Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About vgiri8
vgiri8
Path Finder
Member since:
05-23-2022
02-28-2023
Community Statistics
| Posts | 19 |
| Solutions | 0 |
| Karma Given | 9 |
| Karma Received | 0 |
| Member Since | 05-23-2022 |
Activity Feed
- Posted Re: How can I create a Splunk alert that posts in Slack channel and has a user group (example: @team) so a badge appears on All Apps and Add-ons. 09-14-2022 11:28 PM
- Karma Re: Alert needs to be configured if there is no logs for an index for gcusello. 09-14-2022 02:31 PM
- Karma Re: Removing duplicates vs removing all data that match our criteria and and re-indexing the file. for gcusello. 08-26-2022 04:30 AM
- Karma Re: How to check that a field value is unchanged in last two day or if possible two business days? for yuanliu. 08-26-2022 03:36 AM
- Posted Re: How to check that a field value is unchanged in last two day or if possible two business days? on Splunk Search. 08-25-2022 12:54 AM
- Posted Re: How to check that a field value is unchanged in last two day or if possible two business days? on Splunk Search. 08-24-2022 06:04 AM
- Posted Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within on Splunk Search. 08-12-2022 07:35 AM
- Karma Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within for ITWhisperer. 08-12-2022 07:35 AM
- Karma Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within for ITWhisperer. 08-12-2022 07:35 AM
- Posted Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within on Splunk Search. 08-12-2022 03:46 AM
- Posted Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within on Splunk Search. 08-12-2022 03:22 AM
- Karma Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within for ITWhisperer. 08-12-2022 03:17 AM
- Posted Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within on Splunk Search. 08-12-2022 03:06 AM
- Posted Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within on Splunk Search. 08-12-2022 03:04 AM
- Posted Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within on Splunk Search. 08-12-2022 02:56 AM
- Posted Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within on Splunk Search. 08-12-2022 02:42 AM
- Posted Re: Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within on Splunk Search. 08-12-2022 02:33 AM
- Posted Re: How to check that a field value is unchanged in last two day or if possible two business days? on Splunk Search. 08-12-2022 02:26 AM
- Posted How to create a query as below, but I would like to get the latest data for a field within span? on Splunk Search. 08-12-2022 01:27 AM
- Posted Re: How to check that a field value is unchanged in last two day or if possible two business days? on Splunk Search. 08-11-2022 04:34 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
09-14-2022
11:28 PM
For the userid use below steps to get the id, it is not same as channelID. You need to get the memberID https://api.slack.com/reference/surfaces/formatting#mentioning-users
... View more
08-25-2022
12:54 AM
Hi @yuanliu, I tried as you mentioned but the number host is now only one, compared to many host in the last query. Please find attached screenshot of current output. Time range is took is same for both old and new query(without the bin _time)
... View more
08-24-2022
06:04 AM
@yuanliu I have attached the screenshot of (a single host, as an example) for the result I am getting if I use the below query, If I had the rest of the query, I do not get any results. We are getting the data once per day. index=my_index sourcetype=my_sourcetype isDecommissioned="false" isUninstalled="false" | bin span=1d _time | stats min(_time) as start max(_time) as end by host _time threatRebootRequired | where threatRebootRequired == "true"
... View more
08-12-2022
07:35 AM
Thank you so much @ITWhisperer
... View more
08-12-2022
03:46 AM
Hi @ITWhisperer , Finally seeing data as required. I had few questions, I feel to do this, so that I only get single count per host, since I could have multiple entries in a week for the same host, if I use "count by _time" | stats count by _time site replace it with | stats dc(host) by site your thoughts
... View more
08-12-2022
03:22 AM
Yes you are correct. I have one last question, how do I change the week to more readable format from current in the screenshot. I can do eval, but where do I add it in the query?
... View more
08-12-2022
03:06 AM
I am trying to get a trend chart per site per week, for all host which had encryption=false within a given week. Basically trying to see the trend and check if we are improving week by week in encryption=false, basically needs to reduce. I am sorry If I was not clear before.
... View more
08-12-2022
03:04 AM
index=my_index encrypted=false | timechart span=1w estdc(host) by site How do I get the latest encrypted data which is false , removing encrypted=false from the main search.
... View more
08-12-2022
02:56 AM
Hi @ITWhisperer , I am still looking for trend chart to show, thats why I am using timechart with the count of host per site per week
... View more
08-12-2022
02:42 AM
I currently use this to get the data for list of host, this query only gives me the latest data of host. index=my_index | stats latest(encrypted) AS Encrypted BY host | where Encrypted="false"
... View more
08-12-2022
02:33 AM
Hi @ITWhisperer , I am searching for encrypted=false. So changing the below example to reflect that ( Sorry for the confusion in the Original post) If I add. // where encrypted="false". // early in the query, search will only look for encrypted=false and not the latest results for a given host, which could change within the span time frame(span=1w) and then I would get the count of the host which have encrypted= false, but that is not correct count. I mean I would get the results for all encrypted=false within the span but not the latest state within the time frame.
... View more
08-12-2022
02:26 AM
Hi @yuanliu , I worked on the query you shared, but I am getting data as below, I would like to sort by computerName and I am using span=1d here. When I add the last part of the query (where threatRebootRequired == "true" and now() - end < 300 and now() - start > 2*86400) I do not get any results. Please find the attached screenshot
... View more
08-12-2022
01:27 AM
Latest data within a time span. I have a query as below, but I would like to get the latest data for a field within span of 1w.
index=my_index | timechart span=1w estdc(host) by site
I would like to get the latest data for field "encrypted=false" within the span=1w for all host by site Edit: encrypted=false changed from true
Edit 2: Summary of What I am trying to get as clearly articulated by @ITWhisperer "So my guess was right - this is what the search is basically doing
For each week, it gets the latest encryption state for each host on each site
Then keeps only those statistics where the state is false
Then counts to events (one for each host with encryption false for that week) by week and site"
Finally, it reorganises the data into chart format.
... View more
Labels
- Labels:
-
timechart
08-11-2022
04:34 AM
index=my_index sourcetype=my_sourcetype isDecommissioned="false" isUninstalled="false" | stats max(_time) as _time latest(threatRebootRequired) as status by host | eval now=now() | convert ctime(now) as day_of_week timeformat="%w" | eval day_of_week_variable=case(day_of_week=0 OR day_of_week=1, 2,day_of_week=6 or day_of_week=2,1,1=1,0) | eval day_age_of_last_message=((now()-_time)/60/60/24-day_of_week_variable) | eval reboot_required=if(day_age_of_last_message>2,"threatRebootRequired=true", "threatRebootRequired=false") | eval day_age_of_last_message=((now()-_time)/60/60/24-day_of_week_variable). //in this eval a open braces was missing, which I have added now. | eval reboot_required=if(day_age_of_last_message>2 AND status = true,"reboot required", "not required") //What I am supposed to give here, still I do not get the desired results of only showing results >2. I have also added status= true, to remove messages which are older than 2 days but do not require reboot. I would like to have the data compared with older logs to check, if the reboot required is still true since last two days.
... View more
08-03-2022
02:13 AM
I am checking for reboot required, if yes, since how long is the status unchanged from reboot required yes. Logic I am waiting for atleast 2 business days before I send alert to user to reboot his machine. Thank you so much for you help. I did check an answer but did not get it. https://community.splunk.com/t5/Splunk-Search/Get-data-from-the-last-2-business-days/m-p/539517
... View more
Labels
- Labels:
-
other
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-28-2023
11:26 PM
|
Karma given to
