cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
aoverfield
Explorer
Member since: ‎03-03-2023
‎03-04-2023
Community Statistics
Posts 5
Solutions 1
Karma Given 0
Karma Received 1
Member Since ‎03-03-2023
Topics I've Started
No posts to display.
View All

Re: Create a table combining common field from ind...

by in Splunk Search
‎03-03-2023 01:10 PM
‎03-03-2023 01:10 PM
You seem to be close. You have to add the fields from the lookup you want to be added to the search results. You are also trying to search on "distinguishedName" which is the field from the lookup, not the field that will be in your results from the indexed data. Try: index=wineventlog (EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4724) | lookup adusers distinguishedName AS SubjectUserName OUTPUT title as title | search title="*help desk*" OR title="*Computer Technician*" OR title="*IT specialist*" OR title="*support*" | search SubjectUserName="*OU=Information Technology*" | table SubjectUserName user EventCode _time title Also, since "SubjectUserName" is in the initial indexed data, you can add that to the beginning of the search to filter the initial dataset down even further. I noticed a dedup by user in your original post, so we can also write a stats command which will essentially combine the dedup and the table command to give you clean results. Updated: index=wineventlog (EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4724) SubjectUserName="*OU=Information Technology*" | lookup adusers distinguishedName AS SubjectUserName OUTPUT title as title | search title="*help desk*" OR title="*Computer Technician*" OR title="*IT specialist*" OR title="*support*" | stats values(SubjectUserName) as SubjectUserName, values(EventCode) as event_codes, values(title) as title, earliest(_time) as first_time, latest(_time) as last_time, count by user    ... View more

Re: How do I compare two vector fields from my log...

by in Splunk Search
‎03-03-2023 12:09 PM
‎03-03-2023 12:09 PM
I'm not sure what you want to do with the data or what the rest of the data/search looks like. You can see these new fields by using the table command (add the below to the end of your search). You can also use other transforming commands if you want to create a visualization with the data. https://docs.splunk.com/Splexicon:Transformingcommand  | table start, end, x1, x2, y1, y2, result   ... View more

Re: How do I compare two vector fields from my log...

by in Splunk Search
‎03-03-2023 11:31 AM
‎03-03-2023 11:31 AM
The | makeresults were a test. Only add in the regex portion to your search. <Initial Portion of your search> | rex field=start "\"point\"\s\:\s\[(?<x1>\d+\.\d+)\,(?<x2>\d+\.\d+)\]" | rex field=end "\"point\"\s\:\s\[(?<y1>\d+\.\d+)\,(?<y2>\d+\.\d+)\]" | eval result = sqrt( pow((x2 - x1),2) + pow((y2 - y1),2) ) ... View more

Re: How do I compare two vector fields from my log...

by in Splunk Search
‎03-03-2023 10:00 AM
‎03-03-2023 10:00 AM
You can regex the fields out. | makeresults | eval start="{ \"time_s\" : 1234 , \"point\" : [2.5,5.5]}", end="{ \"time_s\" : 2344 , \"point\" : [9.5,8.5]}" | rex field=start "\"point\"\s\:\s\[(?<x1>\d+\.\d+)\,(?<x2>\d+\.\d+)\]" | rex field=end "\"point\"\s\:\s\[(?<y1>\d+\.\d+)\,(?<y2>\d+\.\d+)\]" | eval result = sqrt( pow((x2 - x1),2) + pow((y2 - y1),2) ) ... View more

Re: Splunk search query for identifing the list of...

by in Splunk Search
‎03-03-2023 08:49 AM
1 Karma
‎03-03-2023 08:49 AM
1 Karma
Do you have any start to a search you could post? In general, you could do something like: "index=<db_index> users=* NOT [| inputlookup Authorized_list.csv | fields users] | stats count by users" This is assuming "users" is a field in both your indexed data and a field in the CSV.  ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-04-2023 02:42 PM
Karma from
View All