Activity Feed
- Got Karma for Pie chart displaying "other(n)" and "OTHER" fields. 06-05-2020 12:49 AM
- Got Karma for Individual Permissions for App. 06-05-2020 12:49 AM
- Posted Combined Pivots on Reporting. 03-01-2019 07:08 AM
- Posted _internal Index not indexing application log on Monitoring Splunk. 01-31-2019 01:09 AM
- Posted Re: Lookup match on Splunk Search. 02-08-2018 01:04 AM
- Posted Re: Lookup match on Splunk Search. 02-08-2018 12:43 AM
- Posted Re: Lookup match on Splunk Search. 02-08-2018 12:40 AM
- Posted Re: Lookup match on Splunk Search. 02-06-2018 11:59 PM
- Posted Re: Lookup match on Splunk Search. 02-06-2018 05:02 AM
- Posted Re: Lookup match on Splunk Search. 02-06-2018 02:17 AM
- Posted Re: Lookup match on Splunk Search. 02-06-2018 02:09 AM
- Posted Lookup match on Splunk Search. 02-06-2018 01:12 AM
- Posted How to make Pivot-Like Transposed Table? on Reporting. 01-30-2018 06:29 AM
- Posted Re: Regex not accepted when searching on Splunk Search. 12-05-2017 04:42 AM
- Posted Regex not accepted when searching on Splunk Search. 12-05-2017 02:46 AM
- Tagged Regex not accepted when searching on Splunk Search. 12-05-2017 02:46 AM
- Posted Re: Combine a search and subsearch to create a table with all values on Splunk Search. 10-06-2017 04:16 AM
- Posted Re: Combine a search and subsearch to create a table with all values on Splunk Search. 10-06-2017 01:27 AM
- Posted Combine a search and subsearch to create a table with all values on Splunk Search. 10-05-2017 11:54 PM
- Tagged Combine a search and subsearch to create a table with all values on Splunk Search. 10-05-2017 11:54 PM
Topics I've Started
03-01-2019
07:08 AM
Guys and girls,
once again I need your help 🙂
I am trying to run a query from a "flattened" set of events (KV Store) (pic1) and collect the result, a pivot-like resultset, with the grand total as a field (pic2) into an index.
I am struggling to get it done. I have a couple of questions:
1 - Is there any chance I can get the results displayed as JSON (inc. arrays)?
2 - I am not sure pic2 is the result of a count with many "by" criteria, but more like 3 values(xxx) and 4 count(xxx) collated. How can I achieve this?
Thanks.
01-31-2019
01:09 AM
Hi,
we created an app which writes its log into $SPLUNK_HOME/var/log/splunk
Even though the folder is being monitored with no blacklisted files, the application log is not being indexed. There is no mention of send_to_null_queue for this particular file, so I am a bit confused.
You guys have any idea?
Thanks,
Robert
02-08-2018
12:43 AM
I am afraid not. I think the solution is probably achieved using a join instead of a lookup... I may be wrong, though.
02-08-2018
12:40 AM
Nope... if I put the mvexpand INSIDE the join subquery, it separates a hit per row, causing a 1-2-1 relationship, and if I put the mvexpand OUTSIDE the subquery, it shows all values in a single row, but flattened:
Inside:
User Hits
1 a
1 b
1 c
Outside:
User Hits
1 a b c
I would like:
1 a
b
c
02-06-2018
11:59 PM
Ok. I solved the issue with the items not in the lookup table by changing the join type from inner to left (duh, lol), but one last question: how can I have a multivalue field when I join searches? Currently there is a 1-2-1 relationship and I would like a 1-2-many...
Thank you 🙂
02-06-2018
05:02 AM
nope ... it is still discarding the rows which are NOT in the lookup table ... 😞
02-06-2018
02:17 AM
This works partially ... It only populates a table if there are hits in the lookup table. If there aren't, the events are shown in the "Events" tab, but no table is displayed, despite the fact I used the "table" command.
02-06-2018
02:09 AM
Unfortunately the lookup doesn't have a Period field, I have to calculate it AFTER the lookup 😞
02-06-2018
01:12 AM
Hi, I am trying to do the following:
1 - Search an index;
2 - For each result, search for matches in lookup table 1, based on the timestamp, in 1 hour bins.
For example:
Step 1 - [base search] | eval Period=day . " - " . hour
Result:
User Period
User1 Monday - 11
User2 Monday - 12
User3 Monday - 09
Step 2 - Match each user and period against a lookup and populate a list (can be multi-value) with hits
User Period Hits
User1 Monday - 11 No hits
User2 Monday - 12 05/02/18 12:02:45
05/02/18 12:44:13
User3 Monday - 09 05/02/18 09:28:15
How can I achieve this? The lookup table has only User and a Timestamp; the 'Period' field is calculated. How can I do the "for each result on Step 1, search the lookup table, and if hits are found, list them alongside the row"?
Not sure if this is clear enough ...
Thank you!
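The matching described in this question (and the join/mvexpand problem discussed in the replies above) comes down to two steps: derive the 1-hour Period key on both sides, then aggregate the lookup side into one multivalue Hits list per (User, Period) before joining, so that the join is one-to-one on the key while Hits carries many values, and use left-join semantics so users with no hits survive. The following is an added example in Python, not the poster's search; the sample rows are constructed, the lookup timestamps are assumed to be day/month/year, and the aggregation step is the equivalent of running `stats values(Timestamp) as Hits by User Period` on the lookup side before joining.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (not from the original post). The base search gives one
# event per user; the lookup holds raw (User, Timestamp) pairs and no Period column.
BASE_ROWS = [
    {"User": "User1", "_time": "2018-02-05 11:17:02"},
    {"User": "User2", "_time": "2018-02-05 12:30:00"},
    {"User": "User3", "_time": "2018-02-05 09:05:41"},
]
LOOKUP_ROWS = [
    {"User": "User2", "Timestamp": "05/02/18 12:02:45"},
    {"User": "User2", "Timestamp": "05/02/18 12:44:13"},
    {"User": "User3", "Timestamp": "05/02/18 09:28:15"},
    {"User": "User2", "Timestamp": "05/02/18 14:10:00"},  # same user, other hour: no match
    {"User": "User9", "Timestamp": "05/02/18 11:00:00"},  # not in the base search: dropped
]

BASE_FMT = "%Y-%m-%d %H:%M:%S"
LOOKUP_FMT = "%d/%m/%y %H:%M:%S"   # assumption: lookup timestamps are day/month/year


def period(ts, fmt):
    """One-hour bin key in the post's shape, e.g. 'Monday - 11'."""
    dt = datetime.strptime(ts, fmt)
    return f"{dt:%A} - {dt:%H}"


def hits_by_user_period(lookup_rows):
    """Aggregate the lookup side first: (User, Period) -> list of timestamps.
    This is the multivalue 'Hits' field: one row per key, not one row per hit."""
    hits = defaultdict(list)
    for row in lookup_rows:
        hits[(row["User"], period(row["Timestamp"], LOOKUP_FMT))].append(row["Timestamp"])
    return hits


def left_join_hits(base_rows, lookup_rows):
    """Left join: every base row survives, Hits is [] when the lookup has nothing."""
    hits = hits_by_user_period(lookup_rows)
    joined = []
    for row in base_rows:
        key = (row["User"], period(row["_time"], BASE_FMT))
        joined.append({"User": key[0], "Period": key[1], "Hits": hits.get(key, [])})
    return joined


def render(rows):
    """One line per user, further hits continued on the following lines."""
    out = ["User\tPeriod\tHits"]
    for r in rows:
        hits = r["Hits"] or ["No hits"]
        out.append(f"{r['User']}\t{r['Period']}\t{hits[0]}")
        out.extend(f"\t\t{h}" for h in hits[1:])
    return "\n".join(out)


if __name__ == "__main__":
    print(render(left_join_hits(BASE_ROWS, LOOKUP_ROWS)))
```

Aggregating before the join is what avoids the two outcomes seen in the replies: expanding inside the joined search produces one row per hit, expanding outside flattens all hits into one cell, while a pre-aggregated list gives one row per user with a genuine multivalue Hits field.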
01-30-2018
06:29 AM
Hi,
I have the following search and table:
index=xxxx
| bucket _time span=1h
| stats count as Access_Count by Account_Name, _time
Account_Name _time Access_Count
abc 2018-01-30 08:00 10
def 2018-01-30 08:00 20
def 2018-01-30 09:00 40
ghi 2018-01-30 08:00 30
Is there a way to transpose this table to fit the following format?
Account_Name 2018-01-30 08:00 2018-01-30 09:00
abc 10 0
def 20 40
ghi 0 30
I tried the transpose command but it only shows one header.
Thank you.
R
12-05-2017
04:42 AM
Hmmmm. Thank you! That is some improvement, but not quite yet what I had in mind .... Let me paste my entire query:
index=win_sec EventCode=4688 earliest=-1h@h latest=now New_Process_Name="C:\\Temp*" OR New_Process_Name="*AppData\\Local\\Temp*" OR #########
| eval Account_Name=mvindex(Account_Name,0)
| eval Account_Domain=mvindex(Account_Domain,0)
| table _time, host, Account_Domain, Account_Name, app, New_Process_Name
The ##### part should be where New_Process_Name is something like "C:\xxx.xxx" but not "C:\xxx\xxx.xxx"
Your query makes sense but it's also renaming the New_Process_Name field which is not my intention ... Any ideas?
12-05-2017
02:46 AM
Hi guys,
I am trying to get a regex to just match if a process has been run from the C drive, root folder.
I tried the following regex
regex New_Process_Name!="C:\\+[^\\\]+$"
but I still get all processes. The logic is simple: match only if there is no further "\" after "C:\".
What am I doing wrong?
- Tags:
- regex
10-06-2017
04:16 AM
The main issue is the latest event I am looking for is not in the main search index, but the sub-search one ... I ditched the sub-search and performed a join which gives me what I want, but it is very expensive ...
10-06-2017
01:27 AM
I managed to get what I want by using join; it does, however, take a long time ... maybe there is a more "performant" way to achieve that?
10-05-2017
11:54 PM
Hi guys,
Quick question here: I have the following queries:
Q1: Sub-Search for userID
Q2: Main search, which provides username and department
Currently I can get a table with userID, Username & Department.
I would like to include in the result table each user's last access timestamp, but this field is in the sub-search index. What is the best approach to achieve that?
Table:
UserID | Username | Department | Last Access
Thank you.
09-28-2017
03:55 AM
Hi Giuseppe, I am afraid the query won't solve my problem.
I would like to see a pivot-like table, grouping which users access at what time (this can be a time bucket of 1h) and what users fail at what time (also a time bucket). This needs to be grouped by user. In the example above, the following data should be provided:
range Users OK Users Fail
00:00-01:00 robE
01:00 - 02:00 jonasH
02:00 - 03:00 robE, timN
It can also be multi-value...
R
09-28-2017
01:47 AM
Hi, I have the following table:
_time usernameOK
_time usernameFail
example:
2017-09-28 00:10:00 usernameOK=robE
2017-09-28 01:10:20 usernameFail=jonasH
2017-09-28 02:20:23 usernameOK=timN
2017-09-28 02:20:35 usernameOK=robE
2017-09-28 02:30:46 usernameOK=robE
Basically I am trying to get the count of BOTH usernameOK and usernameFAIL, by time (bucketed 1h) by user, akin to a pivot table but my count command is coming back with an error ... Any ideas?
Thank you.
09-26-2017
12:50 AM
Hi Giuseppe,
that's what I would like: The Events:
2017/09/26 09:44:05 Client logging in as robertE on DB1...
2017/09/26 09:45:54 Client logging in as on DB1...
ERROR:Missing login information
2017/09/26 08:58:02 Client logging in as jamesH on DB1...
Connect to Oracle failed:
ORA-01017: invalid username/password; logon denied
These 3 events should match these 2 fields:
usernameOK: robertE
usernameFail: jamesH and ""
I can manage the usernameFail regex:
rex "(?ms)Client logging in as (?<usernameFail>[^ ]*).*(?i)(ERROR |failed|ERROR:)"
but I am struggling to get the usernameOK because if I use:
rex "(?ms)Client logging in as (?<usernameFail>[^ ]*).*"
it will also match the failed ones ....
The question is how can I match only the events where there is no ERROR or FAIL in the body?
09-25-2017
06:04 AM
Hi. That works, cool! What about the second use case, when the regex matches but the words "ERROR" or "failed" are not in the text??
Thank you!!!!
09-25-2017
05:39 AM
Nope. Dunno why but the original event has the "failed" string in the second line. Basically I am trying to create a field called AccessFail with the username when the regex matches AND the words "ERROR" or "failed" are present and another field called AccessOK when the regex matches but the words are not present. Does this make sense?
09-25-2017
05:10 AM
Hi,
I have the following event:
2017/09/25 10:58:57 Client logging in as robertE on DB1...
Connect to Oracle failed:
ORA-01017: invalid username/password; logon denied
ERROR:User login failed!
I am ok to extract the username via regex:
... | rex field=_raw "Client logging in as (?<usernameFail>\w+)"
but how do I also match the "failed" word in the 2nd line in order to differentiate successful & failed logons?
Thanks! 🙂
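The difficulty running through this thread (the posts from 09-25-2017 to 09-28-2017 above) is that two competing regexes are being asked to decide success versus failure, and the "success" regex matches the failed events too. The more robust shape is to extract the user name once, then derive the outcome from whether the rest of the multi-line body contains a failure marker, and only then pivot the results by hour into the "Users OK / Users Fail" table from the 09-28 post. The following is an added Python example, not the poster's search or data: the events are constructed from the shapes shown in the thread, and the user name is made optional in the pattern so the "logging in as on DB1" event (no name sent) is still captured, as the poster wanted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed multi-line events modelled on the ones in the thread (not the poster's data).
EVENTS = [
    "2017/09/26 09:44:05 Client logging in as robertE on DB1...",
    "2017/09/26 09:45:54 Client logging in as on DB1...\n"
    "ERROR:Missing login information",
    "2017/09/26 08:58:02 Client logging in as jamesH on DB1...\n"
    "Connect to Oracle failed:\n"
    "ORA-01017: invalid username/password; logon denied",
    "2017/09/26 10:58:57 Client logging in as robertE on DB1...\n"
    "Connect to Oracle failed:\n"
    "ORA-01017: invalid username/password; logon denied\n"
    "ERROR:User login failed!",
    "2017/09/26 09:50:00 Client logging in as timN on DB1...",
]

# The user name is optional so 'logging in as on DB1' (no name sent) still matches.
LOGIN = re.compile(r"Client logging in as(?: (?P<user>\S+))? on ")
# Failure indicators anywhere in the event body, on any line.
FAIL = re.compile(r"\bERROR\b|\bfailed\b", re.IGNORECASE)
TS_FMT = "%Y/%m/%d %H:%M:%S"


def parse_event(event):
    """Extract the user once, then derive the outcome from the rest of the body."""
    m = LOGIN.search(event)
    if not m:
        return None
    return {
        "_time": datetime.strptime(event[:19], TS_FMT),
        "user": m.group("user") or "",          # "" when the client sent no name
        "status": "fail" if FAIL.search(event) else "ok",
    }


def hourly_table(events):
    """Pivot: 1-hour range -> users who logged in OK and users who failed."""
    table = defaultdict(lambda: {"ok": set(), "fail": set()})
    for ev in events:
        rec = parse_event(ev)
        if rec is None:
            continue
        start = rec["_time"].replace(minute=0, second=0)
        rng = f"{start:%H:%M}-{start + timedelta(hours=1):%H:%M}"
        table[rng][rec["status"]].add(rec["user"])
    return {k: {"ok": sorted(v["ok"]), "fail": sorted(v["fail"])}
            for k, v in sorted(table.items())}


if __name__ == "__main__":
    print("range\t\tUsers OK\tUsers Fail")
    for rng, users in hourly_table(EVENTS).items():
        ok = ", ".join(users["ok"])
        fail = ", ".join(repr(u) for u in users["fail"])   # '' shows the empty user name
        print(f"{rng}\t{ok}\t{fail}")
```

Deriving the status from the body, rather than from a second regex, also means a new failure wording (a different ORA- code, a new ERROR line) only requires extending `FAIL`, and the success set is always "everything that did not fail" for the same extraction.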
09-08-2017
01:07 AM
Hi guys,
more like a generic question: how do you make sense of events which are not necessarily linked by a common field? For example, one of our applications produces logs that generate many events/lines such as:
[08/Sep/2017:09:20:20 +0200] Logon request from 10.10.10.3
[08/Sep/2017:09:20:21 +0200] Object 662737354 deleted
[08/Sep/2017:09:20:21 +0200] User X77262 trying to connect ...
[08/Sep/2017:09:20:22 +0200] Logon Denied: Bad password
So lines 1, 3 and 4 represent a logon request but I cannot "transact" them as there is no common field. Or can I?
In a perfect world session IDs would be introduced in the logs OR more complete log entries, but changing code is a massive undertaking ... How do you guys deal with scenarios such this one?
Thanks.
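When the events share no field, the only things left to correlate on are ordering and time: a "Logon request" line opens an attempt, the next "User ... trying to connect" line within a short window supplies the user, and the next outcome line closes it, while unrelated lines in between are skipped. This is the same idea as SPL's `transaction` with `startswith`, `endswith` and `maxspan`. The following is an added Python example of that stitching, not the poster's data or search: the log excerpt is constructed in the format shown in the question, and the second and third attempts (including a `Logon OK` line, which the post does not show) are assumed so that a success and an unfinished attempt are covered.

```python
import re
from datetime import datetime, timedelta

# Constructed log excerpt in the post's format. The second and third attempts and the
# 'Logon OK' wording are assumptions added to show a success and an unfinished attempt.
LOG = """\
[08/Sep/2017:09:20:20 +0200] Logon request from 10.10.10.3
[08/Sep/2017:09:20:21 +0200] Object 662737354 deleted
[08/Sep/2017:09:20:21 +0200] User X77262 trying to connect ...
[08/Sep/2017:09:20:22 +0200] Logon Denied: Bad password
[08/Sep/2017:09:21:05 +0200] Logon request from 10.10.10.9
[08/Sep/2017:09:21:06 +0200] User X11111 trying to connect ...
[08/Sep/2017:09:21:06 +0200] Logon OK
[08/Sep/2017:09:30:00 +0200] Logon request from 10.10.10.3
[08/Sep/2017:09:30:01 +0200] User X77262 trying to connect ...
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
START = re.compile(r"^Logon request from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
USER = re.compile(r"^User (?P<user>\S+) trying to connect")
END = re.compile(r"^Logon (?P<outcome>Denied|OK)\b(?::\s*(?P<reason>.*))?")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    m = LINE.match(line)
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("msg")


def stitch_logons(text, maxspan=timedelta(seconds=5)):
    """Group a start line, the user line and the outcome line into one attempt,
    using only ordering and time proximity (the events share no field)."""
    attempts = []
    current = None

    def close(outcome):
        nonlocal current
        if current is not None:
            if current["outcome"] is None:
                current["outcome"] = outcome
            attempts.append(current)
            current = None

    for line in text.splitlines():
        if not line.strip():
            continue
        ts, msg = parse_line(line)
        # An attempt that has run past maxspan is closed before this line is considered.
        if current is not None and ts - current["start"] > maxspan:
            close("incomplete")
        m = START.match(msg)
        if m:
            close("incomplete")            # a new request ends any dangling attempt
            current = {"start": ts, "ip": m.group("ip"), "user": None, "outcome": None}
            continue
        if current is None:
            continue                       # noise outside an attempt
        m = USER.match(msg)
        if m:
            current["user"] = m.group("user")
            continue
        m = END.match(msg)
        if m:
            outcome = m.group("outcome")
            current["outcome"] = "OK" if outcome == "OK" else f"Denied: {m.group('reason')}"
            close(None)
    close("incomplete")                    # end of log: whatever is still open never finished
    return attempts


if __name__ == "__main__":
    for a in stitch_logons(LOG):
        print(f"{a['start']:%H:%M:%S}  ip={a['ip']}  user={a['user']}  outcome={a['outcome']}")
```

The caveat a practitioner should keep in mind is that this correlation is a heuristic: two clients logging on within the same few seconds will interleave their lines and be mis-stitched, which is exactly why the post's "perfect world" fix (a session ID in every line) is the right long-term answer. Until then, keeping `maxspan` tight and marking unfinished attempts as `incomplete` rather than guessing keeps the error visible.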
09-06-2017
04:15 AM
Hi,
yes, I would like some references if possible ... Thank you v much!!!! Really appreciate it.
09-04-2017
06:18 AM
1 Karma
I have an interesting scenario: senior members of our team would like access to some Information Security dashboards that I created within an app.
The question is: is there a way to grant read-only access to all indexes within this app but only to a few ones outside it? Additionally, I would like to prevent users from running ad-hoc searches when in the app - they should only be allowed to run dashboards.
To clarify:
User A has access to indexes 1, 2 and 3 when using App X and should run searches and dashboards with no issues. However, when using App Z, they should only be able to run dashboards. These dashboards are populated with data from indexes 1, 2, 3 ... 50.
Thank you,
Rob