cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ashishmgupta
Explorer
Member since: ‎01-14-2019
‎06-05-2022
Community Statistics
Posts 7
Solutions 1
Karma Given 5
Karma Received 0
Member Since ‎01-14-2019
Activity Feed
View All

Splunk : Spath searching the JSON array

by in Splunk Search
‎11-11-2021 01:19 PM
‎11-11-2021 01:19 PM
I have below two JSON events where under "appliedConditionalAccessPolicies", in one event policy1 has results =failure and policy2 has results=notApplied. In the other event the values are reversed. Now I'm trying to get the event where the policy1 has the status="failure", it gives both the events   index=test | spath path="appliedConditionalAccessPolicies{}" | search "appliedConditionalAccessPolicies{}.displayName"="policy1" "appliedConditionalAccessPolicies{}.result"="failure"   I have below two JSON events where under "appliedConditionalAccessPolicies", in one event policy1 has results =failure and policy2 has results=notApplied. In the other event the values are reversed. Now I'm trying to get the event where the policy1 has the status="failure", it gives both the events index=test | spath path="appliedConditionalAccessPolicies{}" | search "appliedConditionalAccessPolicies{}.displayName"="policy1" "appliedConditionalAccessPolicies{}.result"="failure" It looks like Its searching within all the elements in the array. How can I ensure It searches both the conditions on each element of the array and return the event which has the element satisfying both the conditions. Events :   appDisplayName: App1 appId: aaaa-1111-111aeff-aad222221111 appliedConditionalAccessPolicies: [ { displayName: policy1 enforcedGrantControls: [ Block ] enforcedSessionControls: [ SignInFrequency ContinuousAccessEvaluation ] id: f111113-111-400c-a251-2123bbe4233e1 result: failure } { [-] displayName: policy2 enforcedGrantControls: [ [-] Block ] enforcedSessionControls: [ [-] ] id: sdsds-8c92-45ef-sdsds-c0b2e006d39b result: notApplied } ] appDisplayName: App1 appId: aaaa-1111-111aeff-aad222221111 appliedConditionalAccessPolicies: [ { displayName: policy1 enforcedGrantControls: [ Block ] enforcedSessionControls: [ SignInFrequency ContinuousAccessEvaluation ] id: f111113-111-400c-a251-2123bbe4233e1 result: notApplied } { [-] displayName: policy2 enforcedGrantControls: [ [-] Block ] enforcedSessionControls: [ [-] ] id: sdsds-8c92-45ef-sdsds-c0b2e006d39b result: failure } ]   ... View more
Labels

Re: Extract the User-Agent from HTTP request

by in Splunk Search
‎07-27-2021 01:13 PM
‎07-27-2021 01:13 PM
looks like 4 backslashes to get two? Below worked. Thank you for your help.  User-Agent: (?<UserAgent>[^\\\\]*) ... View more

Re: Extract the User-Agent from HTTP request

by in Splunk Search
‎07-27-2021 12:39 PM
‎07-27-2021 12:39 PM
Error in 'rex' command: Encountered the following error while compiling the regex 'User-Agent: (?<UserAgent>[^\]*)': Regex: missing terminating ] for character class. ... View more

Extract the User-Agent from HTTP request

by in Splunk Search
‎07-27-2021 10:09 AM
‎07-27-2021 10:09 AM
Below the excerpt from my HTTP request and I'm trying to get the User-Agent value from it and so far not successful. Will appreciate any help. This Splunk editor is removing the carriage return and line feed characters so below is the regex101 link.https://regex101.com/r/rdu8yE/1 Also attached is the screenshot of the HTTP request.     ... View more
Labels

AnomaliDetection does not detect outlier data

by in Splunk Search
‎10-29-2020 02:39 PM
‎10-29-2020 02:39 PM
In the below dataset, there are two different ISPs for the user from their usual ones. NordVPN for John and Quadranet for Jill – but this search using anomalidetection is detecting only john’s but not Jill’s. Any idea why and what is the better way to detect the ISP outlier? source="isp_data2.csv"  index="test" sourcetype="csv" | anomalydetection "ISP" "EmailAddress" action=annotate | eval isOutlier = if(probable_cause != "", "1", "0") | table "ISP" "EmailAddress", probable_cause, isOutlier | sort 100000 probable_cause     EmailAddress ISP timestamp john@example.com Comcast 1/1/2020 john@example.com Comcast 1/2/2020 john@example.com Comcast 1/3/2020 john@example.com Comcast 1/4/2020 john@example.com Comcast 1/5/2020 john@example.com Comcast 1/6/2020 john@example.com Comcast 1/7/2020 john@example.com Comcast 1/8/2020 john@example.com Comcast 1/9/2020 john@example.com Comcast ######## john@example.com Comcast ######## john@example.com Comcast ######## john@example.com Comcast ######## john@example.com NordVPN ######## john@example.com Comcast ######## john@example.com Comcast ######## john@example.com Comcast ######## john@example.com Comcast ######## john@example.com Comcast ######## john@example.com Comcast ######## john@example.com Comcast ######## john@example.com Comcast ######## john@example.com Comcast ######## jill@example.com Spectrum 2/1/2020 jill@example.com Spectrum 2/2/2020 jill@example.com Spectrum 2/3/2020 jill@example.com Spectrum 2/4/2020 jill@example.com Spectrum 2/5/2020 jill@example.com Spectrum 2/6/2020 jill@example.com Spectrum 2/7/2020 jill@example.com Spectrum 2/8/2020 jill@example.com Spectrum 2/9/2020 jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Quadranet ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum ######## jill@example.com Spectrum 3/1/2020 ... View more
Labels

How to get results only if search field contains a...

by in Splunk Search
‎09-13-2019 11:23 AM
‎09-13-2019 11:23 AM
If I have a search result which has a field named "Field1" and It has values like : This is Word1 now. This is Word2 now. This is WordX now. This is WordZ now. Below is the look up table for Words. Field1 Word1 Word2 Word3 Word4 Word5 Word6 How can I search so I get ONLY below results in the output because they contain "Word1" and "Word2"? This is Word1 now. This is Word2 now. ... View more

Check if IP address from search not in list of IP ...

by in Splunk Search
‎08-29-2019 12:23 PM
‎08-29-2019 12:23 PM
I am still learning Splunk and trying to understand best way to find if IP addresses in my search results are NOT in a list of IP addresses I have like below : 10.34* 10.35* 172.20* 172.21* 172.168* I put * in the CSV list to cover all IP addresses. for example ..10.34.1.3 is covered by 10.34. 172.212.1.1 is covered by 172.21* etc. I upload the CSV in the "Lookup table files" as "all_ip.csv" This is what I started with. How can I make sure "src_ip" is NOT in the list "ip.csv"? index=myindex src_ip | inputlookup all_ip.csv Thanks for all the help. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2022 07:08 PM
Karma given to