cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
cfortune
Explorer
Member since: ‎10-08-2010
‎06-05-2020
Community Statistics
Posts 8
Solutions 0
Karma Given 3
Karma Received 4
Member Since ‎10-08-2010
Activity Feed
View All

Re: Help with a search query involving two time ra...

by in Splunk Search
‎06-27-2012 01:25 PM
‎06-27-2012 01:25 PM
Good question. I believe it's rolling but I'll ask to make sure. Given the wording of the request, it makes me think it's rolling (he says for ANY 60 day period). ... View more

Help with a search query involving two time ranges

by in Splunk Search
‎06-27-2012 01:04 PM
3 Karma
‎06-27-2012 01:04 PM
3 Karma
We have a Splunk instance here at my job that I've inherited. I rarely have to go do anything in it so my Splunk Fu is definitely lacking. We're looking at some new public file transfer appliance and need to know something kind of odd for licensing (according to my manager anyway). My manager wants to know, which 60 day period has the highest number of unique user id's that successfully authenticated over the last 2 years. Seems odd that someone would come up with a licensing framework where that matters but I do what I'm told... Here is an example of our current FTP logs when a user successfully logs in: 2012-06-26 22:55:39 dest_ip 21 2172 source_ip 4964 3248 Username 0 0 - 18 RESPONSE: 230-Welcome Username from dest_ip. I have custom fields setup for source, destination, and username. What I'm having trouble grasping is how to I look for the top 60 days over the last 2 years. Any help would be greatly appreciated. ... View more

Re: Help with sorting a date

by in Splunk Search
‎10-11-2010 03:42 PM
‎10-11-2010 03:42 PM
Well there is an 8 hour offset on these logs. I don't want the offset applied to the results I'm sending over. If I use _time, will that include the timezone difference I have applied? I just assumed it would so I went ahead and made a new field capturing the actual time stamp written to the logs. ... View more

Help with sorting a date

by in Splunk Search
‎10-08-2010 11:03 PM
‎10-08-2010 11:03 PM
Sorry for spamming this board (or so it feels like) but I have one more question before the weekend. This may not be even possible.... but I'm working on generating a list of IP addresses and user names that use them so we can create a white list for our FTP server. I had this list completed and thought I could call it weekend... After I sent the list over to the security folks, they requested I have the most recent date that the combination of source IP and and user name was used. When adding the date field to my counted list of results, I get (obviously), a line for every time a source IP, user name, and date are the same. Is there a way I can keep the uniqueness of the source IP and user name while having the most recent date the two were used in conjunction added to the end? Here is the search I'm using: index="ftp" host="host" "bPasswordOK=1" | fields user, src_ip, log_date | stats count by user, src_ip, log_date | sort -count ... View more

Splunk indexes some events several times?

by in Splunk Search
‎10-08-2010 09:55 PM
‎10-08-2010 09:55 PM
In some of our indexed logs, I'll see several log entries for the same log at the same time. I thought this may be an issue with the log file itself but I just checked and sure enough, there aren't several of the same event from the same time in there. Any idea what could be causing this? Here is a screen shot. The number 11196 is a unique id associated with that particular log in. As you can see, it's the same for all 10 results shown. If someone really logged in that fast, they'd have different id's there. There is an 8 hour timezone offset applied to these logs as well. Don't know if that has anything to do with it. Also, these logs are indexed via a cifs mount on the Splunk server. ... View more

Re: need help with regex for Transforms.conf

by in Splunk Search
‎10-08-2010 08:09 PM
‎10-08-2010 08:09 PM
If it helps at all, I found this video which explains adding lines to props.conf and transforms.conf (towards the end, first half or so is about the rex search command). http://blogs.splunk.com/2008/10/22/all-my-regexs-live-in-texas/ ... View more

Re: Regex - find second match?

by in Splunk Search
‎10-08-2010 06:48 PM
‎10-08-2010 06:48 PM
Worked. Thanks man! Very quick response too. ... View more

Regex - find second match?

by in Splunk Search
‎10-08-2010 05:49 PM
1 Karma
‎10-08-2010 05:49 PM
1 Karma
Was hoping I could get some help with extracting a field. I have a line that looks like: "2010-10-08 16:04:10 0.0.0.0 21 3236 255.255.255.255 22821 2312 username 0 0 - 22 Back from VerifyPassword(user=username), bPasswordOK=1, iRetCode=0" I want to extract the 255.255.255.255 as src_ip. I understand how to extract the field but I can't come up with a regex that extracts only that second IP address (as it's the source, first is the destination and is always the same, of course these are made up in this example. I don't have broadcast addresses logging into my server). I even downloaded regexbuddy but I still can't figure it out because I'm lame. Any help would be greatly appreciated. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
View All
Karma given to
View All