cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Janani_Krish
Path Finder
Member since: ‎07-01-2020
‎03-22-2022
Community Statistics
Posts 45
Solutions 0
Karma Given 16
Karma Received 3
Member Since ‎07-01-2020
Activity Feed
Topics I've Started
View All

Re: wildcards with inputlookups in subseraches

by SplunkTrust in Splunk Search
‎03-22-2022 02:56 AM
‎03-22-2022 02:56 AM
Hi @Janani_Krish, please see something like this (if the field to match is called "matching_field"): index=your_index sourcetype="firewall" [ | inputlookup tc | eval matching_field="*".indicator."*" | fields matching_field ] | table _time matching_field field1 field2 ... Ciao. Giuseppe ... View more

Re: Nested subsearches with lookup

by in Splunk Search
‎11-01-2021 11:38 PM
‎11-01-2021 11:38 PM
Hi @ITWhisperer  Tried using format now. But this as well is not returning any results although our inner sub search is returning results. ... View more

Re: MLTK alerts and training set

by in Splunk Search
‎08-26-2021 06:02 AM
‎08-26-2021 06:02 AM
There is partial_fit=true to get time incremental learning. and partial_fit supports few algorithms only  ... View more

Re: Lookup instead of join

by in Splunk Search
‎05-03-2021 05:37 AM
‎05-03-2021 05:37 AM
HI @gcusello  Finally they have renamed the field in config files also and now it is working. Thanks. ... View more

Re: Error using lookup command

by in Splunk Search
‎03-05-2021 12:57 AM
‎03-05-2021 12:57 AM
Hi @manjunathmeti  My case is same as described in post suggested by you,  https://community.splunk.com/t5/All-Apps-and-Add-ons/Lookup-command-doesn-t-support-dot-notation-in-... The field itself is mentioned only "tag" in definition. PFB the image,   But when I run |inputlookup tci|search indicator="*" the results are like below with tag.name field, Also I tried, sourcetype="email*"|lookup tci indicator output type,rating,tag as tag.name|where isnotnull(type)|dedup indicator|table indicator  tag.name Still getting empty field. Is there any other way where I can rename my field manually except getting into lookup definitions. ... View more

Re: Query which should show whenever there is a mo...

by SplunkTrust in Dashboards & Visualizations
‎12-29-2020 05:16 AM
1 Karma
‎12-29-2020 05:16 AM
1 Karma
First, you'll need to save the set of expected results. sourcetype="my_sourcetype" |dedup indicator |table indicator | outputlookup indicator.csv Then you can compare those results to a new search. | set diff [sourcetype="my_sourcetype"|dedup indicator|table indicator] [|inputlookup indicator.csv] ... View more

Re: Dashboard not showing any results

by SplunkTrust in Dashboards & Visualizations
‎12-09-2020 11:31 PM
1 Karma
‎12-09-2020 11:31 PM
1 Karma
Hi @Janani_Krish, as @renjith_nair said, in dashboards a search is executed in "Smart Mode" cand probably you runned your search in Verbose Mode. Then Probably the fields you used in your search aren't selected, try to select the fields you use (src_ip and dest_ip) in the search, then run your search in Smart Mode, then it should run in the dashboard. In addition, remember that there's the limit of 50,000 results in subsearches, so it isn't a good practice to put the search in subsearch and the inputlookup in main search, try to invert them! Ciao. Giuseppe ... View more

Re: Negate the field containing both the values in...

by SplunkTrust in Splunk Search
‎12-01-2020 06:02 AM
1 Karma
‎12-01-2020 06:02 AM
1 Karma
Like this, maybe? sourcetype="my_sourcetype" session_id="1011" | eval indicator=mvappend(src,dest) | mvexpand indicator | stats count values(action) as actions by indicator,session_id | where (isnull(mvfind(actions,"allowed")) AND isnull(mvfind(actions,"teared"))) ... View more

ML query to detect categorial outlier per field pe...

