Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About SplunkLunk
SplunkLunk
Path Finder
Member since:
06-23-2016
09-09-2021
Community Statistics
| Posts | 117 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 5 |
| Member Since | 06-23-2016 |
Activity Feed
- Posted Re: How to Exclude Events on a Certain Day, within a Certain Time, and With a Specific User on Splunk Search. 09-05-2021 05:34 AM
- Posted Re: How to Exclude Events on a Certain Day, within a Certain Time, and With a Specific User on Splunk Search. 09-05-2021 03:36 AM
- Posted How to Exclude Events on a Certain Day, within a Certain Time, and With a Specific User on Splunk Search. 09-04-2021 07:50 PM
- Posted Taking Value of One Field, Adding Text, And Comparing Against Another Field on Splunk Search. 09-02-2021 07:54 AM
- Posted Re: Any way to monitor excessive write activity to a server? on Getting Data In. 10-30-2020 06:30 AM
- Posted Any way to monitor excessive write activity to a server? on Getting Data In. 10-29-2020 08:31 PM
- Posted Re: Average Failed Logins by Day of Week For Last 90 Days on Splunk Search. 09-14-2020 10:53 AM
- Posted Re: Average Failed Logins by Day of Week For Last 90 Days on Splunk Search. 09-14-2020 09:02 AM
- Posted Average Failed Logins by Day of Week For Last 90 Days on Splunk Search. 09-14-2020 08:36 AM
- Karma Re: How to Alert on Multiple Hosts Within sourcetype=httpevent Not Sending Events for somesoni2. 06-05-2020 12:50 AM
- Got Karma for Re: How can I generate a report on a weekly basis for the previous week broken down by day?. 06-05-2020 12:49 AM
- Karma Re: Best Way to Do Subsearch on Event Types and Have The Subsearch Check For Certain Threshold? for woodcock. 06-05-2020 12:48 AM
- Karma Re: Best Way to Do Subsearch on Event Types and Have The Subsearch Check For Certain Threshold? for woodcock. 06-05-2020 12:48 AM
- Karma Re: How Can I Assign a Text Value Based on a Specific Error Code/EventType? for niketn. 06-05-2020 12:48 AM
- Karma Re: How to edit my search to exclude events outside of certain times of the day? for DalJeanis. 06-05-2020 12:48 AM
- Karma Re: How to edit my search to exclude events outside of certain times of the day? for DalJeanis. 06-05-2020 12:48 AM
- Got Karma for In time range picker, is the time range "Last 1 Day" the same as "Yesterday"?. 06-05-2020 12:48 AM
- Got Karma for In time range picker, is the time range "Last 1 Day" the same as "Yesterday"?. 06-05-2020 12:48 AM
- Got Karma for In time range picker, is the time range "Last 1 Day" the same as "Yesterday"?. 06-05-2020 12:48 AM
- Got Karma for Re: How to prevent alerting on duplicate Windows reboot events that occur within a certain time period?. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-05-2021
05:34 AM
Thanks. I figured it out with your help. It turns out date_wday was being extracted as well. I just had the search term formed wrong. I ended up with the following: NOT ((date_hour>=1 date_hour<5) AND user=[username] AND date_wday=saturday)
... View more
09-05-2021
03:36 AM
Thanks, but how do I exclude Saturday as well as part of the condition? The "date_wday=saturday" doesn't work and that's why I did the eval to assign a day of the week in the search.
... View more
09-04-2021
07:50 PM
Greetings, I need to exclude events that happen every Saturday between 2 AM and 4AM only if they have a specific username. An authenticated scan runs that triggers a lot of logon attempts with a specific user account during that time. My search so far isn't working: index=[myindex] host=* sourcetype=linux_secure process=sshd ("tag::action"="success" OR "tag::action"="failure") | eval hour = tonumber(strftime(_time,"%H")) | eval dow = tonumber(strftime(_time,"%w")) | where (dow!=6 AND (hour!=2 OR hour!=3 OR hour!=4) AND user=[username]) However, as soon as I remove the username variable the search works fine. Can anyone help me figure out what's wrong? Thanks.
... View more
Labels
- Labels:
-
eval
09-02-2021
07:54 AM
Greetings, I want to exclude search results if a field contains a value compared against another field with additional text added. So it would look something like this: Field1=value Field2=Field1+[text] Field3=[value2] Exclude results where Field2=Field1+[text] and Field3=[value2] Can anyone tell me what the syntax in Splunk would be? Thanks.
... View more
10-30-2020
06:30 AM
Do you know what a search like that would look like? I can check and see if those types of events show in the indexes my servers are forwarding to. Thanks.
... View more
10-29-2020
08:31 PM
Greetings, Is there any way to query Splunk to see if host disk drives have excessive write activity vs. read activity? Trying to monitor for Ransomware infections. Lots of write activity might indicate files being encrypted/modified. I am a consumer of our Splunk environment so I don't have the ability to change the environment and I only have access to indexes for which my hosts reside. For example I don't have access to the _internal index. Thanks for any help.
... View more
Labels
- Labels:
-
index
-
other
-
universal forwarder
-
Windows
09-14-2020
10:53 AM
I want to do what the person in this old post tried to do but the solution there isn't working for me: https://community.splunk.com/t5/Splunk-Search/day-of-the-week-average/m-p/142904
... View more
09-14-2020
09:02 AM
Thanks for the response. But that search doesn't produce any results in the "avg" column. It's blank.
