Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About hillsmtb7
hillsmtb7
Explorer
Member since:
04-01-2022
05-25-2022
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 04-01-2022 |
Activity Feed
- Posted How to remove quotes from Inputlookup? on Splunk Enterprise. 05-25-2022 10:08 AM
- Posted Re: Receive Delta from two different sources on Splunk Enterprise. 05-24-2022 02:12 PM
- Posted Re: Receive Delta from two different sources on Splunk Enterprise. 05-24-2022 12:10 PM
- Posted Re: Receive Delta from two different sources on Splunk Enterprise. 05-24-2022 11:57 AM
- Posted Re: Receive Delta from two different sources on Splunk Enterprise. 05-24-2022 10:25 AM
- Posted Re: Receive Delta from two different sources on Splunk Enterprise. 05-24-2022 09:11 AM
- Posted Re: Receive Delta from two different sources on Splunk Enterprise. 05-24-2022 08:30 AM
- Posted Re: Receive Delta from two different sources on Splunk Enterprise. 05-24-2022 07:54 AM
- Posted How to receive delta from two different sources? on Splunk Enterprise. 05-24-2022 07:15 AM
- Posted Re: Why is Splunk search returning additional results not specified in Lookup table? on Splunk Search. 04-01-2022 12:47 PM
- Karma Re: Why is Splunk search returning additional results not specified in Lookup table? for somesoni2. 04-01-2022 12:45 PM
- Posted Re: Splunk search returning additional results not specified in Lookup table on Splunk Search. 04-01-2022 11:40 AM
- Posted Re: Splunk search returning additional results not specified in Lookup table on Splunk Search. 04-01-2022 11:38 AM
- Posted Why is Splunk search returning additional results not specified in Lookup table? on Splunk Search. 04-01-2022 09:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
05-25-2022
10:08 AM
Hey All,
I have the following issue. There is a lookup table I am using within a query in where some items are returned with quotes and some are not. I have the following query and I need to ensure all the results are returned without quotes.
My final query looks as follows:
I know these quotes are causing issues with my final lookups. Any help is greatly appreciated.
... View more
Labels
- Labels:
-
using Splunk Enterprise
05-24-2022
02:12 PM
We might be getting closer. Why are we placing the following: values(*) as *
... View more
05-24-2022
12:10 PM
I wont try index B cause there is no data there for that PC, but in index A I attempted the following: index=A | where name="PC3" (Results: Computer appears) But when I search as follows: index=A | where name="pc3" (Results: Computer does not appear) It is case sensitive at the where. I thought it was case insensitive throughout. Where do I change the case?
... View more
05-24-2022
11:57 AM
Well that's exactly not true as PC3 does exist on the first index just not in the second one when searched individually. Index A Index B
... View more
05-24-2022
09:11 AM
I have tried the first suggestion you provided. Then on the rename of the filed I tried the following: (index="A" ) OR (index="B" sourcetype="B.1") | rename cname as name | stats value(*) as * values(index) as index by name | where mvcount(index)=1 AND index="A" Just for clarity, I have ran the index independently and receive the following for PC3: index="A" name=PC3 (Results: PC3 appears in the list for the past 30 days) index="B" sourcetype="B.1" cname=PC3 (Results: PC3 does not appear for the past 30 days.) Need only the machines that show up in index A and not in index B to display.
... View more
05-24-2022
07:54 AM
That did not work. It returns 0 results and when we run the indexes independently index A shows PC3 and index B does not contain PC3. Could it be an issue with the filed names being different for the computer names?
... View more
05-24-2022
07:15 AM
We are trying to output computers that appear in index A but not appear in Index B. We want to ensure computers are being deployed with the correct software on them.
Index A ---------------------------------------------------- | name | objectclass | field 1 | field 2 | field 3 | ---------------------------------------------------- | PC 1 | computer | x | x | x | | PC 2 | computer | x | x | x | | PC 3 | computer | x | x | x | | PC 4 | computer | x | x | x | | PC 5 | computer | x | x | x | | PC 6 | computer | x | x | x |
Index B ---------------------------------------------------- | cname | objectclass | field 1 | field 2 | field 3 | ---------------------------------------------------- | PC 1 | computer | x | x | x | | PC 2 | computer | x | x | x | | PC 5 | computer | x | x | x | | PC 6 | computer | x | x | x |
I need the output to only show PC 3 and 4 so this can be supplied to the proper team to install the application. I have tried join with type left and outer. Also I have attempted stats. However, I believe my logic is wrong.
Your help is greatly appreciated.
... View more
Labels
- Labels:
-
using Splunk Enterprise
04-01-2022
12:47 PM
somesoni2 - Great Job....This worked. Thank you!!!
... View more
04-01-2022
11:40 AM
AD_Group_4, AD_Group_5, AD_Group_6, are not part of the list but show up because AD_Group is part of the lookup table.
... View more
04-01-2022
11:38 AM
Group_Name AD_Group AD_Group_2 AD_Group_3 AD_Group_Addon AD_Group_Test AD_Group_Watch This is the lookup table example. The issue is with the first group since it brings back results for row 2 and 3 correctly, but also other groups that meet the beginning criterion "AD_Group" but are not part of the list. My search without the first group produce 29 entries for the past 30 days; and correctly so. But if I were to add the first line to the Lookup table, 800+ entries return because of the derivatives of the first part AD_Group.
... View more
04-01-2022
09:46 AM
I have a query to search particular event id's from Active Directory and see what Targets these apply to. Instead of listing 100 different AD groups, I chose to use a lookup table. My query is as follows:
index=<index name> EventID IN (4728,4729) TargetUserName IN
[| inputlookup Test_Splunk_Lookup_Table_v2.csv
| return 200 "$Group_Name"]
| eval EventID=case(EventID=="4728","Added",EventID=="4729","Removed")| rename Computer AS "Domain Controller",TargetUserName AS "Group",EventID AS "Action"| table "_time","SubjectUserName","Action","MemberName","Group","Domain Controller"
The search works well as long as the Group Names in the lookup tables are unique. But if there is an entry in the lookup table that has derivatives(i.e. AD_Group), it returns all the derivatives also instead of what is in the lookup table only.
EX. Lookup Table
Group_Name column contains "AD_Group", "AD_Group_1", "AD_Group_2"
The search returns all the above groups plus additional groups not in the lookup table; AD_Group_3, AD_Group_4, etc...
I need to know how I can just return the entries in the list and not the derivatives of AD_Group.
... View more
