Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Jackiifilwhh
Jackiifilwhh
Path Finder
Member since:
10-09-2021
01-09-2023
Community Statistics
| Posts | 30 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 1 |
| Member Since | 10-09-2021 |
Activity Feed
- Posted Re: How can I get the last index of my target value for a multi-value field ? on Splunk Search. 01-09-2023 04:25 AM
- Posted Re: How can I get the last index of my target value for a multi-value field ? on Splunk Search. 01-09-2023 04:17 AM
- Posted Re: How can I get the last index of my target value for a multi-value field ? on Splunk Search. 01-04-2023 08:33 AM
- Posted Re: How can I get the last index of my target value for a multi-value field ? on Splunk Search. 01-04-2023 07:55 AM
- Posted Re: How can I get the last index of my target value for a multi-value field ? on Splunk Search. 01-04-2023 07:55 AM
- Posted How can I get the last index of my target value for a multi-value field ? on Splunk Search. 01-03-2023 04:19 AM
- Tagged How can I get the last index of my target value for a multi-value field ? on Splunk Search. 01-03-2023 04:19 AM
- Tagged How can I get the last index of my target value for a multi-value field ? on Splunk Search. 01-03-2023 04:19 AM
- Karma Re: How to get the new errors that don't appear yesterday? for ITWhisperer. 04-30-2022 01:50 AM
- Got Karma for Re: How can I search abnormal user behaviour?. 04-25-2022 04:53 PM
- Posted Re: How to get the new errors that don't appear yesterday? on Splunk Search. 04-25-2022 08:40 AM
- Posted Re: How to get the new errors that don't appear yesterday? on Splunk Search. 04-25-2022 07:58 AM
- Posted How to get the new errors that don't appear yesterday? on Splunk Search. 04-25-2022 07:36 AM
- Posted Re: How can I search abnormal user behaviour? on Splunk Search. 04-25-2022 06:15 AM
- Posted Re: How can I search abnormal user behaviour? on Splunk Search. 04-14-2022 08:55 AM
- Posted Re: How can I search abnormal user behaviour? on Splunk Search. 04-14-2022 07:51 AM
- Posted Re: How can I search abnormal user behaviour? on Splunk Search. 04-13-2022 05:40 PM
- Posted How can I search abnormal user behaviour? on Splunk Search. 04-13-2022 09:02 AM
- Tagged Alter when a user's behavior is abnormal on Alerting. 04-13-2022 07:58 AM
- Posted Alter when a user's behavior is abnormal on Alerting. 04-13-2022 07:00 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-09-2023
04:25 AM
Thanks a lot! Actually, a customer could pay for some thing for many times, so the field "chain" in Splunk will consist of several "PayForIt". I need to check the every part of it, which split by "PayForIt". I also need to get the last index of "SendMessage" or "CheckMessage" before every "PayForIt". It seems that "mvfind" won't work properly, because it doesn't get the last but the first index.
... View more
01-09-2023
04:17 AM
Thanks a lot! I've tried this command, it works well! But when a customer pay for something several times, the filed "chain" in Splunk will contain several "PayForIt". It seems that I split "chain" into several parts by "PayForIt" and check the value in every part, which would work! If it is a Java program, I will iterate the multifield or a string to check every part, but how can I make it in Splunk?
... View more
01-04-2023
08:33 AM
Well, let me describe the generation of field "chain". A user's access to my system is based on a unique session_ id(same name's field in Splunk). And the whole access can be divided into many transactions, named trans_id in Splunk. So I can use the command below to get a user's path of transactions in time order, which named "chain". stats count by session_id trans_id _time
| eval lux=_time+"|"+trans_id
| stats values(lux) as chain by session_id
| eval chain=mvmap(chain,mvindex(split(chain,"|"),1)) Above is the process of generating field "chain". In a word, I want to find the abnormal event, which means that the order is incorrect or the value is incomplete. Just like a customer must be verified by SMS before pay something. Thanks a lot!
... View more
01-04-2023
07:55 AM
Thank you! I've modified my question, it seems that I can't expand chain to a single value field!
... View more
01-04-2023
07:55 AM
Thank you! I've modified my question, it seems that I can't expand chain to a single value field!
