×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- About SabariRajanT
SabariRajanT
Path Finder
Member since:
07-27-2020
04-11-2023
Community Statistics
| Posts | 39 |
| Solutions | 0 |
| Karma Given | 12 |
| Karma Received | 0 |
| Member Since | 07-27-2020 |
Activity Feed
- Posted How to get Oracle DBSample sourcetype? on Splunk Enterprise. 04-10-2023 09:32 AM
- Posted Re: tstats SPL query need help on Splunk Search. 04-10-2023 07:44 AM
- Posted Help with tstats SPL query on Splunk Search. 04-09-2023 09:06 AM
- Tagged Help with tstats SPL query on Splunk Search. 04-09-2023 09:06 AM
- Posted Re: Regex on Splunk Search. 11-25-2022 02:19 AM
- Karma Re: Regex for isoutamo. 11-25-2022 01:43 AM
- Posted What regex to use to remove \\ form the hostname fields? on Splunk Search. 11-25-2022 12:59 AM
- Tagged What regex to use to remove \\ form the hostname fields? on Splunk Search. 11-25-2022 12:59 AM
- Posted How to write Regex for extracted these fields? on Splunk Cloud Platform. 05-17-2022 06:39 AM
- Tagged How to write Regex for extracted these fields? on Splunk Cloud Platform. 05-17-2022 06:39 AM
- Posted Dashboard Related doubts on Dashboards & Visualizations. 04-27-2022 03:08 AM
- Posted Re: Action Needed for Forwarder Certificate Expiry on Splunk Cloud Platform. 04-25-2022 02:55 AM
- Tagged Re: Action Needed for Forwarder Certificate Expiry on Splunk Cloud Platform. 04-25-2022 02:55 AM
- Tagged Re: Action Needed for Forwarder Certificate Expiry on Splunk Cloud Platform. 04-25-2022 02:55 AM
- Posted Action Needed for Forwarder Certificate Expiry on Splunk Cloud Platform. 04-24-2022 01:19 AM
- Tagged Action Needed for Forwarder Certificate Expiry on Splunk Cloud Platform. 04-24-2022 01:19 AM
- Karma Re: Need Regex to pull all the pid,PPID and MD5 values for venkatasri. 09-08-2021 06:14 AM
- Posted Need Regex to pull all the pid,PPID and MD5 values on Splunk Search. 09-07-2021 01:53 AM
- Posted Re: Need Regex help on Splunk Search. 08-27-2021 10:08 AM
- Posted Re: Need Regex help on Splunk Search. 08-27-2021 09:53 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-10-2023
09:32 AM
Hi Team,
Can I get the sourcetype in splunk for below
DB authentication, authorization, accounting (AAA) logs.
... View more
Labels
- Labels:
-
splunk-assist
04-10-2023
07:44 AM
hi @tscroggins : we don't see all the data being pulled from list123.csv. There is a disperancy in data match from the search index and match with lookup file. Please help with other alternative query. Thanks, Sabari
... View more
04-09-2023
09:06 AM
Hi Team,
In below query I am trying to pull all the host from various index and match those host in a list lookup file(list123) and keep that in a table and retuns values with host fields and their respective field value available in the column "vore_or_yroe" in the list123 file.
I used below query, I can pull only host values in a table but not vore_or_yroe. (vore_or_yroe) it's not returning exact values from the list123 lookup file
| tstats latest(_time) as latest where (index=*_nmap OR index=*_net OR index=*_ds OR index=*_other OR index=*_cld) earliest=-1h by host | search [| inputlookup list123.csv | search vore_or_yroe="*" | search vrit_cpco="try" | rename trit_host AS host | table host vore_or_yroe ] | lookup list123.csv trit_host AS host OUTPUT crit_opco | eval OPCO=upper(vrit_cpco) | table host vore_or_yroe | sort host | outputlookup rtun1_clone.csv
... View more
- Tags:
- tstats
Labels
- Labels:
-
tstats
11-25-2022
12:59 AM
Hi All,
I have a hostname stating \\sent134
I need to remove this \\ using regex and it should be like this: sent134
Actual:
\\sent134
Expected should be:
sent134
===
Please provide regex to remove \\ form the hostname fields.
