×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ashishmgupta
Explorer
Member since: ‎01-14-2019
‎06-05-2022
Community Statistics
Posts 7
Solutions 1
Karma Given 5
Karma Received 0
Member Since ‎01-14-2019
Activity Feed
View All

Re: AnomaliDetection does not detect outlier data

by in Splunk Search
yesterday
yesterday
Hi @ashishmgupta, As a quick fix, try: | anomalydetection "ISP" "EmailAddress" action=annotate cutoff=false ... View more

Splunk : Spath searching the JSON array

by in Splunk Search
‎11-11-2021 01:19 PM
‎11-11-2021 01:19 PM
I have below two JSON events where under "appliedConditionalAccessPolicies", in one event policy1 has results =failure and policy2 has results=notApplied. In the other event the values are reversed. Now I'm trying to get the event where the policy1 has the status="failure", it gives both the events   index=test | spath path="appliedConditionalAccessPolicies{}" | search "appliedConditionalAccessPolicies{}.displayName"="policy1" "appliedConditionalAccessPolicies{}.result"="failure"   I have below two JSON events where under "appliedConditionalAccessPolicies", in one event policy1 has results =failure and policy2 has results=notApplied. In the other event the values are reversed. Now I'm trying to get the event where the policy1 has the status="failure", it gives both the events index=test | spath path="appliedConditionalAccessPolicies{}" | search "appliedConditionalAccessPolicies{}.displayName"="policy1" "appliedConditionalAccessPolicies{}.result"="failure" It looks like Its searching within all the elements in the array. How can I ensure It searches both the conditions on each element of the array and return the event which has the element satisfying both the conditions. Events :   appDisplayName: App1 appId: aaaa-1111-111aeff-aad222221111 appliedConditionalAccessPolicies: [ { displayName: policy1 enforcedGrantControls: [ Block ] enforcedSessionControls: [ SignInFrequency ContinuousAccessEvaluation ] id: f111113-111-400c-a251-2123bbe4233e1 result: failure } { [-] displayName: policy2 enforcedGrantControls: [ [-] Block ] enforcedSessionControls: [ [-] ] id: sdsds-8c92-45ef-sdsds-c0b2e006d39b result: notApplied } ] appDisplayName: App1 appId: aaaa-1111-111aeff-aad222221111 appliedConditionalAccessPolicies: [ { displayName: policy1 enforcedGrantControls: [ Block ] enforcedSessionControls: [ SignInFrequency ContinuousAccessEvaluation ] id: f111113-111-400c-a251-2123bbe4233e1 result: notApplied } { [-] displayName: policy2 enforcedGrantControls: [ [-] Block ] enforcedSessionControls: [ [-] ] id: sdsds-8c92-45ef-sdsds-c0b2e006d39b result: failure } ]   ... View more
Labels

Re: Extract the User-Agent from HTTP request

by in Splunk Search
‎07-27-2021 01:13 PM
‎07-27-2021 01:13 PM
looks like 4 backslashes to get two? Below worked. Thank you for your help.  User-Agent: (?<UserAgent>[^\\\\]*) ... View more

Re: How to get results only if search field contai...

by in Splunk Search
‎09-14-2019 07:26 AM
‎09-14-2019 07:26 AM
I'd say grab the word, look it up and then filter....maybe something like this (not at all tested) index=whatevs | rex field=Field1 "^(?:\S+\s+){2}(?<my_word>\S+)" | lookup word_lookup_table Field1 AS my_word OUTPUT Field1 AS found_word | where isnotnull(found_word) And if you didn't want to rex out the word, you could also configure your lookup to wildcard the Field1 field. https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Addfieldmatchingrulestoyourlookupconfiguration ... View more

Re: Check if IP address from search not in list of...

by in Splunk Search
‎08-29-2019 02:02 PM
‎08-29-2019 02:02 PM
And make sure the lookup definiton will do CIDR matches ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2022 07:08 PM
Karma given to