Hi, I am facing issues to find delta. I have: Lookup Table: testpolicies.csv Field names in Lookup: policyname index=test sourcetype =test_sourcetype policy=* Field names :  policy Now, need to compare Lookup table with  sourcetype using policy field and find all the records/rows which are not exist in Lookup table but in sourcetype. This comparison is based on policy field Any recommendations will be highly appreciated. Thank you so much. ... View more

Hi, I have list of domains in a lookup and I need to exclude it from my query   | tstats summariesonly=true allow_old_summaries=false dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" by "DNS.src","DNS.query" index sourcetype | rename "DNS.src" as src "DNS.query" as message index as orig_index sourcetype as orig_sourcetype | eval length=len(message) | stats sum(length) as length by src message orig_index orig_sourcetype | append [ tstats summariesonly=true allow_old_summaries=false dc("DNS.answer") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" by "DNS.src","DNS.answer" index sourcetype | rename "DNS.src" as src "DNS.answer" as message index as orig_index sourcetype as orig_sourcetype | eval message=if(message=="unknown","", message) | eval length=len(message) | stats sum(length) as length by src message orig_index orig_sourcetype] | dedup src | stats sum(length) as length by message src orig_index orig_sourcetype   Now I have to exclude the domains lookup from both my tstats.. I tried this but not seeing any results.. First part works fine but not the second one..    | tstats summariesonly=true allow_old_summaries=false dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT [| inputlookup domainslist | fields domains | rename domains as DNS.query | format] by "DNS.src","DNS.query" index sourcetype | rename "DNS.src" as src "DNS.query" as message index as orig_index sourcetype as orig_sourcetype | eval length=len(message) | stats sum(length) as length by src message orig_index orig_sourcetype | append [ tstats summariesonly=true allow_old_summaries=false dc("DNS.answer") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT [| inputlookup domainslist | fields domains | rename domains as DNS.answer | format] by "DNS.src","DNS.answer" index sourcetype | rename "DNS.src" as src "DNS.answer" as message index as orig_index sourcetype as orig_sourcetype | eval message=if(message=="unknown","", message) | eval length=len(message) | stats sum(length) as length by src message orig_index orig_sourcetype] | dedup src | stats sum(length) as length by message src orig_index orig_sourcetype   Any suggestions would be appreciated.. thanks! ... View more

Hi, I have two searches,.. First search which will run once per day lookback -24h@h , latest=now cron: 5 4 * * * and writes the results to summary index.  my base search ... ... | collect index=summary source="base generator" Second search will also run once per day lookback -24h@h and latest=now cron: 5 6 * * * my base search |join type=left field1 field 2 [ search index=summary source="*base generator*"..... ] Now I have the results as expected something line this Field1                 field2                     _time UserA                 list of names       30/5/2023 9:30 UserA                 list of names       30/5/2023 9:40 (both field1 and field2 are same as in first row but different time values) In this case, I need a consolidated event count ... Say for above scenario, my count of events should be 2 based on the field1 and field2 irrespective of the _time field.. I tried, but no luck.. any help would be much appreciated.. thanks in advance! ... View more

Hi, My datasets are much larger but these represent the crux of my hurdle...     Sourcetype= transaction fields= transaction_id, user, sourcetype= connection fields=x_transaction_id, user, action     Now I need to build a SPL which detects huge data sent to ext.domains in single event, for which I have all the required details in transaction sourcetype itself, but the allowed or block action is not there, those are specified under connection sourcetype.. Just need to merge the action details to the transaction sourcetype Tried with join, results are inappropriate.  Can this be done more efficiently with stats? ... View more

I have a list of hosts in the lookup table. These values aren't static and gets updated dynamically every three months. Is it possible to update the lookup dynamically in the below mentioned two ways, without updating the values manually. 1. Old values needs to be replaced by new values 2. New values should be appended to the old values in the table Thanks! ... View more

I need to exclude the field values if it is less than or equal to 8 characters. For eg: In the field abc, I have the below values in which I need to exclude only (browsers, files, members) 'coz these has equal to or less than 8 characters. And I need to have the other values abc: browsers files attachment members auto-saved splunk-answers discussions Can someone help me on this, please? ... View more

Hi, I need to extract host values from one index (index=1) and see if there are similar matches that exists in other indexes (index=2 and index=3). Below are the details: Index=1 hosta=* hostb=* hostc=* index=2 hostx=* index=3 hostx=* Can someone please help me with an SPL to find this? ... View more

I have 3 indexes containing events with IP addresses, index1, index2, and index3. My goal is to return a list of all IP addresses that are present in index1 and see if those had matches with  IP's in index 2 and index 3 3 different indexes with 3 different IP field names: index1 , src_ip index2, ipaddr index3, ip Any help would be appreciated, thank you. ... View more

I want to limit the search that matches the "dest" values which are a part of lookup Currently I am getting all events 😐 Lookup: host.csv  lookup columns: aa bb I tried something like below:    |tstats summariesonly=f count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (condition)[|inputlookup host.csv |fields + aa |rename aa as Processes.dest] by Processes.dest     Any help would be appreciated! Thanks ... View more

Hello, Can someone please help me with a query to find who deleted the files of users (user=x, y, z) from a folder.  index=* sourcetype=* folder_name=*abc*  Thankyou ... View more