cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ahendler1
Explorer
Member since: ‎08-30-2018
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎08-30-2018
Activity Feed
View All

Re: Splunk SPL - How to extract associated logs fr...

by in Splunk Enterprise Security
‎08-31-2018 06:53 AM
‎08-31-2018 06:53 AM
@DalJeanis This works great! However, it returns the stats for the fields Hour, lasHour, maxHour, myflag, and prevTwelveHourAvg Ultimately I am trying a csv export of those logs associated with the maxHour in the case it is above that 2*prevTwelveHourAvg threshold. Is there a way to alter the query so that it is returning the logs for export from hours 12-13? ... View more

Splunk SPL - How to extract associated logs from s...

by in Splunk Enterprise Security
‎08-30-2018 07:03 PM
‎08-30-2018 07:03 PM
Hello, I have a search which returns the moving average # of logs for a 12hr period (1hr prior) and the most recent hour, where the most recent hour has been at least double the moving average. index=1234 message="auth failure*" earliest=-13h@ latest=-1h@ | bucket _time span=1h | stats count as logCountByHour by _time | stats avg(logCountByHour) as prevTwelveHourAvg | appendcols [search index=1234 message="auth failure*" earliest=-h@h latest=@h | stats count as lastHour ] | where lastHour>2*prevTwelveHourAvg How would I extract the associated logs and fields out of this query (eg the logs of the most recent hour). Thank you for your help! ... View more

Re: SPL: How to perform a SQL Like Minus Operation...

by in Splunk Search
‎08-30-2018 03:35 PM
‎08-30-2018 03:35 PM
@pyro_wood Works great, thank you! ... View more

SPL: How to perform a SQL Like Minus Operation?

by in Splunk Search
‎08-30-2018 12:50 PM
‎08-30-2018 12:50 PM
I am trying to remove certain logs from a base query of a certain type based on the results of another query of a different type of log. Both are connected by the user field. Specifically, I have identified instances where a user has 4 or more failed login attempts, and am trying to remove instances where they successfully changed their password after. This leaves a list of users, and their associated logs, who have a large number of failed logins but did not update their password. Here is the base query: index=1234 logger_name=auth message="user failed to login" earliest=-24h latest=now | stats count by user | search count>=4 | join user [search index=1234 logger_name=auth message="user failed to login*" earliest=-24h latest=now] Here is the query I am essentially trying to include. However, SPL only handles left, right, and inner joins | MINUS user [search index=1234 logger_name=passwordchange message="Update Password:Success" earliest=-24h latest=now] How might I accomplish this? Thank you for your help. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All