×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
bimatomsoc
Explorer
Member since: ‎03-15-2023
‎09-18-2024
Community Statistics
Posts 14
Solutions 0
Karma Given 5
Karma Received 0
Member Since ‎03-15-2023
Activity Feed
View All

Re: How to extract filename from inputlookup csv f...

by in Splunk Search
‎11-29-2023 09:22 PM
‎11-29-2023 09:22 PM
Thank you very much, Sir. Finally, I got the solution based on your suggestion. I put the filename column and value in the csv file. That is the easy way to get the lookupfilename in search.  ... View more

Re: How to extract filename from inputlookup csv f...

by in Splunk Search
‎11-29-2023 01:23 AM
‎11-29-2023 01:23 AM
Thanks for your response. It's really helpful and knowledgeable. Your rest query can get the lookupfilename as title. Actually, my original search query is - | inputlookup abc.csv | rename field1 as new_field | append [| inputlookup def.csv | rename field1 as new_field] | table new_field   When I put rest query that you provided, "rest" must be the first place in search. I do want to know how to combine my original query and rest query to get the new_field and lookupfilename. ... View more

How to extract filename from inputlookup csv file ...

by in Splunk Search
‎11-29-2023 12:26 AM
‎11-29-2023 12:26 AM
I want to get my inputlookup csv filename with the query. | inputlookup abc.csv | stats count by inputlookup_filename  ```<= the result I needed is "abc"``` Or | table inputlookup_filename ```<= the result I needed is "abc"``` ... View more
Labels

Re: Lookup search from another index

by in Splunk Search
‎09-17-2023 11:41 AM
‎09-17-2023 11:41 AM
Thank you for your quick response. Your query makes sense for me. But, it doesn't fully work. I think we should change the whole search. The function I used "coalesce" collects the first field value. If the dest value is not null, it only collects the dest, not collecting the rest of the values like src, src_ip. As far as I researched, I think I should use lookup and OUTPUT function to matches all the IPs(src, dest,..) with lookup index's IPs. ... View more

Lookup search from another index

by in Splunk Search
‎09-17-2023 09:01 AM
‎09-17-2023 09:01 AM
There are some values of IP addresses from `cim_Authentication_indexes`. This index is for look up. I want to make if the IP addresses from `cim_Authentication_indexes` are in the second lookup index. I tried making some query but it quite something wrong.  (`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$) | table dest, dst, Ip, source_ip, src_ip, src | eval IP_Addr = coalesce(dest, dst, Ip, source_ip, src_ip, src) | append [search index="tml_it-mandiant_ti" type=ipv4 | table value] | stats count by IP_Addr, value | where count >= 1 Please correct this and help me out. Thanks. ... View more
Labels

Re: Alternate command for collect

by in Splunk Cloud Platform
‎08-14-2023 03:40 AM
‎08-14-2023 03:40 AM
Yes, "threathunting" index is empty and created to collect search results.  No error in splunkd.log ... View more

Re: Alternate command for collect

by in Splunk Cloud Platform
‎08-14-2023 03:38 AM
‎08-14-2023 03:38 AM
Yes, it was found in _internal index. Also, this is a cluster environment. We have access to file system but there is no *_events.stash_new file under the /opt/splunk/var/spool/splunk/ directory. ... View more

Re: Alternate command for collect

by in Splunk Cloud Platform
‎08-13-2023 04:12 AM
‎08-13-2023 04:12 AM
Setting>Indexes>threathunting It's enabled, deployed in the Global sharing permissions app. It also has home path for db.   ... View more

Re: Alternate command for collect

by in Splunk Cloud Platform
‎08-13-2023 03:36 AM
‎08-13-2023 03:36 AM
Successfully wrote file to '/opt/splunk/var/spool/splunk/b90a7184a4568807_events.stash_new'. ... View more

Re: Alternate command for collect

by in Splunk Cloud Platform
‎08-13-2023 03:22 AM
‎08-13-2023 03:22 AM
Yes, the original command without |collect is working fine and gets results. index="main" |table host index tag |head 10 Till this command, it shows the results with table. When I put the collect command, the search run has no error, still showing the head 10 results. |collect index="threathunting" But, the results are not collected in the "threathunting" index. I already created a empty "threathunting" index, get permission and accessible index. So, the head 10 results should be collected in "threathunting" index. Yet, it can't. ... View more

Re: Alternate command for collect

by in Splunk Cloud Platform
‎08-13-2023 03:02 AM
‎08-13-2023 03:02 AM
Yes, the original command without |collect is working fine and gets results. index="main" |table host index tag Till this command, it shows results as table. ... View more

Re: Alternate command for collect

by in Splunk Cloud Platform
‎08-13-2023 02:49 AM
‎08-13-2023 02:49 AM
We have a new index named "threathunting" and having permission to collect the results. We use splunk admin account. How do we check that we have permission to run collect command? ... View more

Re: Alternate command for collect

by in Splunk Cloud Platform
‎08-13-2023 01:41 AM
‎08-13-2023 01:41 AM
We cannot use "collect" command Please see my example search: index="main" |table host index tag |collect index="custom_index" It didn't work. No results were collected in "custom_index" ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-18-2024 04:46 AM
Karma given to