×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
NewGhost
Engager
Member since: ‎12-27-2021
‎06-23-2022
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-27-2021
View All

Re: How to use the second index to search missing ...

by in Splunk Search
‎06-20-2022 07:44 AM
‎06-20-2022 07:44 AM
I realize my question is too confusing and I probably need to test my queries some more. I just tried to understand how to do the join correctly, and I think if I only want certain fields to show in the end I just put |table at the end. ... View more

Re: How to use the second index to search missing ...

by in Splunk Search
‎06-20-2022 05:32 AM
‎06-20-2022 05:32 AM
They both have ComputerName field. I'll try using the bin too, thanks. My ultimate goal is to have the number of detections for ComputerNames over time, so I'll probably have to use the timechart, but I'm not even there yet. This was just me starting to combine all the information together. ... View more

How to use the second index to search missing fiel...

by in Splunk Search
‎06-17-2022 11:19 AM
‎06-17-2022 11:19 AM
Please see this search - i'm trying to add missing field values from another index to this search.   index=1 earliest=-9d latest=now ExternalApiType=Event_DetectionSummaryEvent | fillnull | stats values(ComputerName) AS ComputerName values(DetectName) AS DetectName values(UserName) AS User values(event_platform) AS Platform values(FileVersion) AS SensorVersion P values(MachineDn) AS OU values(SiteName) AS SiteName count(_time) AS count BY _time EventUUID | sort 0 - _time | eval Time=strftime(_time, "%m/%d/%Y %H:%M:%S") | appendcols [ search earliest=-9d latest=now index=json "AuditKeyValues{}.Key"=new_state "AuditKeyValues{}.ValueString"=* | spath | spath AuditKeyValue{} ]   Index=1 has fields ComputerName, DetectName, UserName, _time, EventUUID index=main has fields event_platform, FileVersion, MachineDn, SiteName   I want to pull the fields from index=main into the stats command of the index=1. I thought  it's as simple as adding the index=main at the beginning of the search with an OR: (index=json ExternalApiType=Event_DetectionSummaryEvent) OR (index=main FileVersion=*). But it's not working. I have to have the ExternalApiType value and it's only in the first index. I also tried join with the subsearch, but it didn't work. The original search is for 90 days, so I shouldn't use a subsearch anyways. Thank you. ... View more
Labels

Re: How to count events based on a user name, not ...

by in Splunk Search
‎02-17-2022 06:19 AM
‎02-17-2022 06:19 AM
That's it. Thanks ... View more

How to count events based on a user name, not the ...

by in Splunk Search
‎02-17-2022 06:04 AM
‎02-17-2022 06:04 AM
Hi, I'm struggling with a simple search. I have multiple events for the same username. I need to count the number of usernames that appeared in those events. I start with just 1 day when there should be only 1 username. But this search returns the count of 7, because it counts events, not usernames, even though I put the username field in the count command: index=* policy_name=* | stats count(username)   I tried adding dedup before stats, but it didn't do anything. What am I missing, please?   Thanks, Alina   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-23-2022 12:42 PM