×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
thx
Explorer
Member since: ‎05-04-2022
‎08-31-2024
Community Statistics
Posts 5
Solutions 0
Karma Given 3
Karma Received 3
Member Since ‎05-04-2022
Activity Feed
View All

Re: How to check who has updated a lookup

by in Splunk Search
‎09-04-2024 09:21 AM
1 Karma
‎09-04-2024 09:21 AM
1 Karma
you might be able to narrow down which users were on the system at the time (also any searches that might have done it even if scheduled) by running   index=_audit login attempt | table _time user   you might have  a lot of "internal_observability" user hits that you can exclude, but then it should be broken down into actions of success or search, the search should show if any user had an outputlookup mess up the lookup file, and any of the success should just be people logging in/opening a new tab.  It might not be a smoking  gun but it will narrow down who could have  done it. ... View more

Re: How to check who has updated a lookup

by in Splunk Search
‎09-03-2024 08:26 AM
1 Karma
‎09-03-2024 08:26 AM
1 Karma
you can use this search to look for any lookup edits that were logged to the _internal log index=_internal "Lookup edited*" sourcetype=lookup_editor_rest_handler | table _time namespace lookup_file user It will output the time it was saved, the app/namespace it was in, the filename and the user that saved it ... View more

Re: alternative to join that works with wildcards ...

by in Splunk Search
‎08-30-2024 01:49 PM
‎08-30-2024 01:49 PM
Thanks, that looks like its doing exactly what I was looking to replicate with my join from my older SPL that had fixed values in  the lookup file. ... View more

Re: Need help with a regex please. (Defining an ac...

by in Splunk Search
‎08-30-2024 10:44 AM
1 Karma
‎08-30-2024 10:44 AM
1 Karma
try something like... | rex field=_raw ".*\/rest\/(?<ActionTaken>\w+)" ... View more

alternative to join that works with wildcards in l...

by in Splunk Search
‎08-30-2024 10:18 AM
‎08-30-2024 10:18 AM
I  am trying to use a lookup of "known good" filenames that are within FTP transfer logs, to add extra data to files that are found in the logs, but also need to show  when files are not found in the logs, but expected. The lookup has a lookup definition defined, so that FileName can contain wildcards, and this works for matching the wildcarded filename to  existing events, with other SPL. lookup definition with wildcard on FileName for csv: FTP-Out FileName Type Direction weekday File1.txt fixedfilename Out monday File73*.txt variablefilename Out thursday File95*.txt variablefilename Out friday   example events: 8/30/24 9:30:14.000AM FTPFileName=File1.txt Status=Success Size=14kb 8/30/24 9:35:26.000AM FTPFileName=File73AABBCC.txt Status=Success Size=15kb 8/30/24 9:40:11.000AM FTPFileName=File73XXYYZZ.txt Status=Success Size=23kb 8/30/24 9:45:24.000AM FTPFileName=garbage.txt Status=Success Size=1kb current search (simplified): | inputlookup FTP-Out | join type=left FileName [ search index=ftp_logs sourcetype=log:ftp | rename FTPFileName as FileName] results I get: 8/30/24 9:30:14.000AM File1.txt fixedfilename Out monday Success 14kb File73*.txt variablefilename Out thursday File95*.txt variablefilename Out friday desired output: 8/30/24 9:30:14.000AM File1.txt fixedfilename Out monday Success 14kb 8/30/24 9:35:26.000AM File73AABBCC.txt variablefilename Out thursday Success 15kb 8/30/24 9:40:11.000AM File73XXYYZZ.txt variablefilename Out thursday Success 23kb File95*.txt variablefilename Out friday Essentially I want the full filename and results for anything the wildcard in the lookup matches, but also show any time the wildcard filename in the lookup doesn't match an event in the  search window. I've tried various other queries with append/appendcols and transaction and the closest I've gotten  so far is still with the left join, however that doesn't appear to join with wildcarded  fields from a lookup. It also doesn't seem that the where  clause with a join off a lookup  supports like() I'm hoping that someone else might have an idea on how I can get the  matched files as well as missing files in  an  output similar to my desired output above. This is within a splunkcloud deployment not  enterprise. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-31-2024 01:32 PM
Karma from
Karma given to
View All