×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Codyy_Fast
Explorer
Member since: ‎09-12-2022
‎11-28-2024
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎09-12-2022
View All

Re: Search results differ between real-time search...

by SplunkTrust in Deployment Architecture
‎11-27-2024 02:43 PM
‎11-27-2024 02:43 PM
Using transaction is rarely a good solution, as it has numerous limitations and results will silently disappear, as you have noticed. It seems you're looking for the same msg within a 5 minute window, that has a syscall and not from certain comm types, but given that audit messages are typically time based, can you elaborate on what you're trying to do here. You are asking Splunk to hold 5 minutes of data in memory for every msg combination, so if your data volume is large then lots of those combinations will get discarded. Whenever you use transaction, you should filter out as much data as possible before you use it. Can you give an example of what groups of events you are trying to collect together - the stats command is generally a much better way of doing this task and does not have limitations. Also, note that sort by date is not valid SPL as "by" is treated here as a field and not a command word - just use sort date     ... View more

Re: Collecting Logs Windows Servers and Windows Do...

by SplunkTrust in Getting Data In
‎08-21-2023 11:55 PM
‎08-21-2023 11:55 PM
Hi @Codyy_Fast, using the table command you have all the (e.g.) 4625 events, you can also group them using the stats command: index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740) | eval Benutzerkonto = coalesce(Kontoname, Account_Name) | eval Meldung = coalesce(Fehlerursache, Failure_Reason) | eval IP-Quelladresse = coalesce(Source_network_address, Quellnetzwerkadresse) | stats count earliest(_time) AS earliest latest(_time) AS latest values(Benutzerkonto) AS Benutzerkonto values(Meldung) AS Meldung values(IP-Quelladresse) AS IP-Quelladresse BY ComputerName but it depends on what are the requisites of yoru search, in other words: what do you want to find? In addition, if possible don't use "-" or spaces in your field names, use "_" because Splunk translate it as the subtraction operator. Ciao. Giuseppe ... View more

Re: Deployment-Server Linux Sererclass Monitoring ...

by in Splunk Enterprise
‎09-22-2022 04:22 AM
‎09-22-2022 04:22 AM
Hi, thanks for your Reply! Everything worked, thank you! I have installed the Linux Unix add-on on the deployment server. Then I moved it from /opt/splunk/etc/apps to /opt/splunk/etc/deployment-apps. After that, I was able to deploy the app via the Splunk web interface.   Greetings! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-28-2024 03:41 AM
Karma given to
View All