Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About gndivya
gndivya
Explorer
Member since:
05-03-2019
07-22-2021
Community Statistics
| Posts | 25 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 2 |
| Member Since | 05-03-2019 |
Activity Feed
- Karma Re: How to get the data related to creation, modification, deletion of a particular index for gaurav_maniar. 06-05-2020 12:51 AM
- Got Karma for Wildcard * does not work with If or Case in Splunk. 06-05-2020 12:50 AM
- Got Karma for Unable to open lookup file from lookup editor app. 06-05-2020 12:50 AM
- Posted Re: how to group events based on specific conditions. on Splunk Search. 05-13-2020 10:24 PM
- Posted Re: Why results are not same when the query is executed for a large time range on Splunk Search. 05-13-2020 09:53 PM
- Posted Re: Why results are not same when the query is executed for a large time range on Splunk Search. 05-13-2020 03:06 AM
- Posted Why results are not same when the query is executed for a large time range on Splunk Search. 05-12-2020 07:10 AM
- Tagged Why results are not same when the query is executed for a large time range on Splunk Search. 05-12-2020 07:10 AM
- Tagged Why results are not same when the query is executed for a large time range on Splunk Search. 05-12-2020 07:10 AM
- Posted Re: How to display events which has logged at the same time as different events using tstats on Splunk Search. 05-12-2020 05:20 AM
- Posted How to display events which has logged at the same time as different events using tstats on Splunk Search. 05-12-2020 03:51 AM
- Tagged How to display events which has logged at the same time as different events using tstats on Splunk Search. 05-12-2020 03:51 AM
- Tagged How to display events which has logged at the same time as different events using tstats on Splunk Search. 05-12-2020 03:51 AM
- Posted Re: how to group events based on specific conditions. on Splunk Search. 05-11-2020 03:07 AM
- Posted how to group events based on specific conditions. on Splunk Search. 05-11-2020 01:41 AM
- Tagged how to group events based on specific conditions. on Splunk Search. 05-11-2020 01:41 AM
- Tagged how to group events based on specific conditions. on Splunk Search. 05-11-2020 01:41 AM
- Posted Re: How to create a regex to extract data from windows event? on Splunk Search. 03-22-2020 10:45 PM
- Posted Re: How to create a regex to extract data from windows event? on Splunk Search. 03-20-2020 07:45 AM
- Posted Re: How to create a regex to extract data from windows event? on Splunk Search. 03-20-2020 07:44 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-13-2020
10:24 PM
Hi to4kawa,
The above code worked. When the same query is being modified using a tstats search, I am not able to display all the events that happened at a specific point of time, hence the above code is not giving me the actual maximum attempts, instead, it is giving me the maximum attempts of the data coming.
At time T1, 2 events has occurred but I am able to see only one when the tstats query is used.
How to get the max_attempts in this case.
Query used.
| tstats summariesonly count values(Authentication.action) as Authentication.action values(Authentication.src) as Authentication.src values(Authentication.signature_id) as Authentication.signature_id values(Authentication.signature) as Authentication.signature from datamodel=Authentication where (Authentication.action=success OR Authentication.action=failure ) by _time Authentication.user Authentication.dest span=1s
| drop_dm_object_name("Authentication")
| sort 0 user _time dest
| streamstats count as attempts sum(count) as total_count min(count) as min_count by user dest action reset_on_change=true
Data
Time User Dest Count action attempts max_attempts total_count min_count
T1 U1 D1 2 success 1 5 2 2
T2 U1 D1 3 success 2 5 5 2
T3 U1 D1 2 failure 1 7 2 2
T4 U1 D1 3 failure 2 7 5 2
T5 U1 D1 2 failure 3 7 7 2
T6 U1 D1 3 success 1 6 3 3
T7 U1 D1 2 success 2 6 5 2
T8 U1 D1 1 success 3 6 6 1
I hope my question is clear.
... View more
05-13-2020
09:53 PM
If my expectations are incorrect, then the same result should be displayed even though the time range is larger. But that is not happening in my case. Narrow time range actual results, expand the time range, no results. How to mitigate this?
... View more
05-13-2020
03:06 AM
When the time range is more, the results which I am expecting is not being displayed. Instead some other results are being drawn. But when the time range is very specific, I am able to get the results which I am expecting.
... View more
05-12-2020
07:10 AM
I have a query which is using streamstats, eventstats, stats, and transaction (trying to achieve brute force attack logic). It displays the search results when I give the proper date range (from 05/12/2020 at 17:30:00 to 05/12/2020 at 17:35:00 which is just 5 mins). But the same search doesn't provide me with the same search result but produces another search result when the date range is given like from 05/12/2020 at 17:20:00 to 05/12/2020 at 17:45:00 which is near to 25 mins.
