Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About JohnEGones
JohnEGones
Path Finder
Member since:
07-12-2023
2 weeks ago
Community Statistics
| Posts | 18 |
| Solutions | 1 |
| Karma Given | 7 |
| Karma Received | 1 |
| Member Since | 07-12-2023 |
Activity Feed
- Posted Re: cluster master and deployment server in the distributed Splunk environment cannot be logged in via the GUI on Deployment Architecture. 4 weeks ago
- Posted Re: How to enrich notable events in ES? on Splunk Enterprise Security. 10-11-2023 07:21 AM
- Posted Re: parsing _internal logs on Splunk Search. 10-03-2023 05:24 AM
- Posted parsing _internal logs on Splunk Search. 10-03-2023 04:58 AM
- Got Karma for Re: Conditional rename using multiple fields. 09-20-2023 08:04 AM
- Karma Re: Conditional rename using multiple fields for gcusello. 09-20-2023 08:03 AM
- Karma Re: Conditional rename using multiple fields for richgalloway. 09-20-2023 08:03 AM
- Karma Re: Conditional rename using multiple fields for ITWhisperer. 09-20-2023 08:03 AM
- Posted Re: Conditional rename using multiple fields on Splunk Search. 09-20-2023 08:02 AM
- Tagged Re: Conditional rename using multiple fields on Splunk Search. 09-20-2023 08:02 AM
- Tagged Re: Conditional rename using multiple fields on Splunk Search. 09-20-2023 08:02 AM
- Tagged Re: Conditional rename using multiple fields on Splunk Search. 09-20-2023 08:02 AM
- Posted Re: Conditional rename using multiple fields on Splunk Search. 09-20-2023 07:41 AM
- Tagged Re: Conditional rename using multiple fields on Splunk Search. 09-20-2023 07:41 AM
- Tagged Re: Conditional rename using multiple fields on Splunk Search. 09-20-2023 07:41 AM
- Posted How to rename a conditional field? on Splunk Search. 09-20-2023 05:56 AM
- Posted Re: Output only the first n characters of field value on Splunk Search. 07-25-2023 08:11 AM
- Posted How can I output only the first n characters of field value? on Splunk Search. 07-25-2023 08:02 AM
- Karma Re: Alert with multiple searches for ITWhisperer. 07-25-2023 07:54 AM
- Posted Re: Alert with multiple searches on Splunk Search. 07-21-2023 10:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
4 weeks ago
Hi, not answering a question since you didn't ask one, but it seems like you're asking if you can set-up a user if you cannot reach the GUI on either the CM or DS in a distributed cluster? If so, you might start here: https://community.splunk.com/t5/Security/How-to-create-a-user-from-the-command-line-and-require-password/m-p/410937 DOCS: https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/ConfigureuserswiththeCLI
... View more
10-11-2023
07:21 AM
Have you consulted resources like these? Using threat intelligence in Splunk Enterprise Security Unified App for ES: Enrich and submit notable events - Splunk Intel Management (TruSTAR)
... View more
10-03-2023
05:24 AM
ITWhisperer, Yeah that doesn't work but now I realize its because there is a file path reference: source::X:\logs\[some IP]\log123.txt|host::[host]
... View more
10-03-2023
04:58 AM
Hi Fellow Splunkers, Have a hopefully quick question: Want to pull out the source and host from the Windows _internal splunk logs, but my rex (cribbed from a post on here) isn't working. index=_internal host IN (spfrd1, spfrd2) source="*\\Splunk\\var\\log\\splunk\\splunkd.log" component=DateParserVerbose
| rex "Context: source=(?P<sourcetypeissue>\w+)\Shost=(?P<sourcehost>\w+)"
| stats list(sourcetypeissue) as file_name list(sourcehost)
But I get no stats, my events look like this: 08-24-2022 07:50:20.383 -0400 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Sun Aug 24 07:49:58 2022). Context: source::WMI:WinEventLog:Security|host::SPFRD1|WMI:WinEventLog:Security|1
... View more
09-20-2023
08:02 AM
1 Karma
Rich, Ok, this is it. Thank you. LOL. Some of this is simple when you see/get it, but SPL's versatility sometimes makes simple things opaque/unobvious to me. @gcusello Hi Giuseppe, Thank you for your responses as well Yeah, it is the second one, but I guess I was unsure if it is better to say, do this as a lookup, based on the number of potential renames, or whether it is less effort to just define the conditions to trigger the rename based on the results from the stats output, since it isn't always the case that a specific interface value will populate. But coming back to original question, I have clarity on how to proceed given Rich's response.
