Activity Feed
- Karma Re: How can we track changes made in Correlation searches?? for richgalloway. 09-20-2020 01:09 AM
- Karma Re: How can we track changes made in Correlation searches?? for Jhunter. 09-20-2020 01:09 AM
- Posted Re: How can we track changes made in Correlation searches?? on Splunk Enterprise Security. 09-16-2020 05:50 AM
- Posted How can we track changes made in correlation searches? on Splunk Enterprise Security. 09-16-2020 01:22 AM
- Tagged How can we track changes made in correlation searches? on Splunk Enterprise Security. 09-16-2020 01:22 AM
- Karma Re: running a search for 30 mins before and after the clicked time as drilldown for rmmiller. 06-05-2020 12:50 AM
- Got Karma for passing a query string as token. 06-05-2020 12:50 AM
- Posted Re: creating drilldown panel based on the selected value in $click.value$ on Splunk Enterprise Security. 12-04-2019 07:56 PM
- Posted creating drilldown panel based on the selected value in $click.value$ on Splunk Enterprise Security. 12-04-2019 06:49 PM
- Tagged creating drilldown panel based on the selected value in $click.value$ on Splunk Enterprise Security. 12-04-2019 06:49 PM
- Posted Re: running a search for 30 mins before and after the clicked time as drilldown on Dashboards & Visualizations. 11-18-2019 07:37 AM
- Posted Re: running a search for 30 mins before and after the clicked time as drilldown on Dashboards & Visualizations. 11-12-2019 05:10 AM
- Posted Re: running a search for 30 mins before and after the clicked time as drilldown on Dashboards & Visualizations. 11-11-2019 06:56 AM
- Posted running a search for 30 mins before and after the clicked time as drilldown on Dashboards & Visualizations. 11-11-2019 05:57 AM
Topics I've Started
09-16-2020 05:50 AM
@richgalloway, can we at least get the info on who made the change, the search name, and the time? I am not tracking the exact change made, but who made the changes.
09-16-2020 01:22 AM
I want to create a scheduled search that will track the changes made in content under the Splunk Enterprise Security app. If someone modifies correlation searches, I want my query to capture it. Can this be achieved??
Please help.
Labels: correlation search
12-04-2019 07:56 PM
We have to execute different table commands based on the value of the sourcetype; this is just passing the sourcetype. I want that if the value of $sourcetype$ is ! then table A runs in panel 2, and if the sourcetype is B then table B runs.
12-04-2019 06:49 PM
I want to create a drilldown panel that will run different searches based on the value selected, i.e. $click.value$.
The search for panel 1 is something like:
my query| top sourcetype
The user will click on a sourcetype, and then a new panel will come up, and I want to give a table with relevant fields based on the selected sourcetype. For example, if the selected sourcetype is firewall, we need to give src, dest, session_id, etc., and if the sourcetype is mailbox we need to give sender_email_id, receiver_email_id, etc.
So, I want to execute the table command in my panel 2 based on the sourcetype under consideration.
@somesoni2 @woodcock @gcusello @mayurr98 @rmmiller please help!!
11-18-2019 07:37 AM
@rmmiller, just checked, works fine. Good work!!
Cheers
11-12-2019 05:10 AM
@rmmiller, your help is very much appreciated.
Can you please try to pass the search and open it in another search window? I am still facing the issue of getting the drilldown to open another search window with the following search:
index="tutorial" categoryId=strategy earliest=[|gentimes start=-1|eval new = relative_time($mycentertime$,"-1800")| return $$new] latest=[|gentimes start=-1|eval latest1 = relative_time($mycentertime$,"+1800")| return $$latest1] | top clientip
I tried all 3, though, but the "+" sign was still vanishing.
11-11-2019 06:56 AM
Yes @rmmiller, the problem remains the same. The main issue is that when the search goes through the drilldown hammer, the "+" sign somehow vanishes.
11-11-2019 05:57 AM
Hi All,
I am trying to create a drilldown for my timechart; the idea is to drill down to the events that happened 30 mins before and after the clicked time (click.value in my case). I referred to the answer
https://answers.splunk.com/answers/215176/subtracting-30-minutes-from-passed-drilldown-param.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
Now this is helping me pass the earliest time, but when I use the same concept with the latest time I am not getting the desired result. Below is my current query:
index="tutorial" categoryId=strategy earliest=[|gentimes start=-1|eval new = relative_time($click.value$,"-1800")| return $$new] latest=[|gentimes start=-1|eval latest1 =($click.value$ + 1800)| return $$latest1] | top clientip
After passing through the drilldown pipeline, the query changes to:
index="tutorial" categoryId=strategy earliest=[|gentimes start=-1|eval new = relative_time(1572728400.000,"-1800")| return $new] latest=[|gentimes start=-1|eval latest1 =(1572728400.000 1800)| return $latest1] | top clientip
If you look closely, the + sign just vanished. I tried many ways to find a workaround for that but wasn't able to. Please take a look and try to run the query once yourself.
@Raghav2384 @RVDowning @somesoni2 @woodcock @gcusello @mayurr98 please help guys!!
10-30-2019 08:54 AM
Hi @Raghav2384,
I tried this on my dashboard panel. It is picking the time 30 mins prior well, but the latest time is getting calculated as now(). Below is my query; please let me know if I am making some mistake. I need plus/minus 30 mins around my click.value (the epoch time of a point in my timechart).
index=wineventlog EventCode=4625 earliest=[|gentimes start=-1|eval new = relative_time($click.value$,"-1800")| return $$new]
Help me with the latest time.
Thanks,
Manish
10-09-2019 05:34 PM
1 Karma
How to extract the query stored in the form of a key-value pair in a lookup and execute the query in a single go in the search app.
For example: |makeresults|eval field1= "index=*|stats count "| --> how can we pass the value in field1, which is a query, and execute it within the same search?
Please help: @somesoni2 @woodcock @martin_mueller @niketnilay
Tags: splunk-enterprise