Please let me know why this happens?
Query used is.
index=wineventlog_sec* tag=authentication (action=success OR action=failure)
| table _time user dest EventCode action
| sort 0 user _time dest
| streamstats count as attempts by action user dest reset_on_change=true
| streamstats count(eval(attempts=1)) as sessions by user dest
| eventstats count as max_attempts by sessions user dest
| eval success_session=(sessions-1)
| eventstats max(eval(case(match(action,"failure") AND attempts=1 AND max_attempts>50 ,_time))) as lastFailed max(eval(case(match(action,"success") AND attempts=1,_time))) as lastSuccess by action user dest success_session
| search attempts=1
| transaction user dest maxspan=1m maxevents=2
| search lastFailed=* AND lastSuccess=*
... View more
05-12-2020
05:20 AM
list is not supported in tstats and split by _raw is not working.
... View more
05-12-2020
03:51 AM
Hi,
There are 3 events that have been logged exactly at the same time say 2020-04-28 15:39:34.
When the search query is using index, the 3 events get displayed separately. But when I am using tstats command, it is combining all the 3 events as all of them have logged at the same time.
Is there any way to show these events as separate events while using tstats command?
Queries that I have used for fetching the data.
| tstats count values(Authentication.action) as Authentication.action values(Authentication.src) as Authentication.src values(Authentication.signature_id) as Authentication.signature_id values(Authentication.signature) as Authentication.signature from datamodel=Authentication where (Authentication.action=success OR Authentication.action=failure ) by _time Authentication.user Authentication.dest span=1s
The count column shows me exactly how many times the event has occurred at that particular time. So instead of this, is there any way all the events get displayed separately?
Thanks in advance.
... View more
05-11-2020
03:07 AM
In the second table which I have provided, max_attempts gives the maximum of attempts field wrt success or failure. If there is a failure attempt present after n number of success attempts, then max_attempts for the first success group is n and similarly next group which is failure should have the maximum number of attempts.
I hope my explanation is clear
... View more
05-11-2020
01:41 AM
Hi,
I want to group few events based on the success and failure action for a particular user and dest as below. Kindly help in writing a query like this.
Using streamstats I got things like below. Query which I have used here
index=wineventlog_sec* tag=authentication (action=success OR action=failure)
| table _time user dest EventCode action
| sort 0 _time user dest
| streamstats count as attempts by action user dest reset_on_change=true
Time User Dest action attempts
T1 U1 D1 success 1
T2 U1 D1 success 2
T3 U1 D1 failure 1
T4 U1 D1 failure 2
T5 U1 D1 failure 3
T6 U1 D1 success 1
T7 U1 D1 success 2
T8 U1 D1 success 3
How to get the max attempts performed for a particular group of user dest and action (all 3 should be present) like below.
Time User Dest action attempts max_attempts
T1 U1 D1 success 1 2
T2 U1 D1 success 2 2
T3 U1 D1 failure 1 3
T4 U1 D1 failure 2 3
T5 U1 D1 failure 3 3
T6 U1 D1 success 1 3
T7 U1 D1 success 2 3
T8 U1 D1 success 3 3
... View more
03-22-2020
10:45 PM
When I use this, I am getting all the data after "statement" like additional_information, user_defined_information, all other things. Please let me know what else can be done to get only the required information
... View more
03-20-2020
07:45 AM
@vnravikumar , This is working when used in a normal query, but I am not sure why the same regex is not working when it is used in inline field extractions. Could you please help me with this?
... View more
03-20-2020
07:44 AM
@to4kawa this worked when in a normal search query, I am not sure why the same regex is not working when it is used in inline field extractions. Could you please help me with this?
I want to know, what does that (?m) means at the beginning of the regex string. If possible, kindly let me know what document you refer to while creating regular expression.
... View more
03-20-2020
12:39 AM
I have an event code 33205 which comes from Windows application logs, for which field extraction is not happening eventhough Windows Add-on in installed.
To extract the statement field in the event, I am using the below regular expression
| rex field=_raw "statement:(?[\d\D]*[\n\s])additional"
which extracts the data till additional_information field. But there are extra spaces which are getting included while extracting like this
quote
EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)
unquote
The extra spaces is not getting removed. Could you please help on this to write regex?
Sample event.
database_name:test
schema_name:dbo
object_name:Table_2
statement:EXEC %%Object(MultiName = @qualified_name).LockMatchID(ID = @tabid, Exclusive = 1, BindInternal = 0)
additional_information:
user_defined_information:
application_name:EUPTTOPDBS004\SQLNAV-test-test2-4
... View more
03-01-2020
11:36 PM
Hi,
I want to check when the index was created, modified or deleted from internal logs(also other details of this particular operation). Is there any way to query this data?
