Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About alexspunkshell
alexspunkshell
Contributor
Member since:
07-16-2018
03-10-2026
Community Statistics
| Posts | 126 |
| Solutions | 1 |
| Karma Given | 76 |
| Karma Received | 1 |
| Member Since | 07-16-2018 |
Activity Feed
- Karma Re: Splunk Search to find the list of CIM Mapped indexes for meetmshah. 04-08-2024 04:17 AM
- Posted Splunk Search to find the list of CIM Mapped indexes on Splunk Search. 04-08-2024 01:52 AM
- Posted Re: Search result count on Splunk Search. 04-01-2024 12:35 AM
- Posted Search result count on Splunk Search. 04-01-2024 12:28 AM
- Posted Re: Filter results based on timeframe on Splunk Search. 09-25-2023 11:25 AM
- Posted Re: Filter results based on timeframe on Splunk Search. 09-25-2023 11:21 AM
- Karma Re: Filter results based on timeframe for gcusello. 09-25-2023 11:17 AM
- Posted Re: Filter results based on timeframe on Splunk Search. 09-25-2023 08:00 AM
- Karma Re: Filter results based on timeframe for gcusello. 09-25-2023 07:56 AM
- Karma Re: Filter results based on timeframe for gcusello. 09-25-2023 07:56 AM
- Posted Re: Filter results based on timeframe on Splunk Search. 09-25-2023 06:36 AM
- Posted How to filter results based on timeframe? on Splunk Search. 09-25-2023 06:04 AM
- Posted Re: Issue with Sourcetype name on Getting Data In. 09-22-2023 11:45 AM
- Posted Issue with Sourcetype name on Getting Data In. 09-22-2023 09:50 AM
- Posted Splunk query to get the list of Use Cases on Splunk Search. 09-12-2023 09:12 AM
- Karma Re: Field Extraction using Regex for isoutamo. 07-04-2023 11:47 PM
- Karma Re: Field Extraction using Regex for isoutamo. 07-04-2023 11:47 PM
- Karma Re: Field Extraction using Regex for isoutamo. 07-04-2023 11:47 PM
- Karma Re: Field Extraction using Regex for isoutamo. 07-04-2023 11:47 PM
- Posted Re: Field Extraction using Regex on Splunk Search. 07-04-2023 11:18 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-08-2024
01:52 AM
Below are the CIM Macros where i am using and there are different indexes mapped in individual macros. I want to get the list of all indexes mapped in all the CIM Macros. Hence i did a scheduled search which runs and check all the macros. But it is utilizing lot of memory and even searches are failing. Please help me with a better way to get the list of all indexes mapped in CIM Macros. cim_Authentication_indexes
cim_Alerts_indexes
cim_Change_indexes
cim_Endpoint_indexes
cim_Intrusion_Detection_indexes
cim_Malware_indexes
cim_Network_Resolution_indexes
cim_Network_Sessions_indexes
cim_Network_Traffic_indexes
cim_Vulnerabilities_indexes
cim_Web_indexes
... View more
04-01-2024
12:35 AM
ep_winevt_ms* - This index is mapped in Data Model Macros. I want to exclude all other indexes in (ep_winevt_ms*) and take the count as 1 to know the unique indexes. @ITWhisperer
... View more
04-01-2024
12:28 AM
I have 10 indexes starts with "ep_winevt_ms" . So i am using * here "index=ep_winevt_ms*". But while taking the | stats count i want only 1 count for the entire "ep_winevt_ms*". I don't want 10 count for "ep_winevt_ms*". Please help
... View more
09-25-2023
11:25 AM
@gcusello SPL Used index=test
|rename client.userAgent.rawUserAgent as User_Agent client.geographicalContext.city as Src_City client.geographicalContext.state as src_state client.geographicalContext.country as src_country displayMessage as Threat_Description signature as Signature client.device as Client_Device client.userAgent.browser as Client_Browser
| strcat "Outcome Reason: " outcome.reason ", Outcome Result: " outcome.result Outcome_Details
| strcat "Source Country: " src_country ", Source State: " src_state Src_Details | eval period=if(_time>now()-86400,"Last 24 hours","Previous")
| eventstats
dc(period) AS period_count
BY src_ip user
| stats
count
values(period_count) AS period_count
min(_time) as firstTime
max(_time) as lastTime
by src_ip user Signature Threat_Description Client_Device eventType Src_Details Src_City Outcome_Details User_Agent Client_Browser outcome.reason
... View more
09-25-2023
11:21 AM
@gcusello For all the results i am getting period_count=1. Whereas only a few IP are used my user="*@xyz.com*" in the last 30 days. I want to particularly filter if, the IPs were used by user="*@xyz.com*".
