×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mlm
Explorer
Member since: ‎11-29-2022
‎03-26-2024
Community Statistics
Posts 11
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎11-29-2022
Activity Feed
View All

Re: UF's are disappearing from ForwarderManagement

by in Deployment Architecture
‎03-26-2024 05:26 AM
‎03-26-2024 05:26 AM
Hi Gene, I am facing the similar issue. Do you mind sharing what you exactly did to resolve this? Thank you!  ... View more

Can anyone please help to create a DOS/DDOS alert ...

by in Alerting
‎02-03-2023 08:09 AM
1 Karma
‎02-03-2023 08:09 AM
1 Karma
Hello guys, Can anyone please help me to create a DOS/DDOS alert without using any application in splunk.  For example:  if source IPs sending thousands of TCP packets simultaneously within the 15-20 minutes or so.   I can't seem to find any docs that related to this. TIA ... View more

Re: Dedup command to remove events that have same ...

by in Splunk Search
‎12-15-2022 10:42 AM
‎12-15-2022 10:42 AM
Awesome!! This one actually works! Thank you so much sir! ... View more

Re: Dedup command to remove events that have same ...

by in Splunk Search
‎12-15-2022 10:33 AM
‎12-15-2022 10:33 AM
yeah, so basically, i want to monitor user account's event 4624 & 4625 by attempts, the problem is that there are bunch of duplicate events with same timestamp so i want to remove those and have a unique count ... View more

Re: Dedup command to remove events that have same ...

by in Splunk Search
‎12-15-2022 10:18 AM
‎12-15-2022 10:18 AM
hey @ITWhisperer thanks for the reply. unfortunately, it didn't work - it is giving me a "no result found" ... View more

Is there a dedup command to remove events that hav...

by in Splunk Search
‎12-15-2022 09:55 AM
‎12-15-2022 09:55 AM
hello guys, Is there any way that I could remove duplicate events that have same timestamp using this below search string:   index=* (EventCode=4624 OR EventCode=4625) | stats count(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed, count(eval(match(Keywords,"Audit Success"))) as Success earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by Account_Name | where Attempts>=5 AND Success>=1 AND Failed>=2 | eval FirstAttempt=strftime(FirstAttempt,"%x %X") | eval LatestAttempt=strftime(LatestAttempt,"%x %X")   The output: Account_Name Attempts Failed Success FirstAttempt LatestAttempt     ... View more
Labels

Re: Why is Datamodel=Authentication not getting ol...

by in Splunk Search
‎11-29-2022 10:46 AM
‎11-29-2022 10:46 AM
@PickleRick my post got deleted lol.   Could you tell me please what the possible change would be to capture those previous months data without tampering what I have now? Basically, I just want to fill the gaps for previous months for reporting purposes  ... View more

Why is Datamodel=Authentication not getting older ...

by in Splunk Search
‎11-29-2022 09:30 AM
‎11-29-2022 09:30 AM
Hey gents,  I am very new to splunk but does anyone have an idea why my search from datamodel=authentication not getting older events (say last month or two)? Below is my search string: | tstats prestats=true summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.app=win* Authentication.action=* by _time, Authentication.action span=10m | timechart minspan=10m useother=true count by Authentication.action Any suggestion would be so much appreciated!  Cheers  ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-26-2024 11:27 AM
Karma from
View All
Karma given to
View All