... View more
- Tags:
- splunk-enterprise
Labels
- Labels:
-
audit
01-29-2020
11:29 PM
We have a requirement to extract all the admin users and give the report on last day of the month. I have the query to extract the admin users list from REST api which is currently triggered at 28th of every month considering Feb month.
Please help to write a cron for last day every month. If cron is not there (as I saw in many questions) please let me know what else can I write in my query to get the requirement complete.
... View more
01-20-2020
02:18 AM
| makeresults
| eval my_multival="4726,4722,4726"
| makemv tokenizer="([^,]+),?" my_multival
this is the sample one i m using... that result id will contain data like below
4726
4726
4722
4726
4726
4726
4722
4726
... View more
01-20-2020
01:52 AM
I have a multivalue field which is got from a stats function. using mvfind function, how to write regex for this.
query...|stats list(result_id) by user
result_id is a multivalue field and it contains data like
r_id1
r_id2
r_id3
r_id4
I want to write a regex which matches as below
r_id2
r_id3
but the below eval doesnt work.
eval n=mvfind(result_id,"r_id2\nr_id3")
OR
eval n=mvfind(result_id,"r_id2\sr_id3")
please help.
... View more
- Tags:
- splunk-enterprise
01-14-2020
02:02 AM
Hi,
I have 2 sets of data as below.
Set1
User1 dest1 Time1 EventCode-4722
User1 dest1 Time2 EventCode-4726
User1 dest1 Time3 EventCode-4722
User1 dest1 Time4 EventCode-4726
User1 dest1 Time5 EventCode-4722
Set2
User2 dest2 Time1 EventCode-4726
User2 dest2 Time2 EventCode-4722
User2 dest2 Time3 EventCode-4726
I need to get all the complete set (includes other fields) of data which starts with Event code 4722 and ends with 4726. How can I achieve this?
I want data as
set 1
User1 dest1 Time1 EventCode-4722
User1 dest1 Time2 EventCode-4726
set 2
User1 dest1 Time3 EventCode-4722
User1 dest1 Time4 EventCode-4726
set3
User2 dest2 Time2 EventCode-4722
User2 dest2 Time3 EventCode-4726
Please help. thanks in advance.
... View more
12-18-2019
02:35 AM
I have a CSV lookup present with 1000 rows as per the below query.
sourcetype="snow:cmdb_ci_service" | stats latest(*) as * by dv_name
If any field needs to be modified based on dv_name row, is it possible to do the changes ?
If yes, how to modify the data using the query?
... View more
- Tags:
- lookup
- modification
11-20-2019
01:56 AM
@gcusello,
This worked. Thanks.
... View more
11-20-2019
01:55 AM
@ekost,
Could you please explain the point - "The lookups have specific fields and requirements, a .csv structure, and may be populated manually or dynamically. " how to populate the lookup dynamically in a distributed environment, such as AWS?
... View more
11-13-2019
05:41 AM
Is there any XML tag present to resize the dashboard panels. I would like to have 2 panels which are of the same size (currently) to be resized as 1 small and another 1 large.
... View more
- Tags:
- splunk-cloud
11-13-2019
01:05 AM
1 Karma
I have Admin access, but whenever any of the lookup files is opened through Lookup Editor, it gives me a warning message saying that "The requested lookup file does not exist". But when I open the lookup through a search query, I am able to get the details present in the lookup. Below search query is used.
|inputlookup append=t LookupName.
Lookup has Read permission to everyone and there is no write permission mentioned for any of the users. Also, even if I give write permission to Admin Role, I am still unable to open the lookup through Lookup Editor App.
... View more
11-07-2019
05:10 AM
Is it possible to get the list of all indexes along with the userID who has created that index with the time of creation?
I have tried with | rest /services/data/indexes, where index details (cold, hot, thawed paths) are available but not the creation timestamp and user id.
... View more
11-04-2019
08:36 AM
1 Karma
There are 3 different values for one particular field say field1 - "INTPAY\ITS\TD_EFT\can contain other data", "INTPAY\TD_EFT\can contain other data", "Expense_EFT\can contain other data"
Below eval statement doesn't work:
| eval Flag=case((field1 like "INTPAY%TD_EFT%" OR field1 like "INTPAY%ITS%TD_EFT%") ,"1",(field1 like "Expense_EFT%"),"2",1=1,"3")
How can I write a search to get the below requirement:
If field1 is "INTPAY\ITS\TD_EFT\can contain other data" or "INTPAY\TD_EFT\can contain other data", flag should be 1, if field1 is "Expense_EFT\can contain other data", flag should be 2. If none matches, flag should be 3.
Have tried with INTPAY\TD_EFT also.
Please help.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-22-2021
11:40 AM
|
