Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About jmcaloon
jmcaloon
Explorer
Member since:
02-23-2017
06-05-2020
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 02-23-2017 |
Activity Feed
- Got Karma for Re: How to find out the first occurrence of an event with a search?. 06-05-2020 12:48 AM
- Posted How to edit my search to find the last seen date of our computers? on Splunk Search. 03-16-2017 12:16 PM
- Tagged How to edit my search to find the last seen date of our computers? on Splunk Search. 03-16-2017 12:16 PM
- Tagged How to edit my search to find the last seen date of our computers? on Splunk Search. 03-16-2017 12:16 PM
- Tagged How to edit my search to find the last seen date of our computers? on Splunk Search. 03-16-2017 12:16 PM
- Tagged How to edit my search to find the last seen date of our computers? on Splunk Search. 03-16-2017 12:16 PM
- Posted Re: How to find out the first occurrence of an event with a search? on Splunk Search. 02-24-2017 07:45 AM
- Posted How to find out the first occurrence of an event with a search? on Splunk Search. 02-23-2017 02:22 PM
- Tagged How to find out the first occurrence of an event with a search? on Splunk Search. 02-23-2017 02:22 PM
- Tagged How to find out the first occurrence of an event with a search? on Splunk Search. 02-23-2017 02:22 PM
- Tagged How to find out the first occurrence of an event with a search? on Splunk Search. 02-23-2017 02:22 PM
- Posted Re: How to edit my search to remove "T" and "Z" characters from showing up in my timestamp results? on Splunk Search. 02-23-2017 09:22 AM
- Posted Re: How to edit my search to remove "T" and "Z" characters from showing up in my timestamp results? on Splunk Search. 02-23-2017 09:11 AM
- Posted Re: How to edit my search to remove "T" and "Z" characters from showing up in my timestamp results? on Splunk Search. 02-23-2017 09:06 AM
- Posted How to edit my search to remove "T" and "Z" characters from showing up in my timestamp results? on Splunk Search. 02-23-2017 08:32 AM
- Tagged How to edit my search to remove "T" and "Z" characters from showing up in my timestamp results? on Splunk Search. 02-23-2017 08:32 AM
- Tagged How to edit my search to remove "T" and "Z" characters from showing up in my timestamp results? on Splunk Search. 02-23-2017 08:32 AM
- Tagged How to edit my search to remove "T" and "Z" characters from showing up in my timestamp results? on Splunk Search. 02-23-2017 08:32 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
03-16-2017
12:16 PM
What I am trying to do is currently search for Computers that were last seen 10 days or more ago. Currently right now I have the following search syntax:
ComputerName=* AgentVersion=* | dedup ComputerName| table timestamp ComputerName, AgentVersion.
Do I need an eval and then last seen time? If so how would I do that?
Thank you,
Jack McAloon
... View more
02-24-2017
07:45 AM
1 Karma
These suggestions got me to exactly what I needed. Thank you !
... View more
02-23-2017
02:22 PM
Currently I am trying to figure out a way to pull the first time an event occurred. Specifically when one of our programs check in for the first time with the latest update.
Currently I can pull the most recent event, but it would be better for troubleshooting to pull the first event if an issue occurred due to a new version.
Here is the current code I have:
ComputerName= * event_platform=Win| spath event_simpleName | search event_simpleName=SensorHeartbeat| spath ConfigBuild | search ConfigBuild!="(Whatever Verison its on)"|dedup ComputerName
What I would like it to do is to pull the first time the computer checked in with a version of config build. I tried using the stats command, but had no luck. Any suggestions?
Thank you,
Jack
... View more
02-23-2017
09:22 AM
That worked perfectly.Thank you
... View more
02-23-2017
09:11 AM
Tried the updated results and still of no luck. Is there such a command just to parse out from the specifc variable that is being called? So for an example replace Date "T" "z" etc. I am new to splunk so still tyring to figure everything out
... View more
02-23-2017
09:06 AM
When trying that command at the end with the eval, it was still the same results.
... View more
02-23-2017
08:32 AM
When using a search and calling out timestamp I am getting weird results on how the Timestamp is being formatted. Here is my current search I am using:
ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID"
The formatting I am using is returning this as the date column for this issue:
2017-02-23T16:22:09.956Z
Is there a way I can remove that T and Z and just add a space because this seems to be happening to every search I try that includes the date?
Thank you,
Jack
... View more
