Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About memarshall63
memarshall63
Communicator
Member since:
04-10-2018
a month ago
Community Statistics
| Posts | 69 |
| Solutions | 14 |
| Karma Given | 7 |
| Karma Received | 7 |
| Member Since | 04-10-2018 |
Activity Feed
- Got Karma for Re: How do I drilldown to a unique URL using a table row's unique token?. 06-05-2020 12:51 AM
- Got Karma for Re: lookup table question. 06-05-2020 12:51 AM
- Karma Re: Strange timechart issue for john_dagostino. 06-05-2020 12:50 AM
- Karma Re: How to use drill-downs using whole field values? for niketnilay. 06-05-2020 12:50 AM
- Karma Re: Splunk Data Flow Architecture diagram for muralikoppula. 06-05-2020 12:50 AM
- Karma Splunk complains about "Data Durability" and "Data Searcheable" but I cannot identify the reason for afx. 06-05-2020 12:50 AM
- Got Karma for Re: Enterprise Security: can we extend the cim definition with our own custom fields?. 06-05-2020 12:50 AM
- Got Karma for Re: Help with Transaction. 06-05-2020 12:50 AM
- Got Karma for Re: Filter a Chart with Values Greater Than some Integer.. 06-05-2020 12:50 AM
- Got Karma for Re: Splunk Enterprise Security: How to exclude indexes from Authentication Data Model. 06-05-2020 12:50 AM
- Got Karma for Re: Invalid key in stanza .. in props.conf. 06-05-2020 12:50 AM
- Karma Re: Splunk 7.0.0 on Mac failing to run for mattymo. 06-05-2020 12:49 AM
- Karma Re: Just installed SA-Eventgen and get the following error: Unable to initialize modular input "modinput_eventgen" defined inside the app "SA-Eventgen": Introspecting scheme=modinput_eventgen: script running failed (exited with code 1) for guythomasdavis. 06-05-2020 12:49 AM
- Karma Re: Convert Zulu time to epoch for Aether. 06-05-2020 12:46 AM
- Posted Re: Rex pattern to extract unc path from xml on Getting Data In. 04-16-2020 07:12 PM
- Posted Re: Alert not triggering on Splunk Enterprise Security. 04-16-2020 07:00 PM
- Posted Re: REST GET request to get list of AD users on Getting Data In. 04-16-2020 06:52 PM
- Posted Re: how to pull a list of alerts which is having specific word? on Alerting. 04-16-2020 06:25 PM
- Posted Re: Rex pattern to extract unc path from xml on Getting Data In. 04-16-2020 06:00 PM
- Posted Re: Lookup command not functioning properly on Splunk Search. 04-14-2020 06:31 AM
04-16-2020
07:12 PM
Sorry.. I don't know what you mean. You could just look for the file: string. So something like:
| rex field=mystring "file:(?P<filelocation>[^<]*)"
this just looks for "file:" and then grabs whatever comes after it.
... View more
04-16-2020
07:00 PM
What is your search time frame?
A user would have to fail 40 times within your search time frame to qualify as an alert.
Is that what you're expecting?
... View more
04-16-2020
06:52 PM
Are you trying port 8000 or port 8089 -- command port is usually 8089.
... View more
04-16-2020
06:25 PM
Do you mean something like this?:
|rest /servicesNS/-/-/saved/searches
| table title eai:acl.app eai:acl.owner actions search
So maybe with your criteria, it'd be:
|rest /servicesNS/-/-/saved/searches
| table title eai:acl.app eai:acl.owner actions search
| where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%"
Alerts generally have actions so you could add a filter for those, or there may be other ways to do it:
|rest /servicesNS/-/-/saved/searches
| search NOT actions=""
| table title eai:acl.app eai:acl.owner actions search
| where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%"
... View more
04-16-2020
06:00 PM
Maybe this will help...
| makeresults
| eval mystring = "<soa:FileSystem identifier=\"8ec65285-11ac-45a5-9652-425b7494b0df\" name=\"Windows\" description=\"Windows File System\" leftaligncheckboxes=\"false\" instance=\"102711ce-e483-46bc-bf6c-f42ae6faf234\" signature=\"00000000-0000-0000-0000-000000000000\" scheme=\"file\" opencapable=\"true\" consumeopen=\"true\" emitopen=\"true\"><soa:Location>file://fileserver/folder/folder1/folder2/</soa:Location>"
| rex field=mystring "<soa:Location>file:(?P<filelocation>[^<]*)<\/soa:Location>"
... View more
04-14-2020
06:31 AM
Are you saying that the field is blank or that the column is gone in your results?
... View more
04-03-2020
09:24 AM
You're looking for a way to persist some search results -- and then further filter them?
There's a few mechanisms for that with Splunk.
