Hi All, Appreciate some suggestions for a problem I'm facing. I have a search which outputs a few results, and what I want to do is, take each results _time and modify the earliest and latest times to be within +/- 1 minute of the events, and pass on a value from a certain field to a second search.  I have looked at other answers and I can see suggestions for using subsearches, and also the map command. The problem is that though, the events from the original search are not kept this way. With the map command you can pass specific fields from the first search to be kept using further evals, however this gets tedious when you want to keep as many fields as possible. Example: First search (checks for 'file create' events in sysmon:      index=sysmon EventId=11 file_name=test_file* file_name="test_file.txt"     Let's say this produces 3 results, with 3 different times and 3 different users. time 1 test_file.txt user 1 time 2 test_file.txt user 2 time 3 test_file.txt  user 3 Bear in mind there would be other fields too in the actual events. Then what I would like to do is, take time 1 for example, extend the time range by 1 minute either side, and use a second search to pass in the file name and user name to see where this file was downloaded from. Second search:     index=web file_name=test_file.txt earliest=(time1 - 1min) latest=(time1 + 1min) user=user1       This should give me an additional event with the corresponding file download (with url etc.) , whilst keeping the 3 events from the 1st search. So when you look at all events, you would have both the file download event from the web index, and the file create event from sysmon, while keeping all the fields and values from both events.    Appreciate any ideas. Thanks!         ... View more

Hi All, We are using Splunk Cloud with Enterprise Security and we have a strange issue with csv attachments that are being sent using the "Send email" alert action. The timestamp is quite different in the attached csv, compared to the search results and exported events. Timestamp in email attachment (csv): "Sat Jun 24 08:08:40 2023" Timestamp in search results: "2023-06-24 08:08:40" Timestamp in exported results (as csv): "2023-06-24T08:08:40.000+0000" Ideally we would like to have the same timestamp format as in the search results.  Grateful if anyone could shed some light on this - we could raise a ticket with Splunk support but we thought this might be quicker! Thank you! ... View more

Hi all, I'd be grateful if you could help me with this. I have read other similar questions but none of them seem to solve the problem. I have two searches: Search 1: index=main source=os Search 2: index=patch sourcetype=csv In search 1, there is a field that has workstation IDs, and the field is called 'ComputerName' In search 2, the same field exists but the name is 'extracted_Hosts' So what I want to do is look at both searches and get workstation IDs that exist in both, and then use these events to pipe into another function. Example: Search 1: index=main source=os | stats values(ComputerName) Result: W123456 W789123 W456789 W123321 W789987 Actual number of results is 30,271 Search 2: index=patch sourcetype=csv | stats values(extracted_Host) W123456 W154658 W789123 W546589 W789987 Actual number of results is 18,672 So the output I want is: W123456 W789123 W789987 Your help is much appreciated! Here is what I want to do with the data, grateful if you can help with this but I think I need to figure out the above before that. The search 1 (source=os) has a field called 'BuildNumber' which refers to the Windows 10 build version. The search 2 (index=patch) has a field called 'patchlevel' which is the same as 'BuildNumber', but they are different numbers, so for example a version of Windows 10 could have BuildNumber = 1703 and patchlevel = 15063. I want to use the data from the previous search which gives me the workstations that are common in both sources, and then get a count of each Build Number and patch level, and see if there is any discrepancy. Hope I've explained this well enough, let me know if I haven't! Thanks again. ... View more