... View more
01-03-2023
04:19 AM
I want to get the last index of my target value for a multi-value field. For example, id chain 1 SendMessage CheckMessage PayForIt 2 CheckMessage SendMessage CheckMessage PayForIt 3 PayForIt SendMessage CheckMessage PayForIt 4 SendMessage PayForIt CheckMessage If "PayForIt" appears, meanwhile "SendMessage" and "CheckMessage" appears before it, this is a normal event. But if "SendMessage" or "CheckMessage" don't appear, or after "PayForIt", it is a abnormal event. It means you must send message and be verified by SMS before you pay for something! The id 1, 2 and 3 above are normal, 4 is abnormal. I've tried mvfind like below, but it will treat 2, 3 as abnormal event! eval send=mvfind(chain,"SendMessage")
| eval check=mvfind(chain,"CheckMessage")
| eval pay=mvfind(chain,"PayForIt")
| where isnotnull(pay) and isnotnull(check) and isnotnull(send) and pay>check and check>send
... View more
- Tags:
- multivalue
- mvfind
Labels
- Labels:
-
eval
04-25-2022
08:40 AM
What you have benefited me deeply is your train of thought! It seems work well! Finally I want ask you a question: why don't you recommend me to use relative_time(). Is it inefficient? It's convenient to compare two time span.
... View more
04-25-2022
07:58 AM
you will need to set up day and today Does it use relative_time()?
... View more
04-25-2022
07:36 AM
Hi everyone! We want to get the new errors that don't appear yesterday. For example, if an action named A. Its yesterday's error codes are A1, A2, A3. But its today's error codes are A1, A2, A4, A5. A4 and A5 are new errors. The fields we use in Splunk is below: application: the name of an application
transId: the name of an action in our system
errorCode: the error code of an action once an exception occurred The result we want to get for the example above is like below: application transId errorCode exp A A4 exp A A5 I've tried subsearch but it doesn't work well! Subsearch will be auto-finalized after 60s!
... View more
04-25-2022
06:15 AM
1 Karma
Thanks a lot! Finally I fix it! The core command is | eval lux=_time+"|"+transId
| stats values(lux) as transChain by ... The key is to make it unique by combining _time and trnasId together.
... View more
04-14-2022
08:55 AM
Thank you so much! Could you tell me the name of the product you mentioned above and maybe I can take a brief look at it. And I will try streamstats , think like you said.
... View more
04-14-2022
07:51 AM
Thank you so much! It's so close to the result that we want when I use list(). It can work well when the size is less than 100. But we have many scenarios where the number of results is greater than 100. Maybe we can use values() further to judge if it is abnormal when we reach the limit of list() . But I still want to know if there is a solution that can fix the problem perfectly?
... View more
04-13-2022
05:40 PM
Thanks a lot! I will try these command and think like this. But the length of sequence of actions is not fixed. We want to find the result when action D appears, it must have A B C before D, but the whole action-chain can be Z X C A B C D G J L I. If there a command can transfer all transId field into a string or other value by globalsessionId and uid, maybe it works!
... View more
04-13-2022
09:02 AM
Background information In our system, every visit consists of one or more actions. Every action has its own name and in Splunk it's a field named "transId". Every time an action is triggered, it has a unique sequence and in Splunk it's a field named "gsn". A customer has his unique id and in Splunk it's a field named "uid". During the period of a customer visit our system, he has a unique session id and in Splunk it's a field named "sessionId". If we want to locate a complete operation of a user, we need to use uid and sessionId together. Like many other systems, the order of actions in our system is fixed, under normal circumstances. What we want We want to create an alter to monitor the abnormal order of actions. For example, an important action named "D", it is at the end of an action-chain. Under normal circumstances, you must access our system by the order of actions "A B C D". But some hackers may skip the trans B, which may be an action that verify his identity. The problem is that I don't know the command to get abnormal results. We can accept that we need to input the order of actions for every action-chain. It's better to read the order by configuration file. What I've tried | stats count by sessionId uid transId gsn _time
| sort 0 sessionId uid _time I can get every use's order of actions by this command. Can you give me some advice? If you want to get more information, you can ask me here. Best wishes!
... View more
Labels
- Labels:
-
eval
-
field extraction
-
regex
-
rex
-
stats
04-13-2022
07:00 AM
Background information In our system, every visit consist of one or more actions. Every action has its name and in Splunk it's a field named "transId". Every time an action triggered, it has an unique sequence and in Splunk it's a field named "gsn". A customer has its unique id and in Splunk it's a field named "uid". During the period of a customer visit our system, he has an unique session id and in Splunk it's a field named "sessionId". If we want to locate a complete operation of a user, we need to use uid and sessionId together. Like many other systems, the order of actions in our system is fixed, under normal circumstances. What we want We want to create an alter to monitor the abnormal order of actions. For example, an important action named "D", it is at the last of an action-chain. Under normal circumstances, you must access our system by the order of actions "A B C D". But some hackers my skip the trans B, which may be an action that verify his identity. The problem is I don't know the command to get abnormal results. We can accept that we need to input the order of actions for every action-chain. It's better to read the order by configuration file. What I've tried | stats count by sessionId uid transId gsn _time
| sort 0 sessionId uid _time I can get every use's order of actions by this command. Can you give me some advice? If you want to get more information, you can ask me here. Best wishes!
... View more
Labels
- Labels:
-
alert action
-
alert condition
-
other
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-09-2023
08:15 AM
|
