| loadjob savedsearch="userid:search:hostslists" | lookup lookupname Hostname as host OUTPUTNEW Hostname,IP | eval Host=upper(host)    | append         [| loadjob savedsearch="userid:search:hostslists"          | lookup lookupname IP as host OUTPUTNEW IP,Hostname          | eval Host=upper(host)]    | append         [| loadjob savedsearch="userid:search:hostslists"          | lookup lookupname AltName as host OUTPUTNEW AltName,IP,Hostname          | where AltName != Hostname          | eval Host=upper(host)] | eval starttime=relative_time(now(),"-10d@d"),endtime=relative_time(now(),"-1d@d") | convert ctime(latest),ctime(starttime),ctime(endtime) | where latest<=endtime AND latest>=starttime | rename latest as "Last event date", Host as "Host referred in Splunk" | eval Hostname=if('Host referred in Splunk'!='IP','Host referred in Splunk',Hostname) | stats count by Hostname,IP,"Host referred in Splunk","Last event date" | fields - count | dedup IP,Hostname   In my query I am using the saved search "hostslists" (it contains list of hosts reporting to splunk along with latest event datetime) Lookup "lookupname" (contains fields: Hostname, AltName,IP) Aim: Have to get the list of devices present in lookup which is not reporting for more than 10 days Logic: some devices report with "Hostname", some devices reprot with "AltName", few devices report with "IP"        So, I am checking all the 3 fields and capturing "Last event date"     Now, I am facing challenge,  Hostname               IP              "Last event date" Host1                  ipaddr1               25th July                 (by referring IP) Host1                  ipaddr1               10th June                 (by referring Hostname)   I have 2 different "Last event date" for same "Hostname" & "IP".  In my report, it is not showing the latest date, but Here I have to consider latest date, I am stuck how to use such logic. Can anyone please help ? Thanks for your response ... View more

Hi, Can anyone please help me to frame the SPL script. I have to collect the list of devices reporting in splunk along with the indexname. For that I am using tstats command. |  tstats count where index=* by host,index  Now the problem is, for an index the device name is under fieldname 'asset'.  To get such list from this index, I can't able to use tstats command since it works only for metafields. I tried using stats command but it is taking very long time which is impacting the performance. Please suggest me how should I frame the query in efficient manner for this case. Thanks ... View more

Hi All, It would be great help if anyone help me figure out this. App is deployed in the UFs to receive such logs in splunk under the index wineventlog. I can see 2 different sourcetypes (xmlwineventlog, XmlWinEventLog) under the wineventlog index sourcetype : XmlWinEventLog (source : "XmlWinEventLog:Application", "XmlWinEventLog:Security", "XmlWinEventLog:System") sourcetype : xmlwineventlog (source : "WinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Microsoft-Windows-Windows Defender/Operational") Please help me where should I need to check these exact difference of two distinct case sensitive sourcetypes. Thanks   ... View more

Hi, I have a correlation search created in Enterprise security. Scheduled as below. Mode: guided Time range> Earliest: -24h, Latest: Now, Cron: 0 03 * * *, scheduling: realtime, schedule window: auto, priority: auto Trigger alert when greater than 0 Throttling > window duration: 0 Response action > To:mymailid, priority: normal, Include: Link to alert, link to result, trigger condition, attach csv, Trigger time In this case, mail is not getting delivered regularly. If I try executing the same SPL query in search, it showing more than 300 rows result ... View more

Hi all, My question is regarding ADMT log ingestion to splunk. ADMT logs are sent to a common blob storage account & storage account is created and it has logs in excel format. In splunk web >> Configuration done by adding the Azure storage account in the addon "Splunk Add-on for Microsoft Cloud Services" by mentioning account secret key. Added Input (Azure storage blob) by selecting the above added storage account. Now, I can able to see the log in splunk, but the format seems wrong.   Attaching the sample event here. Can you advice what needs to be done to get the logs in correct format.  Thanks   ... View more

Hi all, I need your help in validating my query. Please help.. in indexA , fields are: user, login (user=firstname, login=login_id) in indexB , fields are: userName, city (city: location of the employee, userName:firstname comma lastname) I have userName in indexA but it was not extracted under any field name. So I am extracting this field and based on that userName combination, I need to get location of that employee. I am trying with the below query, but it is not giving location detail. Location is emplty for all rows (index=indexA sourcetype="A" user=*) OR (index=indexB sourcetype="B" userName=*) | rex field=_raw "user=(?<userName>[^.]*)\s+cat" | fields userName city login | stats count as events values(city) as city by userName login eg:user=aaa, login=aabb city=xyz, userName=aaa, bbb with my query I have to get result as userName login events city aaa, bbb aabb 1 xyz But Iam getting empty in city. please help.. Thanks ... View more