hi all, i have this logs which i am interested in know if there is a agent restarted after certain period when the agent got stop   index=unix sourcetype=syslog centrifyEventID=17000    Centrify agent (adclient) started centrifyEventID=17002    Centrify agent (adclient) stopped      can help to to construct the query to search to if the agent got started within 10mins after the agent got stop ... View more

Hi all, I have a inputlookup file named as leavers.csv which ill be automatically update this file contain the userID   I will need to use the userID and retrieve the user email from index=zscaler from there i will need to search in the index=exomsgtrace to determine if there is any outbound email from the users listed in the leavers.csv   Can i get your help to construct all the requirement into a single query. ... View more

hi, i a total newbie i need to do a search in splunk matching the domain in my lookup table (master_lookup.csv) my table have the columns indicators, published_date , last_update, labels my index is below ((index=bcoat_logs AND sourcetype=bluecoat:proxysg:access:file ) OR (index=nanolog_906062_zscaler AND sourcetype=zscalernss-web)) how do i have the output when it match the indicators my desired output will include _time, indicators, published_date , last_update, labels ... View more

hi all, i would like to ask if it is possible to include IF condition in the search query   if msg="Security Agent uninstallation*" [perform the below] | rex field=msg ":\s+\(*(?<result>[^)]+)" | table _time msg result   if msg="Security Agent uninstallation command sent*" [perform the below] | rex field=msg "^[^;\n]*;\s+\w+:\s+(?P<endpoint>.+)" | table _time msg suser endpoint ... View more