Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About ZacEsa
ZacEsa
Communicator
Member since:
07-13-2016
06-05-2020
Community Statistics
| Posts | 68 |
| Solutions | 3 |
| Karma Given | 15 |
| Karma Received | 2 |
| Member Since | 07-13-2016 |
Activity Feed
- Karma Re: How do I use a value from a different field in drilldown? for harsmarvania57. 06-05-2020 12:50 AM
- Karma Re: How do I use a value from a different field in drilldown? for niketn. 06-05-2020 12:50 AM
- Karma Re: How do I exclude fields with certain values from a table when the event has multiple values for the same fields? for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: Join not working for two different searches for MuS. 06-05-2020 12:48 AM
- Karma Re: How to count similar events per 5 minutes in a 60 minute search? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to compare values of a field in a transaction? for lguinn2. 06-05-2020 12:48 AM
- Karma Re: How to compare values of a field in a transaction? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How do I filter out results of a search AFTER the search? for ddrillic. 06-05-2020 12:48 AM
- Karma Re: How do I filter out results of a search AFTER the search? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How do I find all the possible fields from our raw logs for a particular index, excluding internal fields generated by Splunk? for muebel. 06-05-2020 12:48 AM
- Karma Re: How do I show other fields after top? for woodcock. 06-05-2020 12:48 AM
- Karma Re: How do I add days taken from a field to a date field? for javiergn. 06-05-2020 12:48 AM
- Got Karma for Re: Join not working for two different searches. 06-05-2020 12:48 AM
- Got Karma for How do I show other fields after top?. 06-05-2020 12:48 AM
- Karma Re: Replace a character with a linebreak in table results for Ayn. 06-05-2020 12:46 AM
- Karma Re: Add newline into table cell? for nagendra008. 06-05-2020 12:46 AM
- Karma Re: Add newline into table cell? for marcellodesales. 06-05-2020 12:46 AM
- Posted Re: How do I use a value from a different field in drilldown? on Dashboards & Visualizations. 01-10-2019 12:09 AM
- Posted Re: How do I use a value from a different field in drilldown? on Dashboards & Visualizations. 01-09-2019 12:50 AM
- Posted Re: How do I use a value from a different field in drilldown? on Dashboards & Visualizations. 01-08-2019 05:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-15-2020
05:58 AM
1 Karma
The links to the 'other' questions/answers do not work anymore. But what does work is: | eval n=replace(my__field, "___", "
") So literally add a newline to your code. It is silly to need to do it in this way. Why are \n and similar characters as replacements not supported, while they are supported in the pattern. The replace function should also allow other options like replace only one occurrence or all occurrences (learn a bit from the Perl language I guess...)
... View more
08-15-2020
11:13 AM
1 Karma
thanks! this worked great for me as well. (nagendra008 's split method , not the css way) (i didnt want to mess with CSS nor make a new app for a quick table). if this helps others, i used the blank space as the linebreak / replace char; | eval dateonly=strftime(_time, "%m-%d %A %I:%M%P") | eval dateonly= split(dateonly," ") so i ended up with exactly what i wanted 🙂 - vs this before 😐 (unrelated- what is up with the login process for the forums here? its now login on page 1, pw on page2, which breaks chrome and FF password save/remember. maybe they are doing this to fight off bruteforce/bots? etherway its pretty annoying as i now have to lookup + type both 😞
... View more
01-10-2019
12:09 AM
Hadn't tried it but I'll accept your answer and use Device_Name for now. Thanks!
... View more
12-12-2017
02:08 AM
Unaccepting as answer as it seems indicatorName="DETECTED_SUSPECT_APP" is not showing if I select a wider time range. Not sure what the issue is.
... View more
10-18-2017
08:13 PM
Nevermind, found out the issue. Splunk doesn't like it when my field name is threatInfo.indicators{}.indicatorName . Had to rename it to something else and then it worked. Thank you! Will mark your answer as correct now.