... View more
09-14-2020
08:36 AM
Greetings, The search I am using currently is giving me the total number of failed logins by day of the week for the last 90 days: | base search event="login_fail" | bin _time as date span=1d | eval weekday=strftime(_time, "%A") | stats count by weekday | stats avg(count) by weekday The problem is I want to find the daily average number of failed logins for the last 90 days. For example, in the search above is shows a total of 625 failed logins for Fridays. The last line of the search isn't providing any value so it's not needed. Is there a way to modify my search to get that average number instead of the total count for Fridays? For example, since there are ~12 Fridays over the last 90 days that would come out to ~52 failed logins on Fridays (12 * 52 is where I get the 625). Thanks for any help.
... View more
05-13-2020
08:24 PM
It jacked the formatting of the rex line up. I cut and paste exactly like you showed, but it doesn't look that way in my response.
... View more
05-13-2020
08:23 PM
Thanks for the help. Still producing same output with the following search. I guess I don't know enough about regex to troubleshoot. I was even going to regex101.com to test without any luck:
| tstats count as Counts where index=ahc_os source="var/log*" by host
| inputlookup append=t May_Linux_Hosts.csv
| rex mode=sed field=source "s/(\/var\/log)./\1/"
| stats values(Counts) as count by source host
| fillnull count
| where count=0
... View more
05-13-2020
01:51 PM
Thanks but I must be doing something wrong. I've added a lookup file with the format:
host, source
host1, /var/log*
host2, /var/log*
I've done your search:
| tstats count as Counts where index=[my index] source="/var/log*" by host
| inputlookup append=t May_Linux_Hosts.csv
| rex mode=sed field=source "s/\/\w+/\/*/3"
| stats values(Counts) as count by source host
| fillnull count
| where count=0
And the output I get is:
source, host, count
/var/log/, host1,0
/var/log/, host2,0
.
.
.
So it's like it's not treating the * as a wildcard. Any idea what I'm doing wrong?
... View more
05-13-2020
01:04 PM
Thanks. Will a wildcard in the CSV file work? Could the source be /var/log/*
... View more
05-13-2020
09:17 AM
Greetings,
I want to report on any Linux system that hasn't had an event in /var* for 30 minutes. I was going to use Source="/var/log/messages" but our admins told me that they want anything below /var to be reported on. I tried using the metadata command but that didn't get me anywhere. Does anyone have any suggestions? Thanks.
... View more
05-04-2020
09:40 AM
Thank you so much! That works great.
... View more
05-03-2020
06:54 PM
So your first part got me almost where I wanted. This is my search with your second line added:
index=[my_index] sourcetype=[my_sourcetype] source=[my_source]
| stats count as Count by APPLICATION_NAME USER_ID
| stats list(USER_ID) as USER_ID list(Count) as Count by APPLICATION_NAME
| search [|inputlookup app_file.csv|fields APPLICATION_NAME]
| lookup app_file.csv APPLICATION_NAME OUTPUT App_Name
| rename App_Name as "Application Name", USER_ID as "User ID"
| table "Application Name", "User ID", Count
| sort "Application Name", -Count
Now my search results show three columns. Application Name, User ID, and Count. It displays beautifully. One section for each application name with the second column being all the user IDs with events sorted alphabetically by user name for each application. Is there a way to sort by highest number of events first vs. alphabetically by user ID? I want the app owners to see who the heaviest users are without having to scan the list, sort an export, etc. I thought that's what the last line would do but no luck.
... View more
05-01-2020
05:58 AM
So I have a list of 11 applications and I want all the user IDs and number of logins attempts for each user over a specified period of time. But I only want the application name to show once. So the report would look something like:
AppNameTitle User ID Login Attempts
AppName1 User ID1 10
User ID 2 19
User ID 3 25
Right now my report looks like:
AppNameTitle User ID Login Attempts
AppName1 User ID1 10
AppName1 User ID 2 19
AppName1 User ID 3 25
My main search terms are:
| stats count(USER_ID) as count, values(USER_ID) as USER_ID by APPLICATION_NAME
Any advice? Thanks.
... View more
04-16-2020
09:10 AM
Greetings,
Our developers are logging what user views a particular web page and flag it via the "ID" field. If a user also runs a query within the web page during that session, it logs the query in a different table using the "URL_REQUEST_ID". The ID and the URL_REQUEST_ID are the same value. How can I join the two searches based on the value in the "ID" field in that first search I mentioned.
Basically I want to list the pages they viewed and any corresponding queries they ran in one report/output. Thanks for any help.
... View more
- Tags:
- splunk-enterprise
08-13-2019
08:19 AM
So according to our admins there isn't an easy way to nest alerts on the "Alerts" page. I have a number of departmental alerts and I just have to keep scrolling down to get to some of them. I start each alert using a naming convention so they are grouped on the page, but it's annoying to scroll through dozens of alerts. Is there a way to create a dashboard I can lump each area's alerts into a panel that I can click on? So alerts for "Marketing" in one panel. Alerts for "IT" in another panel. It would just be easier for me to navigate alerts for specific areas that way. Thanks.
... View more
- Tags:
- splunk-enterprise
04-09-2019
10:59 AM
So I took your query and I want to make sure I'm understanding the results properly. For the column marked max_15m, does that mean over the course of 24 hours there were "X" times it hadn't talked to Splunk for more than 15 mins? If so, I have a host in my results that shows "4" for max_15m column. That means there were four times for that host where it went more than 15 minutes without talking to Splunk?
If so, I could increase the interval to 30m and see if that drops to zero. I really want to get as few alerts as possible. So if it's "normal" for a host to go four times a day for more than 15 minutes without talking to Splunk, I set the max delay time in my alert to something like 20, 30, 40, etc. mins based on the tweaking I do with your query. Am I understanding that right?
... View more
