Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Daniel_Pham
Daniel_Pham
Explorer
Member since:
05-25-2021
06-05-2021
Community Statistics
| Posts | 8 |
| Solutions | 1 |
| Karma Given | 4 |
| Karma Received | 0 |
| Member Since | 05-25-2021 |
Activity Feed
- Posted Re: Is there a way to deduplicate event in summary index on Splunk Search. 05-27-2021 12:38 AM
- Tagged Is there a way to deduplicate event in summary index on Splunk Search. 05-26-2021 10:07 PM
- Tagged Is there a way to deduplicate event in summary index on Splunk Search. 05-26-2021 10:06 PM
- Posted Is there a way to deduplicate event in summary index on Splunk Search. 05-26-2021 06:34 PM
- Karma Re: Design a search for find list intersection of kvstore and inndex and put them to summary index for richgalloway. 05-26-2021 04:27 PM
- Posted Re: Design a search for find list intersection of kvstore and inndex and put them to summary index on Splunk Search. 05-26-2021 09:02 AM
- Karma Re: Design a search for find list intersection of kvstore and inndex and put them to summary index for richgalloway. 05-26-2021 07:19 AM
- Posted Re: Design a search for find list intersection of kvstore and inndex and put them to summary index on Splunk Search. 05-26-2021 07:16 AM
- Posted Re: Design a search for find list intersection of kvstore and inndex and put them to summary index on Splunk Search. 05-26-2021 07:04 AM
- Posted Re: Design a search for find list intersection of kvstore and inndex and put them to summary index on Splunk Search. 05-26-2021 06:39 AM
- Karma Re: Design a search for find list intersection of kvstore and inndex and put them to summary index for richgalloway. 05-26-2021 06:36 AM
- Tagged Design a search for find list intersection of kvstore and inndex and put them to summary index on Splunk Search. 05-26-2021 03:49 AM
- Posted Design a search for find list intersection of kvstore and inndex and put them to summary index on Splunk Search. 05-26-2021 03:48 AM
Topics I've Started
05-27-2021
12:38 AM
Your search works, but my expected results are events from lookup not main index This is my lookup data asn,classification,confidence,country,date_first,date_last,detail,id,itype,lat,lon,maltype,org,resource_uri,severity,source,actor,tipreport,type,srcip,domain,md5,email,url And all event data contains a ip field and not the same name. The schedule must be All day, because any incoming event log from main index can be in lookup, and vice versa
... View more
05-26-2021
06:34 PM
I created a report for finding list intersection of two set A: inputlookup spam_ip (Indicator of compromise) B: index=main (event log) | inputlookup spam_ip | join srcip [ search index=main | rename ip as srcip | fields srcip ] | summaryindex spool=t uselb=t addtime=t index="threat_summary" file="RMD55f183b338b214f84_487362985.stash_new" name="matches test" marker="" and Time range : All day (because event in two sets grow daily,) after the report runs, it adds result into summary index. The problem is the result contains all event added before
... View more
- Tags:
- search
- summary index
Labels
- Labels:
-
search job inspector
05-26-2021
09:02 AM
i got it with this | inputlookup spam_ip | join srcip [ search index=main | rename ip as srcip | fields srcip ] thank you for your time
... View more
05-26-2021
07:16 AM
when i tried this | inputlookup ts_lookup_destip [index=main | rename ip as srcip | fields srcip | format] i get Unknown search command 'index'.
... View more
05-26-2021
07:04 AM
it works but when i tried this | inputlookup ts_lookup_destip (index=main | rename ip as srcip | fields srcip | format) i get an error The result i want is which indicator of compromise (include all fields) is used to detect
... View more
05-26-2021
06:39 AM
it works, thank you !!
... View more
05-26-2021
03:48 AM
I'm new to Splunk And I'm trying to build summary index i have KVStore and index A: inputlookup spam_ip (which is Indicator of compromise) B: index=main (which is event log) Both indexes have a field that has the same data: eg: A has a field (spam_ip), B has a field (source_ip) And populate all record in set A that the record have data field contain in set B into summary index
... View more
- Tags:
- kvstore
Labels
- Labels:
-
lookup
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2021
06:03 AM
|
