Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About srv007
srv007
Path Finder
Member since:
04-06-2023
08-15-2023
Community Statistics
| Posts | 22 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 0 |
| Member Since | 04-06-2023 |
Activity Feed
- Posted Re: How to remove wild cards/suffix values from values of hostname? on Splunk Search. 08-14-2023 04:52 AM
- Karma Re: How to remove wild cards/suffix values from values of hostname? for ITWhisperer. 08-13-2023 02:16 PM
- Posted Re: How to remove wild cards/suffix values from values of hostname? on Splunk Search. 08-11-2023 03:09 AM
- Posted Re: Remove wild cards/suffix values from values of hostname on Splunk Search. 08-09-2023 11:11 AM
- Posted How to remove wild cards/suffix values from values of hostname? on Splunk Search. 08-09-2023 11:09 AM
- Posted Re: Duplicate values for each fields coming up where lookup is used on Dashboards & Visualizations. 06-20-2023 07:50 AM
- Posted Re: Duplicate values for each fields coming up where lookup is used on Dashboards & Visualizations. 06-20-2023 07:42 AM
- Posted Re: Duplicate values for each fields coming up where lookup is used on Dashboards & Visualizations. 06-20-2023 07:38 AM
- Karma Re: Duplicate values for each fields coming up where lookup is used for ITWhisperer. 06-20-2023 07:38 AM
- Posted Re: Duplicate values for each fields coming up where lookup is used on Dashboards & Visualizations. 06-20-2023 07:23 AM
- Posted Re: Duplicate values for each fields coming up where lookup is used on Dashboards & Visualizations. 06-20-2023 06:50 AM
- Posted Re: Duplicate values for each fields coming up where lookup is used on Dashboards & Visualizations. 06-20-2023 06:43 AM
- Posted Re: Duplicate values for each fields coming up where lookup is used on Dashboards & Visualizations. 06-20-2023 05:47 AM
- Posted Re: Duplicate values for each fields coming up where lookup is used on Dashboards & Visualizations. 06-20-2023 05:16 AM
- Posted Re: Duplicate values for each fields coming up where lookup is used on Dashboards & Visualizations. 06-20-2023 05:08 AM
- Posted Re: Duplicate values for each fields coming up where lookup is used on Dashboards & Visualizations. 06-20-2023 04:09 AM
- Tagged Duplicate values for each fields coming up where lookup is used? on Dashboards & Visualizations. 06-19-2023 12:43 PM
- Tagged Duplicate values for each fields coming up where lookup is used? on Dashboards & Visualizations. 06-19-2023 12:43 PM
- Posted Duplicate values for each fields coming up where lookup is used? on Dashboards & Visualizations. 06-19-2023 11:41 AM
- Posted Re: How can I convert Key value into field value data? on Splunk Search. 05-05-2023 05:06 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-14-2023
04:52 AM
This did help actually. few hosts have entries like ###gbl12344 - old### anyway to fetch only hostname for such cases?
... View more
08-11-2023
03:09 AM
Any guidance/help is appreciated
... View more
08-09-2023
11:11 AM
##Note - Also point to be noted that some hostname can be of 6 characters some can be 8 and like so extracting hostname as number of characters might not be suitable.
... View more
08-09-2023
11:09 AM
below is my search query index="inm_inventory"
|table inventory_date, region, vm_name, version
|dedup vm_name | search vm_name="*old*" OR vm_name="*restore*" output as below : The challenge here is each vm_name has different suffix added and its not standard since any user adds any comment to to it so it could be anything. how do i perform look for the vm names since lookup file only has hostnames and no suffix. i have a lookup file named itso.csv which has details like hostname(all in lower case), tier, owner, country. I want to use lookup in my main search for the fields tier, owner, country end requirement is to do lookup for the vm_name in itso.csv file and add details like tier, countrycode, owner in the main search output.
... View more
- Tags:
- wildcard
Labels
- Labels:
-
eval
-
field extraction
-
lookup
-
regex
06-20-2023
07:50 AM
index=standard_tanium source="Prod-CSV" script=read.ps1" |rename field01 as user |rename field02 as login-count |rename CSV-Timestamp as Script_run |rex mode=sed field=user "/[&?].*//g" |table Script_run IDBC-Hostname user login-count |lookup read-login.csv user-id as user OUTPUTNEW user-id |lookup owner.csv hostname as IDBC-Hostname OUTPUTNEW tier sownername servicename |search user-id=* |sort -login-count |stats values(*) as * by Script_run IDBC-Hostname user login-count |table Script_run IDBC-Hostname user login-count tier sownername servicename
... View more
06-20-2023
07:42 AM
Update -- i added | table and the fields to show and this as fixed the above mentioned too. Kudos!!
