Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About epw0rrell
epw0rrell
Path Finder
Member since:
09-24-2020
03-30-2025
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 7 |
| Karma Received | 0 |
| Member Since | 09-24-2020 |
Activity Feed
- Karma Re: Table results that do not match a value within a lookup file for livehybrid. 03-28-2025 06:47 AM
- Posted Table results that do not match a value within a lookup file on Splunk Dev. 03-28-2025 06:10 AM
- Posted Join matching field of a Sub-Search on Splunk Search. 09-14-2021 01:13 PM
- Posted Re: Only Listing Transactions with Multiple Events on Splunk Search. 03-19-2021 08:15 AM
- Karma Re: Only Listing Transactions with Multiple Events for bowesmana. 03-19-2021 08:14 AM
- Karma Re: Only Listing Transactions with Multiple Events for bowesmana. 03-18-2021 02:04 PM
- Posted Re: Only Listing Transactions with Multiple Events on Splunk Search. 03-18-2021 02:03 PM
- Posted Only Listing Transactions with Multiple Events on Splunk Search. 03-18-2021 01:27 PM
- Posted Re: How to table results only if field value within indexA is contained within field of indexB on Splunk Search. 01-21-2021 12:35 PM
- Karma Re: How to table results only if field value within indexA is contained within field of indexB for to4kawa. 01-21-2021 12:26 PM
- Posted How to table results only if field value within indexA is contained within field of indexB on Splunk Search. 01-15-2021 12:15 PM
- Posted Re: How to output from lookup table if a field value is included anywhere within table field on Splunk Search. 12-10-2020 11:21 AM
- Posted Re: How to output from lookup table if a field value is included anywhere within table field on Splunk Search. 12-10-2020 10:58 AM
- Posted How to output from lookup table if a field value is included anywhere within table field on Splunk Search. 12-10-2020 10:02 AM
- Posted Re: Assigning a field value to "Earliest" "Latest" time modifiers on Splunk Search. 09-25-2020 11:51 AM
- Karma Re: Assigning a field value to "Earliest" "Latest" time modifiers for ITWhisperer. 09-25-2020 11:49 AM
- Posted Re: Assigning a field value to "Earliest" "Latest" time modifiers on Splunk Search. 09-25-2020 08:23 AM
- Karma Re: Assigning a field value to "Earliest" "Latest" time modifiers for ITWhisperer. 09-25-2020 08:22 AM
- Posted Assigning a field value to "Earliest" "Latest" time modifiers on Splunk Search. 09-24-2020 08:36 AM
- Tagged Assigning a field value to "Earliest" "Latest" time modifiers on Splunk Search. 09-24-2020 08:36 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-28-2025
06:10 AM
Hello, I have a lookup table with fields user and src. I want to table results [user src] where the src within my search != the src listed within the lookup table. So first I need to search for matching user rows, then I need to compare the src of the search with the src value in the lookup file. If the src is different, I want to table the new src value from the search. Can someone help me with this? Thanks so very much.
... View more
09-14-2021
01:13 PM
Hello, I currently have a search over index_A that runs a sub-search from index_B looking to match a field (field_B) from index_B to any log within index_A. The search works great but the only frustration is not knowing what field value that field_B held as all of the tabled results come from index_A. Is there a way I can join that matched field_B to the results at the end of the search? Here is my current search and thanks for anyone that has the time to help me with this! index=index_A [search index=index_B | fields field_B | rename field_B as query]
| table field_A field_A1 field_A2 field_A3
... View more
03-19-2021
08:15 AM
Work perfect thanks!!
... View more
03-18-2021
02:03 PM
Thanks, that is definitely the answer to that question but now looking at the results, I see that I need to be more specific and only display transactions where a certain field has more than one "event" value if that makes sense? Thanks for your help and is there a way I can do this?
... View more
03-18-2021
01:27 PM
I am interested in only listing transactions of a given source entity that contain multiple events. Is there a quick and easy way to do this? index=main | transaction src_entity startswith=at least one thing endswith=another thing | table src dst etc.
... View more
Labels
- Labels:
-
transaction
01-21-2021
12:35 PM
Thanks that worked great. If I could ask a follow on to this, would there be a way to include the query string that hit on the sessions displayed? I output the results to a lookup file thinking I could append the "query" column to the results (query shown below) but that just added all the domains used in the query to the lookup file. | inputlookup emailHITS.csv | appendcols [search index=security | fields domain | rename domain as query] | table _time query subject url fromEmail fromIP fromMX
... View more
01-15-2021
12:15 PM
I have email logs within index=Email and suspicious domain connections within index=Security. The field name within Security = domain (values look like "website.com") The field of interest in Email = URL (values look like https://www.corp.website.com/page1/page2/etc:443) I need to search index=Email and do a sub-search within index=Security and only return results if domain is contained within URL. I tried things like: index=Email [search index=Security | where like(URL, "%"."domain"."%")] Anyone that can help me you will make my week! Thanks for your time.
... View more
Labels
- Labels:
-
eval
-
fields
-
join
-
subsearch
-
transaction
12-10-2020
11:21 AM
Unfortunately there is only a URL field within the logs. Unless I can use a clever field extraction on the URL, I would need to go about it from this direction.
... View more
12-10-2020
10:58 AM
I have one index of alerts containing a field named "alertDomain" with values like "domain.com." I have a lookup table with urls sent within emails with values like http://www.domain.com/otherplaces I would like to run a search like this: index=alerts | lookup emailURLs.csv emailURL as alertDomain OUTPUT emailURL as phishingURL | table phishingURL but I know this won't work because the fields will not match. I need to OUTPUT the emailURL if it simply contains the value within alertDomain. Is this a bit better?
... View more
12-10-2020
10:02 AM
I know how to use eval and if statements to pull fields that contain a %.value.% but how can I use this when running a search | lookup and output fields that contain a value of a field within the search? Let me know if you need an example search or more context. Thanks to anyone that can help me with this.
... View more
09-25-2020
11:51 AM
ITWhisperer, You are the best! It now works perfectly and I wish I could show you. Thank you so very much!!
... View more
09-25-2020
08:23 AM
Thanks for your quick feedback. I placed the code within the first dashboard and it seems to not break anything. However, I am getting an error "waiting for input within dashboard 2. Where exactly would the "tok_start" and "tok_end" go within the dashboard. I tried applying them to: <earliest>$tok_start.earliest$</earliest> <latest>$tok_end.latest$</latest> I also tried applying them to the fieldset portion of the Dashboard but it did not work then either.
... View more
09-24-2020
08:36 AM
Hello, I am interested in making the results of one index search (in particular the values of fields early and late) used in a different index search as values assigned to earliest latest. index="a" <find a specific event> | eval timeTOsecs=strftime(_time, "%s") | eval early_time= timeTOsecs-300 | eval late_time= timeTOsecs+300 | eval early=strftime(early_time, "%m/%d/%Y:%H:%M:%S") | eval late=strftime(late_time, "%m/%d/%Y:%H:%M:%S") My next search would search for all events using the early and late values of the previous search and assign them to earliest latest. index="b" earliest=early latest=late Everything I have tried up to this point seems to point to "earliest" and "latest" modifiers will not allow you to assign a field value to them. Essentially I want to perform the function that Splunk automates through its UI when it lets the user run a search on events before and after a given time. Thanks for anyone that can help me and let me know if I can be clearer in explaining because sometimes it is hard to understand other people's context.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-30-2025
03:43 PM
|