... View more
09-25-2023
08:00 AM
@gcusello Thanks for your help. I tried all the changes in the SPL too. However, period_count is showing 1. Hence i am unable to filter in results.
... View more
09-25-2023
06:36 AM
@gcusello
index=test
eventType IN (security.threat.detected, security.internal.threat.detected)
|rename client.userAgent.rawUserAgent as User_Agent client.geographicalContext.city as Src_City client.geographicalContext.state as src_state client.geographicalContext.country as src_country displayMessage as Threat_Description signature as Signature client.device as Client_Device client.userAgent.browser as Client_Browser
| stats count min(_time) as firstTime max(_time) as lastTime by src_ip user Signature Threat_Description Client_Device eventType Src_Details Src_City User_Agent Client_Browser
... View more
09-25-2023
06:04 AM
In my search results, I am getting IP and user details.
I want to filter my search results if the same IP has been used by any user "*@xyz.com" in last 30 days.
... View more
09-22-2023
11:45 AM
@richgalloway No luck! But I confirm there is no other files and settings. Command used : index=vmware | stats count by sourcetype Currently syslog is ingesting via universal forwarder. Current configuration input.conf [monitor:///opt/syslog/vmware/10.149.xx.xx/*-syslog.log] disabled = false host_segment = 4 index = vmware-vclog sourcetype = vclog initCrcLength = 2048 Props.conf [source::/opt/syslog/vmware/10.149.xx.xx/*] TRANSFORMS-null= setnull [vclog] LINE_BREAKER = ([\r\n]+)\<\d+\>\d SHOULD_LINEMERGE = false transforms.conf [setnull] REGEX = ^\w+\W DESK_KEY = queue FORMAT = nullQueue
... View more
09-22-2023
09:50 AM
I am getting different sourcetype name in my logs. But I want the sourcetype name as per conf file. Below are the screenshots of input.conf, props.conf & transforms.conf . Props & Transforms Inputs
... View more
Labels
09-12-2023
09:12 AM
I am looking for a Splunk Query which gives me all the enabled & disabled state use-cases.
... View more
07-04-2023
11:18 AM
@isoutamo First line of the below log Y63......ends with /. Whereas third line y63....ends usually. Does this make change? 10.218.136.20 - - [30/Jun/2023:02:36:40 +0000] "GET /api/v2/runs/run-Y63d5qeBk3pDHpJZ/run-events?include=comment%2Cactor HTTP/1.1" 304 0 "https://terraform.srv.companyname.com.au/app/customer/workspaces/a00964-tfe-test-customer_infra_main/runs/run-Y63d5qeBk3pDHpJZ" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
... View more
07-04-2023
10:48 AM
@isoutamo Other logs 10.218.136.20 - - [30/Jun/2023:02:36:37 +0000] "GET /api/v2/workspaces/ws-ukz9TnHNE9kN4eCa?include=agent_pool%2Ccurrent_configuration_version%2Ccurrent_run%2Ccurrent_state_version%2Clocked_by%2Creadme%2Coutputs HTTP/1.1" 304 0 "https://terraform.srv.companyname.com.au/app/customer/workspaces/a00ccc-tfe-dev02-customer_infra/runs/run-ACevPzmMTYE6UP5e" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
10.218.136.20 - - [30/Jun/2023:02:36:40 +0000] "GET /api/v2/runs/run-Y63d5qeBk3pDHpJZ/run-events?include=comment%2Cactor HTTP/1.1" 304 0 "https://terraform.srv.companyname.com.au/app/customer/workspaces/a00964-tfe-test-customer_infra_main/runs/run-Y63d5qeBk3pDHpJZ" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
... View more
07-04-2023
10:35 AM
@isoutamo Still i am getting "\" at the end of the workspace_id results.