... View more
06-20-2023
07:38 AM
Thanks Mate, this did help. all repeated fields are gone, at the same time not affecting the hostname. so output is below : The only concern is can we remove user-id from getting displayed as same info already being shown under user. And if we can re-allign the order of the fields. example -- Script_run IDBC-Hostname user login-count tier sownername servicename
... View more
06-20-2023
07:23 AM
owner.csv has only one entry for each hostname? >> correct So each event has one value for IDBC-Hostname >> can have more, hostname can re-appear but against different user and its run daily, so can have more than one entry for same hostname.
... View more
06-20-2023
06:50 AM
index=standard_tanium source="Prod-CSV" script=read.ps1" |rename field01 as user |rename field02 as login-count |rename CSV-Timestamp as Script_run |rex mode=sed field=user "/[&?].*//g" |table Script_run IDBC-Hostname user login-count |lookup read-login.csv user-id as user OUTPUTNEW user-id |lookup owner.csv hostname as IDBC-Hostname OUTPUTNEW tier sownername servicename |search user-id=* |sort -login-count |fields Script_run IDBC-Hostname user login-count tier sownername servicename When i add lookup for owner.csv then its creating duplicates for the lookup fields. owner.csv has tier,sownername servicename field values which i'm comparing and adding to my main search read-login.csv has user account info. read.ps1 has info about about all hostnames and login count. Using read-login.csv im fetching details for accounts mentioned in that csv only, and doing lookup with owner.csv i'm adding the extra fields to the search results.
... View more
06-20-2023
06:43 AM
index=standard_tanium source="Prod-CSV" script=read.ps1" |rename field01 as user |rename field02 as login-count |rename CSV-Timestamp as Script_run |rex mode=sed field=user "/[&?].*//g" |table Script_run IDBC-Hostname user login-count |lookup read-login.csv user-id as user OUTPUTNEW user-id |search user-id=* |sort -login-count |fields Script_run IDBC-Hostname user login-count tier sownername servicename This gives output as below-- Script_run IDBC-Hostname user login-count tier sownername servicename 2023/06/19 12:25 abc12345 11133121-990 4 2023/06/15 17:25 xzyz1112 33421111-990 2 2023/06/14 19:15 arsd1123 7877333-750 1 2023/06/12 12:25 abc12345 9911128-630 3
... View more
06-20-2023
05:47 AM
Below is the result : Script_run IDBC-Hostname user login-count 2023/06/19 12:25 abc12345 11133121-990 4 2023/06/15 17:25 xzyz1112 33421111-990 2 2023/06/14 19:15 arsd1123 7877333-750 1 2023/06/12 12:25 abc12345 9911128-630 3 Here it is expected to have repeated hostnames as the user id is varying and we need sum total of login-count so we shouldnt dedup hostnames. Now the problem of duplicate value happens for fields which we using for lookup like tier
... View more
06-20-2023
05:16 AM
still same, no help.
... View more
06-20-2023
05:08 AM
still same result, no changes
... View more
06-20-2023
04:09 AM
want to understand why the lookup fields are appearing repeated and how to fix it. I did try |mvexpand tier | dedup IDBC-Hostname but then that removes duplicate entries which shouldn't happen as it can be case same server repeated and we need data for it. This dedup affects login-count since dedup removes duplicate hostnames.
... View more
06-19-2023
11:41 AM
Below is the splunk query that i'm using.
index=standard_tanium source="Prod-CSV" script=read.ps1"
|rename field01 as user
|rename field02 as login-count
|rename CSV-Timestamp as Script_run
|rex mode=sed field=user "/[&?].*//g"
|table Script_run IDBC-Hostname user login-count
|lookup read-login.csv user-id as user OUTPUTNEW user-id
|lookup owner.csv hostname as IDBC-Hostname OUTPUTNEW tier sownername servicename
|search user-id=*
|sort - login-count
| fields Script_run IDBC-Hostname user login-count tier sownername servicename
the above query is working fine, just duplicate values coming for tier sownername servicename Output : Script_run IDBC-Hostname user login-count tier sownername servicename 2023/06/19 12:25 abc12345 11133121-990 4 2 Bob ADF-Co
2 Bob ADF-Co
2 Bob ADF-Co
2 Bob ADF-Co
2023/06/15 17:25 xzyz1112 33421111-990 2 1 Sam AXF-Co
1 Sam AXF-Co
1 Sam AXF-Co
1 Sam AXF-Co
... View more
Labels
- Labels:
-
dashboard
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-15-2023
04:13 AM
|
