cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
charlottelimcl
Engager
Member since: ‎10-03-2022
‎10-05-2022
Community Statistics
Posts 6
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎10-03-2022
Activity Feed
View All

Re: How to feed results of a query into another qu...

by in Splunk Search
‎10-05-2022 12:55 AM
‎10-05-2022 12:55 AM
Regarding the 0 results, this is my current query: index= useractivitylogs [search index=wineventlog EventCode=4725 earliest=-1h latest=now | eval timestamp=strftime(_time, "%Y-%m-%dT%H:%M"%S") | stats count as count by username | where count=1 fields username ]  Without inputting any table or running any stats on it, it shows up as 0. Even if i were to change my index to the same as the subsearch index, it is still 0 results.  Currently, the subsearch results will list a column of many different usernames. I am trying to troubleshoot as to why running the subsearch results in 0. Will appreciate your help. Thank you ... View more

Re: How to feed results of a query into another qu...

by in Splunk Search
‎10-04-2022 02:56 AM
‎10-04-2022 02:56 AM
i tried this but it appears that there are 0 results. Also another thing i noticed is when i used the time modifiers, i.e. (earliest=-1h latest=now), it is relative to the time now, instead of relative to the datetime range i chose at the side bar. Is there a way to change the time modifiers to be relative to the datetime selected at the sidebar?   Thank you ... View more

Re: How to feed results of a query into another qu...

by in Splunk Search
‎10-03-2022 05:59 AM
‎10-03-2022 05:59 AM
Thank you, i will try this ... View more

How to feed results of a query into another query ...

by in Splunk Search
‎10-03-2022 03:00 AM
‎10-03-2022 03:00 AM
Hi all, I am trying to feed results of a query into another of a different time and index and I'm facing issues with this. Context: I want to look for any user activity across my servers on d+1 for list of user accounts which shows up as disabled on the active directory (windows event code=4725). From the search query below, I want to parse the list of usernames where count=1 and look for any user activity on d+1 onwards after earliest(_time) is recorded.  index=useractivitylogs [search index=wineventlog EventCode=4725 | eval timestamp=strftime(_time, "%Y-%m-%dT%H:%M"%S") | stats count as count, earliest(timestamp) by username | where count=1] Example: Eventcode 4725 is recorded for these 2 users based on my inner search: Timestamp | User: 5 September 2022 | Anna 10 September 2022 | Betty  Then, I want to feed these results to identify any user activity found on any servers on d+1 after the recorded Timestamp.   Thank you.    ... View more
Labels

Re: How do I dedup duplicate values including that...

by in Splunk Search
‎10-03-2022 02:50 AM
‎10-03-2022 02:50 AM
Thanks for the reply. I wanted to have the timestamp of the occurrence as well. I went to do more research and apparently I can add this: | stats count as count, earliest(_time) by username | where count=1   ... View more

How do I dedup duplicate values including that val...

by in Splunk Search
‎10-03-2022 02:14 AM
‎10-03-2022 02:14 AM
Hi everyone, I am new to splunk. I am looking at windows event logs for the EventCode=4725 for all usernames within a week's timeframe. What I want is to remove username results if there are more than 1 count for this eventcode including that username, and then list in a table to show the timestamp and username when the eventcode occurred. Example: Usernames with EventCode=4725 recorded within 1 week:   Day 1 10pm : anna Day 1 11pm : betty Day 3 10pm : anna Day 3 1pm :  charlie Day 7 2pm : zach   Final result I want is: Day 1 11pm : betty Day 3 1pm :  charlie Day 7 2pm : zach From the above we have 'anna' removed completely from as her event showed up more than once.    This is my original query: index=wineventlog EventCode=4725 | fields * | eval timestamp=strftime(_time, "%Y-%m-%dT%H:%M"%S") | stats count by username | where username = 1 I then realised the problem with using stats count by,  because I wouldnt be able to show the timestamp for the results result this is in statistics.  I have thought of using dedup to remove duplicate values, but I have not found a way to remove duplicate values including that value itself. Please help. Thank you ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-05-2022 02:47 AM
Karma given to
View All