Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About marysan
marysan
Communicator
Member since:
06-14-2022
04-02-2024
Community Statistics
| Posts | 48 |
| Solutions | 9 |
| Karma Given | 0 |
| Karma Received | 14 |
| Member Since | 06-14-2022 |
Activity Feed
- Got Karma for Re: Splunk Rest Query to see the definitions of all dashboards ( public & private ). 08-03-2023 01:48 AM
- Got Karma for Re: How can I search using an inputlookp with wildcards and spaces?. 05-31-2023 05:42 AM
- Got Karma for Re: Is there a search that will return all changes creation, deletion of global groups?. 01-19-2023 07:55 AM
- Posted Re: How to remove fields with zero value in chart command? on Splunk Enterprise. 07-31-2022 02:50 AM
- Posted Re: remove fields with zero value in chart command on Splunk Enterprise. 07-31-2022 01:27 AM
- Posted How to remove fields with zero value in chart command? on Splunk Enterprise. 07-30-2022 01:37 AM
- Tagged How to remove fields with zero value in chart command? on Splunk Enterprise. 07-30-2022 01:37 AM
- Got Karma for Re: match field values with multivalue field. 07-19-2022 09:18 AM
- Got Karma for Re: How to match field values with multivalue field?. 07-19-2022 09:17 AM
- Got Karma for Re: How to compare and generate percentage from two lookup fields?. 07-18-2022 10:56 AM
- Posted Re: When I send the splunk search result data via webhook I am only getting only the first row, any alternative? on Reporting. 07-17-2022 05:30 AM
- Posted Re: Is there a search that will return all changes creation, deletion of global groups? on Reporting. 07-17-2022 05:25 AM
- Posted Re: How to compare and generate percentage from two lookup fields? on Splunk Search. 07-17-2022 04:30 AM
- Tagged Re: How to compare and generate percentage from two lookup fields? on Splunk Search. 07-17-2022 04:30 AM
- Posted Re: Is there any way to use all returned values under a certain field in a search? on Splunk Search. 07-17-2022 04:14 AM
- Posted Re: How to match field values with multivalue field? on Splunk Search. 07-17-2022 04:00 AM
- Tagged Re: How to match field values with multivalue field? on Splunk Search. 07-17-2022 04:00 AM
- Posted Re: match field values with multivalue field on Splunk Search. 07-17-2022 03:59 AM
- Tagged Re: match field values with multivalue field on Splunk Search. 07-17-2022 03:59 AM
- Got Karma for Re: How to create search bar that dynamically updates itself in a dashboard. 07-02-2022 05:14 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
07-31-2022
02:50 AM
this problem was resolved by using |stats count as count by flag, DestAddr
... View more
07-31-2022
01:27 AM
yes it doesn't work . shows nothing !
... View more
07-30-2022
01:37 AM
Hello everybody my query :
index=logarithm SrcAddr="192.168.148.1"
|eval flag=case(DestAddr="192.168.148.7" OR DestAddr="192.168.148.8" OR DestAddr="192.168.148.24" ,"LAN 1",DestAddr="192.168.148.21" OR DestAddr="192.168.148.36" OR DestAddr="192.168.148.37" ,"LAN 4" , DestAddr="192.168.148.33" OR DestAddr="192.168.148.34" OR DestAddr="192.168.148.35","LAN 5")
|chart count over flag by DestAddr useother=f usenull=f
and in trellis mode there are all DestAddrs for each flag! (as we can see in picture) but I want not to show DestAddrs with 0 values in every chart by "LAN 1" just show "192.168.148.7" or "192.168.148.8" or "192.168.148.24" by "LAN 4" just show "192.168.148.21" or "192.168.148.36" or "192.168.148.37" by "LAN 5" just show "192.168.148.33" or "192.168.148.34" or "192.168.148.35 "
... View more
- Tags:
- chart
Labels
- Labels:
-
using Splunk Enterprise
07-17-2022
05:30 AM
Hi in Edit Alert ->"Trigger Conditions" -> Trigger you must select "Once" option instead of "For each result"
... View more
index=MyIndex EventCode IN (4728,4729,4730) user=* | eval time=_time | convert ctime(time) | eval msg="A user "+user+" was "+action+" on the host "+host+" by "+src_nt_domain+"\\"+src_user+" at "+time |table msg,EventCode,action,user,signature,status
... View more
07-17-2022
04:30 AM
1 Karma
| inputlookup file1.csv | eventstats dc(Tests) as file1_tests_count | dedup file1_tests_count | inputlookup append=T file2.csv | eventstats dc(Tests) as file2_tests_count | dedup file2_tests_count | fields file1_tests_count,file2_tests_count | eval percentage=(file1_tests_count/file2_tests_count*100)
... View more
07-17-2022
04:14 AM
|mvexpand fieldA |mvexpand fieldB |eval flag=if(match(fieldA ,fieldB),1,0) OR |mvexpand fieldA |mvexpand fieldB |eval flag=if(match(fieldB ,fieldA),1,0)
... View more
07-17-2022
04:00 AM
1 Karma
|mvexpand Account |eval flag=if(match(Account,user),1,0) |search flag=0
... View more
07-17-2022
03:59 AM
1 Karma
|mvexpand Account |eval flag=if(match(Account,user),1,0) |search flag=0
... View more
- Tags:
- match
- multivalue
07-02-2022
12:33 AM
1 Karma
Hello in input settings there is a Dynamic option . you can use a report or search to show new customers . like this
... View more
06-29-2022
04:40 AM
Hi you can use mvappend command to append 3 different fields as a fields: | inputlookup CUCM_lboro_assigned_numbers_27_6_22.csv | rename DN AS phone | search NOT [ search index=cucm cdrRecordType=1 duration>0 |eval phone=mvappend(callingPartyNumber ,originalCalledPartyNumber , finalCalledPartyNumber ) |table phone] but I doubt that "search NOT" works for you !
