Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Fe-atSplunk
Fe-atSplunk
Explorer
Member since:
08-26-2021
03-20-2022
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 08-26-2021 |
Activity Feed
- Posted Re: Field value changes for two environments on Splunk Search. 03-14-2022 02:48 AM
- Posted Re: Event is 2 years delayed on Splunk Search. 03-09-2022 09:05 AM
- Karma Re: Event is 2 years delayed for somesoni2. 03-09-2022 09:05 AM
- Tagged Re: Event is 2 years delayed on Splunk Search. 03-09-2022 09:05 AM
- Tagged Re: Event is 2 years delayed on Splunk Search. 03-09-2022 09:05 AM
- Karma Re: Field value changes for two environments for somesoni2. 03-09-2022 08:40 AM
- Posted Re: Event is 2 years delayed on Splunk Search. 03-09-2022 08:27 AM
- Posted Re: Field value changes for two environments on Splunk Search. 03-09-2022 08:09 AM
- Posted Re: Field value changes for two environments on Splunk Search. 03-09-2022 08:01 AM
- Posted Re: Field value changes for two environments on Splunk Search. 03-09-2022 07:20 AM
- Posted Why does my Event show as 2 years delayed? on Splunk Search. 03-09-2022 01:32 AM
- Posted How to find field value changes for two environments? on Splunk Search. 03-09-2022 12:44 AM
- Posted Field value in Notes section when creating an alert on Alerting. 09-28-2021 10:28 AM
- Tagged Field value in Notes section when creating an alert on Alerting. 09-28-2021 10:28 AM
- Posted Re: Windows EventLogs: 3 failed logins from 3 different users from same host on Splunk Search. 09-06-2021 11:52 AM
- Karma Re: Windows EventLogs: 3 failed logins from 3 different users from same host for PickleRick. 09-06-2021 11:50 AM
- Posted Windows EventLogs: 3 failed logins from 3 different users from same host on Splunk Search. 08-26-2021 04:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-14-2022
02:48 AM
Sorry that still doesn't work. At the moment the last two logs are both Prod and Stats show one event so it would still trigger an alert even though the value hasn't changed. Any ideas?
... View more
03-09-2022
09:05 AM
-2Y instead of -1h FYI to anybody else, other than that it worked! The timestamp is now showing up correctly. Thank you so much!!
... View more
03-09-2022
08:27 AM
I'm trying something simple, so to calculate the lag and add that to the one in the timestamp | eval time=strftime(_time, "%d/%m/%Y %H:%M") | eval DatabaseEventDateNew=strftime(DatabaseEventDate, "%d/%m/%Y %H:%M") doesn't work to start with. I'm happy with an eval command that works
... View more
03-09-2022
08:09 AM
That's a good point, the alerts is looking back at the last one hour so it doesn't have anything to compare to. I'll try it with 2 hours. The problem is it takes 2 hours to wait for results
... View more
03-09-2022
08:01 AM
For better visibility I'm showing in Statistics what was sent last (as we get those alerts once an hour). Looking back further I get lost of Events. As seen here there are two events per hour, one PROD, one INT but nothing changes from the last entry
... View more
03-09-2022
07:20 AM
Hi, Thanks for your response but it doesn't do anything. The previous event is PROD and the next one is INT, it still creates an incident event though the value of INT is what it always is.
... View more
03-09-2022
01:32 AM
I am looking for “failed login for ADMIN detected” but because the time in Time is two years late it doesn’t alert.
My log sample is:
I also have _time 2020-02-23T23:02:20.000+01:00
My search so far is:
index=abc sourcetype=def "Failed login for ADMIN detected"
| rex field=_raw "(?ms)(?=[^c]*(?:cs2=|c.*cs2=))^(?:[^=\\n]*=){5}(?P<DatabaseEventDate>[^ ]+)"
| stats count by duser cs1 cs2 DatabaseEventDate
This gives me a new field with the correct time:
DatabaseEventDate
23.02.2022,13:11:39
How can I correct the timestamp without changing the props file (since the basics of the search works for another use case)?
Please help!! Thanks in advance
... View more
03-09-2022
12:44 AM
There are two environments, INT and PROD. The value of IREFFECTIVEDATE in INT is always the same, as is PROD, however they have different values. I want to know when the value of IREFFECTIVEDATE in its environment changes. Here is a log sample:
2022-03-04 14:13:00.006, IREFFECTIVEDATE="2016-07-01 00:00:00.0", IRLOANRATE="5"
So far my search is this:
index= xy sourcetype=xy
| eval env = if(host=="prod1", "PROD", "INT")
| table IREFFECTIVEDATE IRLOANRATE env
| head 1
| eval single_value="IREFFECTIVEDATE : ".IREFFECTIVEDATE." | IRLOANRATE : ".IRLOANRATE." | Environment : ".env"
| fields single_value
| sort 0 _time
| streamstats current=f last(IREFFECTIVEDATE) as priorDate last(_time) as priorTime by env
| where NOT (IREFFECTIVEDATE=priorDate)
| mvcombine single_value delim="
"
| nomv single_value
Streamstats recognizes the changing value but it needs to be split by env.
Any ideas please?
... View more
09-28-2021
10:28 AM
When I create an ITSM alert and use $result.Activity$ the correct value for the "Activity" field appears in ITSM. How do I represent a field called "Start Time UTC{}"?
... View more
- Tags:
- ITSM
Labels
- Labels:
-
alert action
09-06-2021
11:52 AM
It was the dc I was missing, so thanks for your response!
... View more
08-26-2021
04:50 AM
Using Windows EventCodes I want to find 3 or more users failing to log in. So far my syntax is | stats values(user) as user count by host which looks good. Now I only want to see > 2 users from the same host. | where count > 2 counts the total, not the different values in the "user" field.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-20-2022
02:37 PM
|
