Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About eFlea
eFlea
New Member
Member since:
12-14-2010
06-05-2020
Community Statistics
| Posts | 4 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 12-14-2010 |
Activity Feed
- Posted Re: How can I extract specific IP addresses from this multiline event? on Splunk Search. 05-02-2011 03:42 PM
- Posted Re: How can I extract specific IP addresses from this multiline event? on Splunk Search. 05-02-2011 02:33 PM
- Posted How can I extract specific IP addresses from this multiline event? on Splunk Search. 05-02-2011 01:22 PM
- Tagged How can I extract specific IP addresses from this multiline event? on Splunk Search. 05-02-2011 01:22 PM
- Tagged How can I extract specific IP addresses from this multiline event? on Splunk Search. 05-02-2011 01:22 PM
- Tagged How can I extract specific IP addresses from this multiline event? on Splunk Search. 05-02-2011 01:22 PM
- Posted How do I search for all events occuring 24 hours prior to a variable time? on Splunk Search. 12-14-2010 12:55 AM
- Tagged How do I search for all events occuring 24 hours prior to a variable time? on Splunk Search. 12-14-2010 12:55 AM
- Tagged How do I search for all events occuring 24 hours prior to a variable time? on Splunk Search. 12-14-2010 12:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
05-02-2011
03:42 PM
This was close, but didn't work quite correctly. I suspect that lines like "Login failed, Invalid password; User:timg" messed up the rex parsing, and left a lot of events as multiline events. This led to a number of IP addresses being left out of the results.
... View more
05-02-2011
02:33 PM
This worked great. My previous attempts at using rex only gave the first match. Thanks for the help!
... View more
05-02-2011
01:22 PM
I'm trying to generate a list of all IP addresses from all events where the user "timg" has a login failure.
I have hundreds of multiline events that look generally like this single event:
Mar 17, 2010 14:36:32 PM: LOGIN SUCCESS - USER:bobb IP:153.168.134.131
... 56 lines omitted ...
Mar 17, 2010 16:44:13 PM: LOGIN SUCCESS - USER:edk IP:211.219.95.138
Mar 17, 2010 16:44:14 PM: Login failed, Invalid password; User:timg
Mar 17, 2010 17:11:14 PM: LOGIN FAILURE - USER:timg IP:149.117.157.158
Mar 17, 2010 17:14:27 PM: LOGIN SUCCESS - USER:johnc IP:167.182.193.115
Mar 17, 2010 17:18:56 PM: LOGIN SUCCESS - USER:carlk IP:221.140.227.28
Mar 17, 2010 17:27:43 PM: Login failed, Invalid password; User:timg
Mar 17, 2010 17:27:43 PM: LOGIN FAILURE - USER:timg IP:53.37.39.27
Mar 17, 2010 18:14:11 PM: Login failed, Invalid password; User:melb
Mar 17, 2010 18:14:11 PM: LOGIN FAILURE - USER:melb IP:127.197.143.245
For this event, the output I'm looking for would be the following two IP addresses:
149.117.157.158
53.37.39.27
This would be relatively easy if each line in the event was correctly parsed as a separate event, with fields like "Date" "Login Status" "User Name" and "IP Address". Unfortunately, I only have user privileges on this Splunk instance, so I cannot create any configuration files to pre-parse the event.
Can someone please provide some suggestions on how to accomplish this using only the search app?
... View more
12-14-2010
12:55 AM
I'm running Splunk v4.1.5, and I'm trying to specify a time range in my search so that I can find events within a certain range prior to a given time.
For example, lets say I want to search for events occurring during the 24 hours prior to 10/07/2010:17:38:00. I cannot determine the correct syntax for this search.
Specifying the "earliest" date as "10/06/2010:17:38:00" seems to be an unsatisfactory solution, because I intend to determine the "latest" value using a subsearch, making the "latest" time a variable value.
My attempt at a search query that does this looks like:
' desthostname="www.google.com" earliest=-24h latest="10/07/2010:17:38:00" '
However, executing this search gives:
" Error in 'UnifiedSearch': Unable to parse the 'Invalid time bounds in search: start=1292201255 > end=1286498280' search. "
This error seems to indicate that the relative "earliest" search term seems to be tied to the current time, not 10/07/2010:17:38:00, which is what I want.
How can I create a search query that allows me to specify a relative time range that is tied to an arbitrary time? If this isn't possible, is there a way to calculate a non-relative time value that is equivalent to 24 hours before my "latest" time?
... View more
- Tags:
- search-help
- time
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