Thanks
... View more
- Tags:
- regex
Labels
- Labels:
-
regex
05-17-2022
06:39 AM
I need to extract the below field, Required a Regex for the same
1)trc values I need to get regex for "Asva.nsearoon@peypafe.com"
2) tsd values I need to get regex for "flipkart.com"
3)SIP values I need to get regex for "198.161.151.190"
Below the sample logs.
{"etype":"User","eid":"prvs=343333211os.com","ut":"Regular","tsd":"\"flipkart.com\" <Flipkart@youraccount-alerts.com>","sip":"198.161.151.190","srt":"1","trc":"Asva.nsearoon@peypafe.com","
Thanks,
... View more
- Tags:
- regex
Labels
- Labels:
-
development
04-27-2022
03:08 AM
Hi Team, I have a dashboard like below: what happens in my dashboard I have only 2 columns with 6 panels. All those 2 column name are "index" "Current status" like 6 panels I have it. Both 2 columns data is returning are as different but column name are same. Since 2 column name "index" "current status" are returning 6times in 6 different panels in single dashboard. I need to know, how do I make "index" and "Current status" column to be return only 1 time. Please suggest, Below the dashboard sample results:
... View more
Labels
- Labels:
-
development
04-25-2022
02:55 AM
Hi @isoutamo Thanks for your response, I have the updated certificates in handy, Im planning to proceed below way, Kindly assist 1)Installing the forwarder credentials on many forwarders using a deployment server From Splunk Cloud Platform instance, go to Apps > Universal Forwarder. Click Download Universal Forwarder Credentials. Note the location where the credentials file was downloaded. The credentials file is named splunkclouduf.spl. Copy the file to your /tmp folder. (optional) Use file management tools to move the splunkclouduf.spl file to the $SPLUNK_HOME/etc/deployment-apps/ directory on the deployment server. In a shell or command prompt, unpack the credentials package by running the following command: tar xvf splunkclouduf.spl Navigate to the /bin subdirectory of the deployment server. Install the credentials package by running the following command: splunk install app <full path to splunkclouduf.spl> -auth <username>:<password> where <full path to splunkclouduf.spl> is the path to the directory where the splunkclouduf.spl file is located and <username>:<password> are the username and password of an existing admin account on the universal forwarder. Restart the deployment server by running the following command: /splunk restart
... View more
- Tags:
- Splunk admin
- uf
04-24-2022
01:19 AM
Hi Team, My universal forwarder certificate package, will be expiring soon in my splunk cloud environment. As a result, splunk vendor updated forwarder package on stack with updated certificates to be deployed across any forwarders that connect directly to my Splunk instance. My Action: I should download and install the updated Universal Forwarder certificate package on all forwarders prior to the upcoming maintenance window. Can someone elaborate the pre-conditions and further steps to be taken care before my maintenance window. FYI - I have the splunkclouduf.spl package Thanks, Sabari
... View more
- Tags:
- uf
08-27-2021
10:08 AM
Can I have your email Id please @gcusello to send the full logs. Since the file size is huge.
... View more
08-27-2021
09:53 AM
@gcusello The rex which is provided earlier, doesn't working. Thanks
... View more
- Tags:
- rex
08-27-2021
09:31 AM
@gcusello Thanks for your quick response. The rex which you provided it doesn't work for other data which has MD5. one thing I notice in logs before md5 that starts with "","" and end with "","". Using that can you provide rex. "",""md5"":""b147fbdbd44374f73a763531c8d1093d"",""sha1"":null,""
... View more
- Tags:
- regex
08-27-2021
09:05 AM
Hi All, I will be getting a list of MD5 hash values in my logs. Need a regex expression for the below. Therefore whenever am getting md5 hash values. "md5":"b78269ef4034474766cb1351e94edf5c",
... View more
Labels
- Labels:
-
regex
08-27-2021
12:34 AM
How do we retrieve those parsed data, Please suggest.