by in Splunk Search
‎10-29-2020 12:11 AM
‎10-29-2020 12:11 AM
Hello All, I am trying to find categorial outlier for all the emails sent from our environment with respect to its count per day. My query is as follows, sourcetype="source" earliest=-2d latest=now() SenderAddress="*@mydomain.com" RecipientAddress!="*@mydomain.com"|timechart span=3d count by SenderAddress limit=0 | anomalydetection  "example@mydomain.com"  action=annotate | eval isOutlier = if(probable_cause != "", "1", "0") | table "example@mydomain.com", probable_cause, isOutlier | sort 100000 probable_cause But since I am having unlimited email addresses I have given limit=0 in timechart but unable to detect outliers for all the email address unless I specify them like anomalydetection  "example@mydomain.com" example2@mydomain.com  . I have tried something like below, sourcetype="source" earliest=-2d latest=now() SenderAddress="*@mydomain.com" RecipientAddress!="*@mydomain.com"|timechart span=3d count by SenderAddress limit=0 | anomalydetection  "[search sourcetype="source" earliest=-30d latest=now() SenderAddress="*@mydomain.com" RecipientAddress!="*@mydomain.com"|rename SenderAddress as search|table search|format] action=annotate | eval isOutlier = if(probable_cause != "", "1", "0") | table "example@mydomain.com", probable_cause, isOutlier | sort 100000 probable_cause But the above is not working. I have also tried with stats command as below but it is detecting overall outlier for last 3 days and is not comparing with specific email address per day, sourcetype="source" earliest=-2d latest=now() SenderAddress="*@mydomain.com" RecipientAddress!="*@mydomain.com"|bin _time span=1d|stats count by SenderAddress,_time | anomalydetection "SenderAddress" "count" action=annotate | eval isOutlier = if(probable_cause != "", "1", "0") | table "SenderAddress" "count", probable_cause, isOutlier | sort 100000 probable_cause Please do suggest a way where I can detect categorial outlier for emails sent per email address per day comparing with previous days. For example in the below data, 1@mydomain.com 9th sep 20 34emails                                         10th sep 20 100emails 3@mydomain.com 9th sep 20 45 emails                                         15th sep 20 37emails   It has to detect 1@mydomain.com on 10th sep as outlier, because comparing with previous day it has sent many emails.        ... View more
Labels

Re: where in stats command

by in Splunk Search
‎10-16-2020 01:52 AM
‎10-16-2020 01:52 AM
Hi @ITWhisperer , Thanks for the reply, 1.No tags contain multiple fields or single field depending upon the log. 2.No class doesnt have any pattern. 3.No class can be anywhere in tags. Rex command works well with timechart and stats command as well. ... View more

Re: fit command in MLTK detecting categorial outli...

by SplunkTrust in Splunk Search
‎09-23-2020 03:39 AM
1 Karma
‎09-23-2020 03:39 AM
1 Karma
there are many improvements in latest version of ML Toolkit. I advise you to upgrade it to latest version. ... View more

Scheduling the training set in MLTK

by in Splunk Search
‎09-23-2020 02:38 AM
1 Karma
‎09-23-2020 02:38 AM
1 Karma
Hello, I have used OneClassSVM algorithm for anomaly detection and after applying fit command I have a training data set. Now I want to train the data set everyday. Everywhere in the blogs it is written like schedule the data set or train the data set. But I didnt find any exclusive option to train the data set.  Do I have to schedule my training set by using save as alert option or is there any other way of doing this? Kindly give your ideas. ... View more
Labels

Re: Using rex to split raw field

by SplunkTrust in All Apps and Add-ons
‎09-16-2020 01:20 AM
1 Karma
‎09-16-2020 01:20 AM
1 Karma
simple, value will be extracted to new field called "file_path"   | rex "file_path\":(?<file_path>[^\,]+)"   ... View more

Re: Looping in SPLUNK Query

by SplunkTrust in Splunk Enterprise
‎09-07-2020 10:48 PM
1 Karma
‎09-07-2020 10:48 PM
1 Karma
there could be many events in a single sourcetype that matches one particular IP, this will create search performance issue and it may take hours/days if you are searching in GBs of data.  sourcetype!="IPs" [ search sourcetype="IPs" | stats count by IP | table IP | rename IP as search | format] | table sourcetype,_raw The reason for not using IP field in sub search is because your other source types may not have have field IP as I can see you provided only table sourcetype, _raw. The above search will do basic search with just IPs rather than IP and IP_value. we can't group the sourcetype and _raw by IP because IP field could be different in different sourcetypes, if you think IP field is present in all source types, you can add below to the search. | stats values(sourcetype) as sourcetype values(_raw) as _raw by IP   give a thumps up if my answer gives a clue. ... View more

Re: command="predict", Too few data points: 0. Nee...

by in Splunk Search
‎07-19-2020 10:45 PM
‎07-19-2020 10:45 PM
Hello Sautamo, Thanks. My recipient field contains names of recipients. Later I realized I was trying to predict the name of recipients, But according to the algorithm I can predict only the numerical value like count. It worked for me when I have set the predicted value to be count.   ... View more

Auto Learning or Feeding further inputs to ML mode...

by in Splunk Enterprise
‎07-01-2020 01:07 AM
‎07-01-2020 01:07 AM
Hello, I have created a Machine learning job to Detect categorical outliers and saved as an alert. I have scheduled alert for everyday and I am receiving results. I am getting some results which are legitimate or False Positive too. So Is there any way where I can give these results to the Machine learning job I have created for learning . I have tested and it seems it is not auto learning.  Kindly suggest something if you have any ideas. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-22-2022 05:33 AM
Karma from
View All