cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ToniHuynh
Explorer
Member since: ‎07-02-2020
‎09-02-2020
Community Statistics
Posts 8
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-02-2020
Activity Feed
View All

Re: search does not match token which contains fil...

by in Splunk Search
‎09-01-2020 05:03 PM
‎09-01-2020 05:03 PM
Thanks @richgalloway but like function still does not work for me. | where like(Object_Name,ObjectName) ... View more

Search returns no result when including a ()

by in Splunk Search
‎09-01-2020 04:58 PM
‎09-01-2020 04:58 PM
Hi everyone, I have trouble to decode the token which contains some special character such as (). Below is my search and it does not return any result because the ObjectName contains the () in it:     index=wineventlog EventCode=4660 OR EventCode=4663 Account_Name!="ANONYMOUS LOGON" host="myServer" Account_Name!="*$" | eval ObjectName=urldecode("D:\Company Data\Employee\contract\Michael (Tim)\Induction\Example (D) - .msg") | eval ObjectName=replace(ObjectName,"\\\\","\\\\\\") | where match(Object_Name,ObjectName) | dedup _time host Account_Name Account_Domain Object_Name Accesses EventCodeDescription | timechart span=60m count(Object_Name) as Changes by Account_Name     If the ObjectName does not contain () then it will work well. Could anyone help me decode it? Thanks, Toni   ... View more
Labels

Search with special characters

by in Dashboards & Visualizations
‎09-01-2020 04:56 PM
‎09-01-2020 04:56 PM
Hi everyone, I have trouble to decode the token which contains some special character such as (). Below is my search and it does not return any result because the ObjectName contains the () in it:   index=wineventlog EventCode=4660 OR EventCode=4663 Account_Name!="ANONYMOUS LOGON" host="myServer" Account_Name!="*$" | eval ObjectName=urldecode("D:\Company Data\Employee\contract\Michael (Tim)\Induction\Example (D) - .msg") | eval ObjectName=replace(ObjectName,"\\\\","\\\\\\") | where match(Object_Name,ObjectName) | dedup _time host Account_Name Account_Domain Object_Name Accesses EventCodeDescription | timechart span=60m count(Object_Name) as Changes by Account_Name   If the ObjectName does not contain () then it will work well. Could anyone help me decode it? Thanks, Toni   ... View more
Labels

search does not match token which contains file pa...

by in Splunk Search
‎08-17-2020 10:39 PM
‎08-17-2020 10:39 PM
Hi Everyone, I passed a token which contain a file path with some special character into a search but it does not show any result:   index=wineventlog EventCode=4660 OR EventCode=4663 Account_Name!="ANONYMOUS LOGON" host="MELFP" Account_Name!="*$" | eval ObjectName=urldecode("D:\Company Data\HR\Payroll\HR$ (MELFP02) (P) - Shortcut.lnk") | eval ObjectName=replace(ObjectName,"\\\\","\\\\\\") | where match(Object_Name,ObjectName) | table _time host Account_Name Account_Domain Object_Name Accesses EventCodeDescription | sort _time desc     However, If I compare directly as below then it would show result.   |search Object_Name="D:\\Company Data\\HR\Payroll\\HR$ (MELFP02) (P) - Shortcut.lnk"     Not sure why because if I shows the ObjectName, it is decoded correctly as below "D:\\Company Data\\HR\Payroll\\HR$ (MELFP02) (P) - Shortcut.lnk"   ... View more
Labels

Re: Search run to nothing when I passed a variable...

by in Dashboards & Visualizations
‎07-26-2020 11:40 PM
‎07-26-2020 11:40 PM
Thanks for your response but both of your suggestions do not work. Actually, I would like to decode the FilePath with sent from the main dashboard to the drilldown dashboard. The urldecode shows correct path and I put       | eval FileName=replace(ObjectName,"\\\\","\\\\\\")   to change it to "C:\\Finance\\Salary" but don't know why there is no matched to that. However, if I put direct |search Object_Name="C:\\Finance\\Salary" then it shows matched results. ... View more

Search run to nothing when I passed a variable con...

by in Dashboards & Visualizations
‎07-26-2020 08:16 PM
‎07-26-2020 08:16 PM
Hi everyone, I am trying to search for a file path (e.g. C:\Finance\Salary) but the result return none. It works if I type directly C:\\Finance\\Salary but it does not work if I passed it to a variable. Although the variable shows correct value.     index=wineventlog EventCode=4660 OR EventCode=4663 Account_Name!="ANONYMOUS LOGON" host="PTL*" Account_Name!="*$" | eval FilePath=urldecode("C%3A%5CFinance%5CSalary") | eval FilePath=replace(ObjectName,"\\\\","\\\\\\") | search Object_Name=FilePath | dedup _time host Account_Name Account_Domain Object_Name Accesses EventCodeDescription | table _time host Account_Name Account_Domain Object_Name FilePath Accesses EventCodeDescription | sort _time desc     The below search will show result if I replace:      |eval Object_Name="C:\\Finance\\Salary"         ... View more
Labels

Re: Extract field from a new line

by in Splunk Search
‎07-02-2020 11:10 PM
‎07-02-2020 11:10 PM
Thanks so much.    ... View more

Extract field from a new line

by in Splunk Search
‎07-02-2020 07:54 PM
‎07-02-2020 07:54 PM
Hi all, I would like to extract the IP of the client: from the below Message. Message=Internal event: A client issued a search operation with the following options. Client: 172.25.1.250:6247 Starting node: DC=abc,DC=contoso,DC=com,DC=au Filter: ( & ( ! (uSNChanged=*) ) ( & ( | (mail=*) (proxyAddresses=*) ) ( | (objectClass=contact) (objectClass=publicFolder) (objectClass=group) (objectClass=person) (objectClass=organizationalPerson) (objectClass=user) (FALSE) ) ) ) Search scope: subtree Attribute selection: sAMAccountName,mail,proxyAddresses,objectClass,uSNChanged I can make it works on regex101 but splunk does not show anything. | rex field=Message max_match=0 "Client:(?<Client>\n.*)"       ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-02-2020 12:08 AM