... View more
- Tags:
- ho
08-26-2021
10:21 AM
Hi Team, Is there any way to decode the logs which is already onboarded into splunk. Do we have any app to decode.? Please suggest @ITWhisperer
... View more
08-03-2021
01:34 AM
Hi Team, I will be getting below text randomly in logs, I need a regex for the 1st IP's separately & 2nd IP's separately . can someone please help to get it. The user Risen Paur (risen.paur@mail.eeir) performed an impossible travel activity. The user was active from 117.202.23.200 in India and 173.205.24.222 in United States within 802 minutes. @gcusello - Looking forward your help.
... View more
- Tags:
- regex
Labels
- Labels:
-
regex
07-01-2021
08:42 AM
Hi All, I have a unique values like below in my splunk dashboard, Email account: Anaoymzer sab@gmail.com No tr@gmail.com Yes rt@mail.com No sab@gmail.com Yes sab@gmail.com Yes sab@gmail.com Yes All the above email account display with mail address list with IP address and ananoymzer as yes and No. we need to pull unique email account column as displayed above and Ananoymzer = yes in past 24 hours. Required SPL Query for this.
... View more
Labels
- Labels:
-
subsearch
06-29-2021
07:13 AM
index=ert "192.34.23.122" earliest=-30d | stats dc(user) as "Distinct users" | where 'Distinct users' < 20 In some condition ip address is not specifically determined, like below index=ert "IPaddress" like this - how do we return the results now?
... View more
- Tags:
- spl query
06-29-2021
01:04 AM
Hi Team, I have a dashboard where existing results showing Event date, Event title, email id, Logon IP, Logon Location, AD Location. The condition here is I need to remove the Logon IP used by more than 20+users from my current dashboard and display only Logon IP used by less than 20+ users EG: index=ert "192.34.23.122" earliest=-30d | stats dc(user) as "Distinct users" Using above query if the logon ip 192.34.23.122 used by more than 20+ users then my dashboard doesn't show up. EG: index=ert "192.34.23.122" earliest=-30d | stats dc(user) as "Distinct users" Using above query if the logon ip 192.34.23.122 used by less than 20+ users then my dashboard should show up. Please suggest suitable SPL query for this.
... View more
- Tags:
- spl query
Labels
- Labels:
-
table
04-29-2021
04:24 AM
Hi @gcusello Let me explain you the scenario in details: when I query below, I get the UPN details with "T" as below. index=xxx | eval UPN=mvindex('userStates{}.userPrincipalName',0) |search UPN = "*T@mail.eeir" |table UPN xxx.mmm@mail.eeir yyy.Mmmm@mail.eeir zzz.rrrr@mail.eeir cccc.eeeeT@mail.eeir If you see above data xxx , yyy, cccT UPN data's coming up. But I need to ignore "T" here and show the rest all UPN data like as below xxx.mmm@mail.eeir yyy.Mmmm@mail.eeir zzz.rrrr@mail.eeir cccc.eeee@mail.eeir For the same am trying to use below query with regex command. But no luck regex is not working. index=graphsecurityalert | eval UPN=mvindex('userStates{}.userPrincipalName',0) |rex!=UPN = "*T@mail.eeir" |table UPN if you provide the following rex will be great - |rex!=UPN = "*T@mail.eeir"
... View more
04-29-2021
02:46 AM
hi @gcusello Yes did that.! But no luck. There are n no of id's with "T" "t". The regex part will help it out as i believe.
... View more
04-29-2021
02:33 AM
@gcusello Thanks for your response.! It doesn't work out well When i use a Not operator like below. The "t" "T" should ignore search NOT (UPN=*t@cloud.eeir)
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-11-2023
09:46 AM
|
Karma given to
