Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About ekmek4
ekmek4
Explorer
Member since:
09-27-2021
03-11-2025
Community Statistics
| Posts | 8 |
| Solutions | 2 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 09-27-2021 |
Activity Feed
- Posted Re: Help with search query using multiple tokens and filters on Splunk Search. 03-11-2025 10:33 AM
- Posted Re: Help with search query using multiple tokens and filters on Splunk Search. 03-10-2025 01:33 PM
- Posted Re: Help with search query using multiple tokens and filters on Splunk Search. 03-10-2025 10:22 AM
- Posted Help with search query using multiple tokens and filters on Splunk Search. 03-07-2025 12:37 PM
- Tagged Help with search query using multiple tokens and filters on Splunk Search. 03-07-2025 12:37 PM
- Tagged Help with search query using multiple tokens and filters on Splunk Search. 03-07-2025 12:37 PM
- Tagged Help with search query using multiple tokens and filters on Splunk Search. 03-07-2025 12:37 PM
- Posted Re: Not able to parse json with spath ,something wrong but not json on Getting Data In. 02-26-2025 03:07 AM
- Posted Re: Not able to parse json with spath ,something wrong but not json on Getting Data In. 02-25-2025 12:44 PM
- Karma Re: Not able to parse json with spath ,something wrong but not json for ITWhisperer. 02-25-2025 12:23 PM
- Posted Re: Not able to parse json with spath ,something wrong but not json on Getting Data In. 02-25-2025 10:33 AM
- Posted Not able to parse json with spath ,something wrong but not json on Getting Data In. 02-25-2025 09:28 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
03-11-2025
10:33 AM
I found a right way, but i dont know how to reset search for another try. index=sysmon_wec AND (EventCode=22 OR event_id=22)
| makemv tokenizer="([^\r\n]+)(\r\n)?" User
| mvexpand User
| where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE")
| eval proc_filter=if(len("$procname$") > 0 , 1, 0)
| eval user_filter=if(len("$user$") > 5, 1, 0)
| where (proc_filter=1 AND process_name="$procname$" AND user_filter=0) OR (proc_filter=1 AND process_name="$procname$" AND User="$user$")
| head 100
| table process_name, User, ComputerName, QueryName, QueryResults
... View more
03-10-2025
01:33 PM
I decided to use 2 tokens instead of 3. But how to use token2 (from users dropdown) only if it was chosen? index=sysmon_wec AND (EventCode=22 OR event_id=22) AND process_name="$procname$"
| makemv tokenizer="([^\r\n]+)(\r\n)?" User
| mvexpand User
| where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE")
| head 100
| table process_name, User, ComputerName, QueryName, QueryResults But add something like this on splunk language : | if isnotnull(User) then User="$user$"
... View more
03-10-2025
10:22 AM
This looks as working example, but for some reason it doesn't work No search when textbox changed or dropdown. Filtering only if im choosing User from dropdown
... View more
03-07-2025
12:37 PM
HI, im trying to create filter for network connections. But i cannot make work few tokens in the same time. I want to create OR expression. In my head its like this: 1. search should work for if i put process_name in textfield 2. If process_name select from dropdown along with textfield - search for both processes. (process_name IN ("$token1$","$token2$")) 3. If First two are not chosen, but User from User dropdown selected => Filter by User. 4. If one or two process_name tokens used and User selected - filter by chosen proces_names and then by user. I have $procname2$ token for text field and $procname2$ for dropdown of processes. Both process_name tokens work if dropdown is selected, then search will use both dropdown token and text token. User token doesn't work at all Query for search: index=sysmon_wec AND (EventCode=22 OR event_id=22) AND ((process_name IN ("$procname$", "$procname2$") OR User IN ("$user$")) )| makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User |where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") |dedup process_name|head 100| table process_name,User,ComputerName,QueryName,QueryResults Here is a full code of my dashboard <form version="1.1" theme="light">
<label>Find Network connections(DNS)</label>
<fieldset submitButton="false">
<input type="text" token="procname2">
<label>Enter procname:eg.opera.exe</label>
<default></default>
</input>
<input type="dropdown" token="procname" searchWhenChanged="true">
<label>Procname</label>
<fieldForLabel>process_name</fieldForLabel>
<fieldForValue>process_name</fieldForValue>
<search>
<query>index=sysmon_wec AND (EventCode=22 OR event_id=22) |dedup process_name|head 1000|table process_name</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="dropdown" token="User" searchWhenChanged="true">
<label>User</label>
<fieldForLabel>User</fieldForLabel>
<fieldForValue>User</fieldForValue>
<search>
<query>index=sysmon_wec AND (EventCode=22 OR event_id=22) | makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User |where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") |dedup User|head 1000|table User</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<title>process_name</title>
<search>
<query>index=sysmon_wec AND (EventCode=22 OR event_id=22) AND ((process_name IN ("$procname$", "$procname2$") OR User IN ("$user$")) )| makemv tokenizer="([^\r\n]+)(\r\n)?" User | mvexpand User |where NOT (User="SYSTEM" OR User="NT AUTHORITY\SYSTEM" OR User="NT AUTHORITY\NETWORK SERVICE" OR User="NT AUTHORITY\LOCAL SERVICE") |dedup process_name|head 100| table process_name,User,ComputerName,QueryName,QueryResults</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
... View more
02-26-2025
03:07 AM
| spath path=properties | mvexpand properties | spath input=properties this works fine for me. Thank you!!
... View more
02-25-2025
12:44 PM
index=ep_log event=created | spath path=properties | mvexpand properties | spath input=properties This query automatically expand fields with every attribute key.
... View more
02-25-2025
10:33 AM
Now i have a new field "attributes" attributes: {"email": "gacilia@gmail.com", "clients": {"ERP Frontend": "GEgzvJrIJxxHNS9FVdSvUej5wyrBgd2sSHH7RLuE", "Frontend CRM": "ILrkYrSCSsKgdgxBRv0COxKLaOzKufXogzWEAoh8"}, "is_active": false, "last_name": "Gac", "legacy_id": "66f510fea8f5e1ff130f5fa0", "first_name": "Ilia", "start_date": null, "is_team_supervisor": true, "two_factor_auth_enabled": false}
... View more
02-25-2025
09:28 AM
Hi, I need to ingest some logs into splunk, so file&dirs data input its my choice. Also new index was created , _json as sourcetype. Now im trying to use spath in search to parse JSON data with multifields and no luck yet. Just checked my json file - valid json. Here we have some parsed json, but i want to get email, first_name,last_name from properties.attributes to be able parse or filter by any of this fields in future Appreciate any help. Small source file: https://paste2.org/OsEXkgbJ Here is what i tried : index=ep_log event=created | spath properties.attributes index=erp_log event=created | spath properties and so on
... View more
Labels
- Labels:
-
JSON
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-11-2025
06:59 PM
|
