 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 04-05-2018 |
Activity Feed
- Posted Re: Extract multiple values with the same delimiter on All Apps and Add-ons. 07-30-2020 12:41 PM
- Posted How to extract multiple values with the same delimiter? on Splunk Search. 07-29-2020 08:04 AM
- Posted Extract multiple values with the same delimiter on All Apps and Add-ons. 07-29-2020 08:00 AM
- Got Karma for Re: Event Time is less then 10 min old. 06-05-2020 12:49 AM
- Posted UserSID lookup on Splunk Enterprise. 04-27-2019 07:48 AM
- Tagged UserSID lookup on Splunk Enterprise. 04-27-2019 07:48 AM
- Tagged UserSID lookup on Splunk Enterprise. 04-27-2019 07:48 AM
- Posted Re: Event Time is less then 10 min old on Splunk Search. 04-06-2018 02:50 AM
- Posted Event Time is less then 10 min old on Splunk Search. 04-05-2018 04:23 PM
- Tagged Event Time is less then 10 min old on Splunk Search. 04-05-2018 04:23 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-30-2020
12:41 PM
Thank you much appreciated.
... View more
07-29-2020
08:04 AM
Hi
I'm trying to regex my way into this puzzle, let me explain my problem.
event 1 (field 2) raw value = log:word1 log:word2 log:word3
event 2 (field 2) raw value = log:19 log:word4
or
The value in field2 from the first event (raw value).
log:word1 log:word2 log:word3
The value in field2 from the second event (raw value).
log:19 log:word4
I want to extract these "log:" values into 3 fields. Something like field log1 , log2 and log3.
So I tried with this regex :
":(?<log1>\S*) log:(?<log2>\S*) log:(?<log3>\S*)"
Works perfectly with event 1, but didn't work for event 2 because there or only 2 “log:” values. Can anybody tell me how to make this work?
... View more
- Tags:
- delimiter
Labels
- Labels:
-
regex
07-29-2020
08:00 AM
Hi I'm trying to regex my way into this puzzle, let me explain my problem. event 1 (field 2) raw value = log:word1 log:word2 log:word3 event 2 (field 2) raw value = log:19 log:word4 or The value in field2 from the first event (raw value). log:word1 log:word2 log:word3 The value in field2 from the second event (raw value). log:19 log:word4 I want to extract these "log:" values into 3 fields. Something like field log1 , log2 and log3. So I tried with this regex ":(?<log1>\S*) log:(?<log2>\S*) log:(?<log3>\S*)" Works perfectly with event 1, but didn't work for event 2 because there or only 2 “log:” values. Can anybody tell me how to make this work?
... View more
Labels
- Labels:
-
search
04-27-2019
07:48 AM
Hello I have an index called ‘RDIIS’ with 4 fields named SourceIP , UserSID , DestIP and Host. Important to know is that UserSID refers to the SID of an active directory user. I also have a second index ‘ADdump’ with 2 fields UserSID and Username.
Can I combine somehow the two indexes and have this table, so that the UserSID gets associated with the wright Username?
“| Table _time , Host, SourceIP, DestIP , UserSID , Username “
... View more
- Tags:
- lookups
- splunk-light
Labels
- Labels:
-
configuration
04-06-2018
02:50 AM
1 Karma
Thanks, exactly what I wanted. Works like a charm.
... View more
04-05-2018
04:23 PM
Hello
I'm a splunk newbie, be gentle please.
I'm try to monitoring my VPNs status with splunk, unfortunately my firewall does not log vpn up or down.
So I made a powershell script that makes every 4 minutes a set of pings to an IP on the destination site of each VPN.
Each ping gets exported to a csv file, automatically renamed with timestamp to a new source file name from each vpn.
My search string is:
index=ping | eval Procent=if(like(_raw, "%100%" ), "DOWN" , "UP") | table _time , VPN , Procent , SyncOff | sort VPN , -_time | dedup VPN
Procent stands for set of pings that are 100% lost.
Works perfectly so far.
But I wanted to have the "SyncOff" field to tell me if one of the VPN's hasn't been pinged in the last 10min, due to a powershell script malfunction or whatever.
So in short, if _time is less then 10min, set field Syncoff to "Out of Sync".
Can anybody help me with this, please?
... View more
- Tags:
- _time