... View more
06-28-2022
11:57 PM
Hi I suppose that you need join command for example : index=index1 abc=123-678 def=678+943 , ghi=678-123 | fields abc,def,ghi | join type=inner abc,def,ghi [| search index=index2]
... View more
06-28-2022
10:55 PM
Hi you should add append=T to tour outputlookup command |outputlookup append=T test.csv did you di that ?
... View more
06-28-2022
10:21 PM
Hi, this must work |rex field=a "stopped: "(?<pause>.*)" seconds," |where pause> 0
... View more
06-27-2022
01:16 AM
OK. if you want to follow just creation, I have a best solution for you with lookup , to recognize new correlations : 1- first run this query just 1 time, to primitive lookup update: | rest /services/saved/searches splunk_server=local count=0 | search author!="admin" AND action.correlationsearch.enabled=1 | table title,author | eval flag=1 | outputlookup test2.csv 2-then make an alert or report and define a time schedule for that with this query to recognize new correlations created during alert/report time period (all titles that there is no flag=1 for them in lookup) : | rest /services/saved/searches splunk_server=local count=0 | search author!="admin" AND action.correlationsearch.enabled=1 | table title,author | lookup test2.csv title as title output flag |search NOT flag=* | eval flag=1 | outputlookup append=T test2.csv as a result this query list for you just new correlations , for example if your time schedule is every day at 7 AM, it lists for you all correlation searches were create between yesterday 7 AM - today 7 AM
... View more
06-27-2022
12:24 AM
Hello I checked It for new rules, it shows the date of creation
... View more
06-26-2022
11:47 PM
1 Karma
Hi please put a picture or screenshot
... View more
06-26-2022
11:23 PM
Hello Im working with splunk version 7.2.3 and I suppose that this query can help you : (instead of author!= admin ypu can list your favorite authors) | rest /services/saved/searches splunk_server=local count=0 | search author!="admin" AND action.correlationsearch.enabled=1 | stats values(updated) as updated , values(action.correlationsearch.enabled) by title,author | sort - updated
... View more
- Tags:
- rest
06-26-2022
10:53 PM
Hi how many rows do your table have ? (6 rows ? or more ?) please put a screen shot hear (I think you must change Format visualization in your dashboard panel with replacing very smaller value)
... View more
06-26-2022
10:28 PM
1 Karma
you need eai:data field too : | rest /servicesNS/-/-/data/ui/views | rename eai:acl.app AS app | rename eai:acl.perms.write as dashboard-write-permission | rename eai:acl.perms.read as dashboard-read-permission | rename eai:appName as appName | rename eai:data AS data | join type=outer appName [| rest /servicesNS/-/-/apps/local | rename title AS appName | rename eai:acl.perms.read AS app-read-permission | rename eai:acl.perms.write AS app-write-permission] | table app label title dashboard-read-permission dashboard-read-permission app-write-permission app-read-permission data
... View more
06-25-2022
05:15 AM
1 Karma
| rex field=_raw "physical.memory.free="(?<physical_memory_free>.*)"M"
... View more
- Tags:
- rex
06-24-2022
11:38 PM
dear friend your query doesn't show different conditions : one hand: (process="view.exe" OR netproc_process="remotemks.exe") and the other hand (process=*) !! first condition is a subset of second condition but I suppose that this must work for your target: | eval flag=if(process="view.exe" OR netproc_process="remotemks.exe",1,0) | stats sum(returnts_bytes) as returns_bytes by site,flag
... View more
06-24-2022
10:39 PM
for _internal index for example: | rest /services/saved/searches splunk_server=local count=0 | search cron_schedule!="* *" AND search="*index=_internal*" when there is no cron schedule for a saved search, it cant execute .
... View more
- Tags:
- rest
06-24-2022
10:23 PM
1 Karma
this must work : index=firewall |lookup my_special_lookup.csv Field1 as firewall_string_field
... View more
06-24-2022
09:55 PM
this must work for you : |your code ... |search process="view.exe" OR netproc_process="remotemks.exe" | stats sum(retrans_bytes) as retrans by site
... View more
- Tags:
- stats
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-02-2024
09:32 PM
|
Karma from