... View more
07-20-2017
05:15 PM
I found out what the issue is already.
I added the inputs and the API key and connect ID through my Splunk master web UI, and then I copied the generated configuration files to the deployment-apps folder to be pushed to my heavy forwarder. However, this would not work as the encryption would be different.
Note: The app encrypts the API key and connector ID.
To solve this issue, I removed the deployed app so that the forwarder will not pull the apps from the master, then I enabled the webserver on the heavy forwarder using ./splunk enable webserver , installed the app directly to the heavy forwarder and configured from the heavy forwarder web UI. After that, I disabled the webserver using ./splunk disable webserver to save resources.
... View more
12-12-2016
10:21 PM
I don't know what happened but, I stopped the splunk service, I re-ran the set_permissions.sh and I started the splunk service(while still in root) and now it's working.
Haven't tried to stop and start the splunk service using splunk user to see if that was the issue.
I'll leave it as it is and I'll mark your question as the answer since you did answer my question on how to uninstall the Independent Stream Forwarder. Haha.
... View more
08-30-2016
07:43 PM
Here's what I did,
I duplicated whatever field extractions I had in my props.conf file. E.g.;
Props.conf before duplication.
[oldsourcetype]
(?P<somefieldextraction>.*?)
Props.conf after duplication.
[oldsourcetype]
(?P<somefieldextraction>.*?)
[newsourcetype]
(?P<somefieldextraction>.*?)
This way, the old indexed data will still have the field extractions and I can search for the fields from both old and new sourcetype.
After doing this, I edited my inputs.conf to include sourcetype = newsourcetype on my monitors so that they use the new sourcetype.
... View more
08-24-2016
09:19 PM
I've got it to start working but, I'm having a peculiar issue. When I use where ((acduser!="user1" OR acduser!="user2") AND rules="After Office Hours") it's still showing events which are "After Office Hours" AND if user is user1 or user2. From the above where, shouldn't it show "After Office Hours" if user is NOT user1 or user2?
... View more
08-17-2016
06:52 PM
Here's what I did. I took part of the two answers on this question and came up with the solution.
mysearch
| transaction devicename maxspan=5m
| eval transaction_period=strftime(_time,"%H%M")
| eval nighttime=if(transaction_period>=1800 OR transaction_period<=0830, "After Office Hours", "")
| eval attemptcount=if(eventcount>1, "Multiple Attempts", "")
| eval srccount=if(mvcount(srcip)>1, "Multiple Sources", "")
| eval hits=nighttime . "," . attemptcount . "," . srccount
| eval hits=split(hits, ",")
Explanation;
Line 3 takes the hours and minutes from the time.
Line 4 checks if the 24hour time is between 1800 and 0830. If it is, output will be After Office Hours else, it will be blank.
Line 5 checks if the count within the 5 minutes of transactions is more than 1, if it is, output will be Multiple Attempts else, it will be blank.
Line 6 checks if there are multiple source IPs in the transaction. If there is, output will be Multiple Sources else, it will be blank.
Line 7 combines all the outputs into a single field so that I can show it in one field. If used without Line 8, it will show as After Office Hours,Multiple Attempts, Multiple Sources if all hits are fulfilled.
Line 8 splits by using "," as a delimiter so, the output will be on separate lines as such;
After Office Hours
Multiple Attempts
Multiple Sources
If you are wondering why I'm using "" instead of null() , it's because if I use null() , when I combine the fields, it will show nothing even if only one of the field is null() .
... View more
08-08-2016
12:11 AM
Thanks! It works! Can you edit your answer and I'll accept it.
... View more
08-04-2016
06:28 PM
Thanks! But I just fear the rex conflicting with each other, regardless that the formats for the logs of the different indexes are different. Eventually I will do a permanent field extraction instead of doing multiple rex in a single search. Currently I'm just still testing it out.
... View more
07-21-2016
01:34 AM
I meant to put "+countdown@d" instead of "+30d@d"
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
