Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About vigneshit
vigneshit
New Member
Member since:
09-13-2019
06-05-2020
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 09-13-2019 |
Activity Feed
- Posted Re: How to extract a value from a field by ignoring some of the characters? on Knowledge Management. 02-20-2020 03:17 PM
- Posted Re: How to extract a value from a field by ignoring some of the characters? on Knowledge Management. 02-20-2020 02:11 PM
- Posted Re: How to extract a value from a field by ignoring some of the characters? on Knowledge Management. 02-20-2020 02:08 PM
- Posted How to extract a value from a field by ignoring some of the characters? on Knowledge Management. 02-19-2020 04:40 PM
- Tagged How to extract a value from a field by ignoring some of the characters? on Knowledge Management. 02-19-2020 04:40 PM
- Posted Re: 1: Need to find Average number of vpn users in weekday and weekend on Splunk Enterprise Security. 09-14-2019 01:42 PM
- Posted Re: 1: Need to find Average number of vpn users in weekday and weekend on Splunk Enterprise Security. 09-14-2019 09:44 AM
- Posted Re: 1: Need to find Average number of vpn users in weekday and weekend on Splunk Enterprise Security. 09-14-2019 09:40 AM
- Posted 1: Need to find Average number of vpn users in weekday and weekend on Splunk Enterprise Security. 09-13-2019 04:24 PM
- Tagged 1: Need to find Average number of vpn users in weekday and weekend on Splunk Enterprise Security. 09-13-2019 04:24 PM
- Tagged 1: Need to find Average number of vpn users in weekday and weekend on Splunk Enterprise Security. 09-13-2019 04:24 PM
- Tagged 1: Need to find Average number of vpn users in weekday and weekend on Splunk Enterprise Security. 09-13-2019 04:24 PM
Topics I've Started
02-20-2020
03:17 PM
Hi I used where and replace command.
but it takes more time to run the query.
Is there any other way I can make this query still efficient:
index=sec_proxy_web user_work_country="in" user_bunit="rbei/bsd1" sourcetype="bluecoat:proxysg:access:syslog"
|where category!="Content Delivery Networks" | where category!="Chat (IM)/SMS"
|where category!="Web Ads/Analytics"
| where NOT url like("%edge-chat%")
|where NOT url like("%mtalk.google.com%")
|where NOT url like("%accounts.google%")
|where NOT url like("%doubleclick%")
|where NOT url like("%googlevideo.com%")
|where NOT url like("%clients%")
|where NOT url like("%googlesyndication%")
|where NOT url like("%adservice%")
|where NOT url like("%gstatic%")
|where NOT url like("%api%")
|where NOT url like("%gravatar%")
|where NOT url like("%youboranqs01%")
|replace tcp://* WITH * IN url
|replace http://* WITH * IN url
|replace https://* WITH * IN url
| stats count by url | sort -count
... View more
02-20-2020
02:11 PM
EG 1 and 3 works fine
But eg2 i get
error : Error in 'rex' command: Encountered the following error while compiling the regex '([chpt]://)(?.*)': Regex: unrecognized character after (? or (?-.
I wanted to write a rex where it can ignore http https and tcp the above expression looks correct but i dont know why splunk throws above error.
Couldnt understand this "rex to extract then drop old field and rename new (can't just extract and overwrite):"
... View more
02-20-2020
02:08 PM
This works but i cannot use it for realtime and for a particular user in drilldown later.
... View more
02-19-2020
04:40 PM
The first query I run is
index=sec_proxy_web sourcetype="bluecoat:proxysg:access:syslog" | top 10 url
I have web proxy log and a field url but in url it contains tcp, http and some ad blocker sites which i want to remove by entering those site.
for eg :
1. I need to remove the site edge-chat.facebook.com,
2. I just need to remove tcp or http or https if its present in that url
I tried few rex but i was not able to do it.
can you please help me how to get an output without this characters.
... View more
- Tags:
- splunk-enterprise
09-14-2019
01:42 PM
Hi I just was cross verifying the 2 search's found that the results are not same its different for a same time duration. Do you have any insight on why is there a mismatch since both of them run the same query but in different manner?
1: Query output
weekend_or_not avg_count
weekend 13399.5
work day 40337.2
2:query
weekend_or_not avg_count
weekend 6130.5
workday 6662
... View more
09-14-2019
09:44 AM
Thanks alot it worked.
But I could not understand the working of 2nd search query
| gentimes start=-7
| eval random_user_count = random()%5000 + 4000
| eval date_wday = strftime(starttime, "%A")
| eval _time = starttime
How you selected the random function and the number 5000/4000? So if there is an explanation it would be great for my Understanding Thank YOU.
... View more
09-14-2019
09:40 AM
Thanks it worked..
But I could not understand the 2nd search query how you got the random function and how you decided the number 5000 and 4000 if any explanation would be there it would be great:)
| gentimes start=-7
| eval random_user_count = random()%5000 + 4000
| eval date_wday = strftime(starttime, "%A")
| eval _time = starttime
... View more
09-13-2019
04:24 PM
Curerntly using the search :
1:: index=sec_vpn sourcetype="cisco:acs" action=success date_wday!=sunday OR date_wday!=saturday | dedup UserName
| stats dc(UserName) by date_wday
which is giving me number of users on per day basis .
output being :
date_wday dc(UserName)
friday 43996
monday 3055
thursday 19615
tuesday 8865
wednesday 12808
Need to find the average number of user on weekday.
2:: index=sec_vpn sourcetype="cisco:acs" action=success date_wday=sunday OR date_wday=saturday | dedup UserName
| stats dc(UserName) by date_wday
Need to find the average number of user on weekend.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