... View more
07-04-2023
10:11 AM
@isoutamo Thanks for your reply. Results for Workspace_name is fine. But workspace_id ends with a backslash. Can i get the result without \
... View more
07-04-2023
09:56 AM
I am trying to extract 2 fields from my logs.
Logs:
10.218.136.20 - - [30/Jun/2023:02:36:32 +0000] "GET /api/v2/runs/run-g1mhsXooK6aKV9bS?include=plan%2Ccost_estimate%2Capply%2Ccreated_by HTTP/1.1" 200 5460 "https://terraform.srv.companyname.com.au/app/customer/workspaces/a00ccc-tfe-test02-customer_infra_ping/runs/run-g1mhsXooK6aKV9bS" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
Here i want to extract 2 new fields
1. workspace_name="a00ccc-tfe-test02-customer_infra_ping"
2. workspace_id="g1mhsXooK6aKV9bS"
Please help me with regex & thanks in advance!
... View more
Labels
- Labels:
-
field extraction
-
fields
-
regex
-
rex
09-29-2022
09:29 AM
I have an SPL which gives a result. I want to get a trend of the result. So I tried using timechart command, but it is not working. Query | tstats `summariesonly` earliest(_time) as _time from datamodel=Incident_Management.Notable_Events_Meta by source,Notable_Events_Meta.rule_id | `drop_dm_object_name("Notable_Events_Meta")` | `get_correlations` | join rule_id [| from inputlookup:incident_review_lookup | eval _time=time | stats earliest(_time) as review_time by rule_id] | eval ttt=review_time-_time | stats avg(ttt) as avg_ttt | sort - avg_ttt | `uptime2string(avg_ttt, avg_ttt)` | rename *_ttt* as *(Time_To_Triage)* | fields - *_dec |table avg(Time_To_Triage) |rename avg(Time_To_Triage) as "Mean/Average Time To Respond"
... View more
Labels
- Labels:
-
timechart
09-21-2022
11:12 AM
I want to exclude duration results if greater than 7 days. So i used search NOT but it is not working.
Can someone help here?
Query
index=sentinelone | eval duration=tostring(now()-strptime(installedAt,"%Y-%m-%dT%H:%M:%S.%6N"),"duration") | table _time installedAt agentDomain duration |search installedAt!="Null"
... View more
09-05-2022
04:52 AM
@gcusello @ITWhisperer Though I gave | search duration <7+ condition, I am getting results other results. How to exclude the results within 7 days.
... View more
09-05-2022
03:50 AM
@ITWhisperer @gcusello I have new installs but the query is updating the latest time to all results and showing all the results. Here I need the installation that occurred over the past 7 days.
... View more
09-05-2022
03:40 AM
@ITWhisperer @gcusello Tried using the queries. But no results.
... View more
09-05-2022
02:56 AM
I have installedAt field which gives the application's installation time.
If I run a Splunk search for the last 7 days it shows the application installed at different times.
So I want the query to find the applications installed in the last 7 days.
... View more
Labels
- Labels:
-
eval
-
fields
-
transaction
09-01-2022
10:05 AM
Below query, I have used and it is saving in output lookup format.
Lookupname - S1_installedtime
Query - index=sentinelone |table installedAt agentComputerName agentDomain |search installedAt!="Null" |dedup agentComputerName
installedAt - This field is giving the installation time
Now I want a query that compares with the lookup table(S1_installedtime) and gives a result if any new agentComputerName in the last 1-week.
Objective - Need a list of agentComputerName having SentinelOne installed in the last 7 days.
... View more
Labels
- Labels:
-
eval
-
lookup
-
metadata
-
stats
-
transaction
08-11-2022
12:45 PM
@Taruchit You are right.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-10-2026
03:01 AM
|
