Activity Feed
- Posted Re: How can I determine which fields will work with tstats? on Splunk Search. 11-22-2024 08:26 AM
- Posted Re: How to round a percentage value in a pie chart to 1 decimal place? on Splunk Search. 07-16-2024 08:09 AM
- Got Karma for Re: How to search across all my data for any public IP addresses?. 09-02-2022 03:14 AM
- Posted Re: How to execute conditional DNS lookup in a search? on Splunk Search. 04-13-2021 11:27 AM
- Got Karma for Re: How to search across all my data for any public IP addresses?. 06-05-2020 12:48 AM
- Posted Re: How to search across all my data for any public IP addresses? on Splunk Search. 10-18-2019 07:22 AM
- Posted Re: Can I get a count of distinct values in multivalue field? on Splunk Search. 06-26-2019 03:30 PM
- Posted Re: How do I write the regex to extract a DNS domain field from my sample data? on Splunk Search. 06-25-2019 12:50 PM
- Posted Re: How do I write the regex to extract a DNS domain field from my sample data? on Splunk Search. 06-25-2019 11:48 AM
- Posted Re: How do I write the regex to extract a DNS domain field from my sample data? on Splunk Search. 06-25-2019 11:44 AM
11-22-2024
08:26 AM
You could find them by a trial-and-error process.
| tstats values(<field1>) as <field1>
values(<field2>) as <field2>
values(<field3>) as <field3>
WHERE index=<index> sourcetype=<sourcetype> by sourcetype
Fields that have data in the results are usable fields.
07-16-2024
08:09 AM
| makeresults
| eval field2count = split("n,y,n,n,y,n,n,y,n,n,n,y",",")
| mvexpand field2count
| stats count(eval(field2count="n")) as n count(eval(field2count="y")) as y count(field2count) as total
| eval n = round(n/total*100,1), y = round(y/total*100,1)
| fields - total
| transpose
| rename column as field2count, "row 1" as total
04-13-2021
11:27 AM
| makeresults
| eval src_host = split("8.8.8.8,dns.name,server_name,172.217.9.206",",")
| mvexpand src_host
| foreach src_host [ eval tempip = if(match(src_host,"(\d{1,3}\.){3}\d{1,3}"), src_host, "") | lookup dnslookup clientip as tempip ]
| eval src_host=if(match(clienthost,"\w"),clienthost,src_host)
10-18-2019
07:22 AM
2 Karma
Just adding to pgreer's answer
| makeresults
| eval ip_list="172.16.20.1,10.1.1.1,192.168.1.1,1.2.3.4,127.0.0.1,169.254.20.10"
| makemv ip_list delim=","
| mvexpand ip_list
| eval ip_type = case(
    match('ip_list',"^172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}$"),"1_private",
    match('ip_list',"^10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"),"1_private",
    match('ip_list',"^192\.168\.[0-9]{1,3}\.[0-9]{1,3}$"),"1_private",
    match('ip_list',"^127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"),"3_loopback",
    match('ip_list',"^169\.254\.[0-9]{1,3}\.[0-9]{1,3}$"),"2_apipa",
    1=1,"0_public")
| sort ip_type ip_list
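The same classification can be done without hand-written regexes by using Splunk's cidrmatch() eval function, which tests an address against a CIDR block and so handles the awkward 172.16.0.0/12 range exactly. The search below is an added example and not part of the answer above; the IP list is constructed for the demonstration (172.32.0.1 is deliberately included because it falls just outside 172.16/12 and must come out as public, and 100.64.0.1 shows the carrier-grade NAT range the original regex list did not cover).

```spl
| makeresults
| eval ip_list="172.16.20.1,172.32.0.1,10.1.1.1,192.168.1.1,1.2.3.4,127.0.0.1,169.254.20.10,100.64.0.1"
| makemv ip_list delim=","
| mvexpand ip_list
| eval ip_type = case(
    cidrmatch("10.0.0.0/8", ip_list),     "1_private",
    cidrmatch("172.16.0.0/12", ip_list),  "1_private",
    cidrmatch("192.168.0.0/16", ip_list), "1_private",
    cidrmatch("100.64.0.0/10", ip_list),  "1_cgnat",
    cidrmatch("169.254.0.0/16", ip_list), "2_apipa",
    cidrmatch("127.0.0.0/8", ip_list),    "3_loopback",
    1=1,                                  "0_public")
| sort ip_type ip_list
```

Against real data, replace the makeresults/makemv/mvexpand lines with your own search and point cidrmatch() at the field that holds the address (src_ip, dest_ip, and so on); anything still tagged 0_public is the set of addresses worth reviewing.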
06-26-2019
03:30 PM
Try this method.
This replicates your data
| makeresults
| eval data="foo;123,123,123:bar;123,456,789,789"
| makemv data delim=":"
| mvexpand data
| makemv data delim=";"
| eval id=mvindex(data,0), abc=mvindex(data,1)
| makemv abc delim=","
| table id, abc
This gets the results you're looking for. If you already have the data in separate events, only the last two lines are needed.
| makeresults
| eval data="foo;123,123,123:bar;123,456,789,789"
| makemv data delim=":"
| mvexpand data
| makemv data delim=";"
| eval id=mvindex(data,0), abc=mvindex(data,1)
| makemv abc delim=","
| stats count(eval(mvcount(abc))) as count by id, abc
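If the goal is only the number of distinct values inside each multivalue field (rather than a per-value breakdown), mvdedup() combined with mvcount() gives it directly on the event, with no stats grouping. This is an added example, not part of the answer above; the two events are constructed to match the foo/bar sample data in the thread.

```spl
| makeresults count=2
| streamstats count as n
| eval id=if(n=1,"foo","bar"), abc=if(n=1,"123,123,123","123,456,789,789")
| makemv abc delim=","
| eval total_values=mvcount(abc), distinct_values=mvcount(mvdedup(abc))
| table id, abc, total_values, distinct_values
```

For the sample data this yields foo with 3 total and 1 distinct value, and bar with 4 total and 3 distinct values.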
06-25-2019
12:50 PM
Thanks for the assist.
06-25-2019
11:48 AM
Since the original post did not keep all the information I've updated this to reflect the correct statements and added one just in case you have additional characters in the name.
| rex field="dnsName" "(?<name_Host_Dns>\w+)\.(?<name_Domain_Dns>.*)"
| rex field="dnsName" "(?<name_Host_Dns>[a-zA-Z0-9-_]+)\.(?<name_Domain_Dns>.*)"
Optionally you can do this
| rex field="dnsname" "(?<dnsdomain>\..*)"
| eval dnshostname = replace('dnsname','dnsdomain',"")
| eval dnsdomain = replace(dnsdomain,"^.{1}","")
06-25-2019
11:44 AM
Like this:
(?<name_Host_Dns>\w+)\.(?<name_Domain_Dns>.*)