I think one is the closest to what you're looking for:
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Loadjob
See also:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Usesummaryindexing
There's likely a few others that also would help.
Good luck.
... View more
04-03-2020
09:16 AM
@zacksoft in your uuery humantime and subtime are both formatting sub_time -- so they'll be the same.
If you change your last line to display:
|table humanepochtime subtime humantime
You should see the diff between humanepochtime and sub_time
... View more
04-03-2020
06:36 AM
_time is an epoch time that holds seconds since some base date. Here's some code that manipulates those values in the way you're asking for:
| makeresults
| eval serv_time = 44432
| eval epoch_time = _time
| eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S.%N")
| eval sub_time = epoch_time - (serv_time/1000)
| eval human_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")
... View more
04-03-2020
06:27 AM
No problem. I believe $click.value$ will give you the field that is clicked. However, you may want to use a specific field regardless of where on the row the click occurs. When that occurs I think $row.$ is the choice for that behavior. At any rate... good luck.
... View more
04-02-2020
05:42 AM
1 Karma
You'll likely need some form of this:
<drilldown>
<link target="_blank">/app/some_app/some_dashboard?token=$click.value$&token2=$row.fieldname$</link>
</drilldown>
https://docs.splunk.com/Documentation/Splunk/8.0.2/Viz/tokens
... View more
04-01-2020
12:45 PM
Not much to go on here... Maybe you can provide some more details around what you've tried and what your current data set or query attempts are...
Broadly you can look at these:
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Search
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Where
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchTutorial/Useasubsearch
... View more
04-01-2020
08:39 AM
Here's a search with numeric values - that you can look at:
index=_internal sourcetype=splunkd kb=*
| table _time sourcetype kb
| eval threshold = if(kb<80,"UNDER","OVER")
| streamstats current=t window=3 list(kb) as last_three list(threshold) AS all_threshholds values(threshold) AS last3_threshhold
| eval ALERT = if(last3_threshhold != "UNDER","All 3 were OVER","")
| eval GOOD = if(last3_threshhold != "OVER","Last 3 were all good","")
... View more
04-01-2020
08:17 AM
How we did that was to pull together the list of inputs and then add a streamstats like this:
| streamstats current=t window=3 values(status) AS last_three by input_name
Something like this:
index=_internal sourcetype=dbx_job_metrics
| sort input_name _time
| table input_name _time status
| streamstats current=t window=3 list(status) as last_three values(status) AS values_three by input_name
| search values_three != "COMPLETED"
You'll need to adjust a little to get your > 80% in there.. but that's the basics of it.
... View more
04-01-2020
06:20 AM
That's a tougher question.
The only way I'd know how to do that is to leave the values in a string, split it, and then use mvindex to index the 12th value in the split.
| makeresults
| eval message = "this,is,the,fourth,fifth,sixth,value"
| eval new_mvfield = split(message,",")
| eval FOURTH = mvindex(new_mvfield,3)
| eval FIFTH = mvindex(new_mvfield,4)
| eval LAST = mvindex(new_mvfield,-1)
... View more
04-01-2020
05:07 AM
You can use 'if' and 'isnull' to identify whether the field exists, and if not replace it with another field.
| makeresults
| eval there = "NOTNULL"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL")
| eval NEWFIELD2 = if(isnull(there),"FIELD IS NULL", "FIELD IS AVAIL")
or
| makeresults
| eval there = "NOTNULL"
| eval newfield = "NEW"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL")
| eval NEWFIELD2 = if(isnull(there),newfield, there)
... View more
03-31-2020
06:02 AM
Does your resulting table only have a single row in it? Or are there multiple rows?
dc returns a single value, but I think values returns a multi-value field.
I'm just shooting in the dark at this point but maybe:
Change dc(dest) AS host count -> values(dest) AS host count
Swap the field names -> dc(dest) AS hash values("matchhash") as hostcount
Remove the "by "intel_name".
I did notice that you seem to be quoting the other fields, but not dc(dest)?
... View more
03-30-2020
02:35 PM
hmm.. tough to say. At least you're saying that the token doesn't work no matter where you try to use it. That gets us back into the normal territory.
I'm confused how you're using a stats command, but also generating the rest of the notable fields. Maybe you can post a few more details of your search output, or the notable that comes out of it.
... View more
03-30-2020
01:47 PM
So you're saying that a token in the "Drill-down Name" field of your Notable isn't working, but the same token when used in the "Drill-down Search" field gets passed correctly to the drill-down search?
If that's what you're seeing -- then that is a bit nasty.. I'd start to wonder whether your browser is telling you the truth? Clear browser cache?
... View more
03-30-2020
01:27 PM
Notable link is on Lower right... under Adaptive Responses..
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a month ago
|
Karma given to
