cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
umou7
Explorer
Member since: ‎08-19-2020
‎09-24-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-19-2020
Activity Feed
View All

Re: How to use search and regex command to filter ...

by in Splunk Search
‎09-24-2020 12:06 AM
‎09-24-2020 12:06 AM
@bowesmana  Thank you very much for your reply.  This is exactly the result what I want.  I accept your reply as the solution.  ^_~   ... View more

How to use search and regex command to filter even...

by in Splunk Search
‎09-23-2020 07:45 PM
‎09-23-2020 07:45 PM
The events have fields like below: description, code AAxxxxx, 200 AAxxxx,301 AAxxxx,401 BBxxxx,200 BBxxxx,303 AAxxx, 502   I want to filer(do not display) events wih below conditon:    keyword "AA" is in 'description'  with code=[345]\d{2} I tried below SPL but not working as I expected. base search | NOT (search description="*AA*" AND regex code="[345]\d{2}") Could you guys provide me some suggestions?       ... View more
Labels

Re: How to detect a newly sessionid with SPL and a...

by in Splunk Search
‎08-23-2020 05:22 PM
‎08-23-2020 05:22 PM
Thank so much @Nisha18789 , This is what I wanted and it works well as expected. I will populated the sessionids to a KV store lookup as you suggested.   Regards, Mou   ... View more

Re: How to detect a newly sessionid with SPL and a...

by in Splunk Search
‎08-20-2020 05:26 PM
‎08-20-2020 05:26 PM
Thank you very much @Nisha18789  . I am also considering of using a lookup table. But I am worry about that the lookuptable will become larger and larger so that it will give an impact on performance. Could you give me some advice on this? It would be appreciated if you could give me an example of the query with bellow approaches you mentioned. Did you mean that put step 1)  in a scheduled search, and put step 2) only in the alert logic ?         ... View more

How to detect a newly sessionid with SPL and alert...

by in Splunk Search
‎08-19-2020 10:22 PM
‎08-19-2020 10:22 PM
I want to do a security log monitoring and using splunk alert feature to send email notifications.   The security log and trigger condition is like this:   _time, SessionID,  filedA, fieldB yyyymmdd,11111, xxxx,yyyyy yyyymmdd,11111,bbbb,ccccc yyyymmdd,22222,bbbb,ccccc ........   as this is a syslog monitoring task ,  I want to trigger an alert whenever a newly SessionID is detected. It means the same SessionIDwill not be notified twice.   My SPL will be like below: ....| stats count by SessionID   Regarding to the alert configuration, which condition should I use? Or is it possible to do this mostly in the base SPL?   Regards,     ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-24-2020 06:44 AM