cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
dkadavis
Explorer
Member since: ‎06-25-2019
‎10-09-2023
Community Statistics
Posts 6
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎06-25-2019
Activity Feed
Topics I've Started
No posts to display.
View All

Re: How to execute conditional DNS lookup in a sea...

by in Splunk Search
‎04-13-2021 11:27 AM
‎04-13-2021 11:27 AM
| makeresults | eval src_host = split("8.8.8.8,dns.name,server_name, 172.217.9.206",",") | mvexpand src_host | foreach src_host [ eval tempip = if(match(src_host,"(\d{1,3}\.){3}\d{1,3}"), src_host, "") | lookup dnslookup clientip as tempip ] | eval src_host=if(match(clienthost,"\w"),clienthost,src_host) ... View more

Re: How to search across all my data for any publi...

by in Splunk Search
‎10-18-2019 07:22 AM
2 Karma
‎10-18-2019 07:22 AM
2 Karma
Just adding to pgreer's answer | makeresults | eval ip_list="172.16.20.1,10.1.1.1,192.168.1.1,1.2.3.4,127.0.0.1,169.254.20.10" | makemv ip_list delim="," | mvexpand ip_list | eval ip_type = case(match('ip_list',"172.(1[6-9].|2[0-9].|3[0-1].)[0-9]{1,3}.[0-9]{1,3}"),"1_private",match('ip_list',"(10.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"),"1_private",match('ip_list',"(192.168.[0-9]{1,3}.[0-9]{1,3})"),"1_private",match('ip_list',"(127.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"),"3_loopback",match('ip_list',"(169.254.[0-9]{1,3}.[0-9]{1,3})"),"2_apipa",1=1,"0_public") | sort ip_type ip_list ... View more

Re: Can I get a count of distinct values in multiv...

by in Splunk Search
‎06-26-2019 03:30 PM
‎06-26-2019 03:30 PM
Try this method. This replicates your data | makeresults | eval data="foo;123,123,123:bar;123,456,789,789" | makemv data delim=":" | mvexpand data | makemv data delim=";" | eval id=mvindex(data,0), abc=mvindex(data,1) | makemv abc delim="," | table id, abc This gets the results you're looking for. if you already have the data in separate events, only the last two lines are needed. | makeresults | eval data="foo;123,123,123:bar;123,456,789,789" | makemv data delim=":" | mvexpand data | makemv data delim=";" | eval id=mvindex(data,0), abc=mvindex(data,1) | makemv abc delim="," | stats count(eval(mvcount(abc))) as count by id, abc ... View more

Re: How do I write the regex to extract a DNS doma...

by in Splunk Search
‎06-25-2019 12:50 PM
‎06-25-2019 12:50 PM
Thanks for the assist. ... View more

Re: How do I write the regex to extract a DNS doma...

by in Splunk Search
‎06-25-2019 11:48 AM
‎06-25-2019 11:48 AM
Since the original post did not keep all the information I've updated this to reflect the correct statements and added one just in case you have additional characters in the name. | rex field="dnsName" "(?<name_Host_Dns>\w+)\.(?<name_Domain_Dns>.*)" | rex field="dnsName" "(?<name_Host_Dns>[a-zA-Z0-9-_]+)\.(?<name_Domain_Dns>.*)" Optionally you can do this | rex field="dnsname" "(?<dnsdomain>\..*)" | eval dnshostname = replace('dnsname',dnsdomain',"") | eval dnsdomain = replace(dnsdomain,"^.{1}","") ... View more

Re: How do I write the regex to extract a DNS doma...

by in Splunk Search
‎06-25-2019 11:44 AM
‎06-25-2019 11:44 AM
Like this: (?\w+)\.(?.*) ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-09-2023 03:58 PM
Karma from
View All