×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Icecream123
Explorer
Member since: ‎04-12-2022
‎06-29-2023
Community Statistics
Posts 3
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎04-12-2022
Activity Feed
Topics I've Started
No posts to display.
View All

Re: customized Fields

by in Getting Data In
‎04-04-2023 02:41 AM
‎04-04-2023 02:41 AM
Hi, You can try to perform regex on the field to get the required values from the field. The below if a sample regex to extract the loglevel or teamName or ID. (need to optimize further accordingly.) |rex field=_raw ""logLevel":"(?<loglevel>\S*)","ID":"(?<ID>\S*)","teamName":"(?<teamname>\w*)"  If the message field is already extracted you can try: |rex field=message ""logLevel":"(?<loglevel>\S*)","ID":"(?<ID>111111)","teamName":"(?<teamname>\w*)"   Hope this is what you are looking to do! ... View more

Re: Multiple sourcetypes with where condition

by in Splunk Search
‎04-04-2023 02:11 AM
‎04-04-2023 02:11 AM
Glad to help! ... View more

Re: Multiple sourcetypes with where condition

by in Splunk Search
‎04-04-2023 02:05 AM
‎04-04-2023 02:05 AM
Hi, This query works for me to get all the values of more than 7. I reassign the name of "values(cvs) as cvs" before performing the where command. index=security sourcetype=EDR:* | eval dest=coalesce(ip,ipaddress) | stats values(sourcetype) as sourcetype values(cvs) as cvs values(warning) as warning values(operating_system) as operating_system values(ID) as ID by dest | where cvs>7   These are all the values after the stats.   after |where >7   Hope this was what you were looking to do! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-29-2023 02:58 AM