... View more
09-20-2023
07:41 AM
Hi Rich (and Giuseppe), I appreciate the prompt response, I realized that I messed up what I was asking, so some clarification: <some search>
| stats count by Device_Name, Device_Interface, SomeField
| (here I want to rename the field *values* in Device_Interface that match the previous conditions, not rename the fieldname itself.)
So here I am renaming the below field value:
Device_Interface="xyz" ==> Device_Interface="x_y_z"
BEFORE rename (this is a sample line from the stats output):
DeviceName, xyz, someValue
AFTER rename:
DeviceName, x_y_z, someValue
... View more
09-20-2023
05:56 AM
Hi guys,
I need some help trying to rename a specific field on condition that the renamed field is associated with one or more separate fields.
Fields:
Device_Name
Device_Interface
SomeField
Pseudocode:
<some query>
| if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX") --> rename Value2 as "This String"
| if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY") --> rename Value2A as "This Other String"
... View more
Labels
- Labels:
-
stats
07-25-2023
08:11 AM
HI Giuseppe, Nope you got it. Like when it's quick and easy. Thanks.
... View more
07-25-2023
08:02 AM
HI people,
I want from a query to only print out the first n-characters of the field value. So:
index=someIndex sourcetype=someNetworkDevice
| stats count by someField
The output goes:
someField
this is a strong value 1
this is a string value 1a
this is a string value 2
some other string value 1
some other string value 1a
some other string value 2
this is yet another string value 1
this is yet another string value 1a
etc.
I want to pull out say the first 10 characters in each row:
this is a
this is a
this is a
some other
some other
some other
this is yet
this is yet
etc
... View more
07-21-2023
10:46 AM
Ok, so looking at the reference documentation, we are given: The differences between these commands are described in the following table: stats command eventstats command Events are transformed into a table of aggregated search results Aggregations are placed into a new field that is added to each of the events in your output You can only use the fields in your aggregated results in subsequent commands in the search You can use the fields in your events in subsequent commands in your search, because the events have not been transformed REF: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/SearchReference/Eventstats So, basically, the eventstats command doesn't change any of the events themselves, it just adds the field to the events pulled in from the query, where as stats is direct calculation from the events. So all of the subsequent actions from stats will be based on the transformations done whereas the eventstats just added a new field with aggregate values? I'm finding that engaging with alot of this requires a new way of thinking, a so called Splunk and data analyst/engineering mindset that is constrained and molded by what is possible with SPL and Splunk Arch, especially when there are performance or resource constraints that might push an analyst or engineer to prefer or require a certain type of query over another.
... View more
07-21-2023
08:30 AM
@ITWhisperer Thanks. I have not used streamstats much before. I suppose there is not really a good way to generalize this; since simpler queries like this already assume your data is fairly well-parsed.
... View more
07-21-2023
07:40 AM
Hi people, I wonder whether it is possible to run a query that generates a set of n-sample of events for each sourcetype in an index? In some sense, if the log data has been ingested and conformed properly, this is perhaps not so problematic, you might build a datamodel or just query across the relevant CIM field (alias.) So lets get specific: index-someIndex sourcetype=someSourceType
| enumerate against some defined key value, say an eventtype
| enumerate all of the eventtypes and pull out any subeventtypes
| list the for 2-5 events for each subeventtype, else just list the 2-5 events for the the eventtype
| table _time, eventtype, subeventtype (NULL if blank), event
... View more
07-21-2023
05:49 AM
These sorts of replies are very useful (and I do understand that they take experience, attention and effort to craft), even, I suspect, for some people that are more competent than me at just coding queries. In my (limited) experience, there are a lot of sometimes subtle and nuanced considerations, to say nothing of just things you may not know, that can go into even simple queries, let alone ones that perform a series of transforms, calculations and joins, and which need to be relatively fast and efficient because they will tend to be run regularly. I'm happy I am taking this stuff rather more seriously, I'm learning a lot.
... View more
07-20-2023
04:47 AM
This was an interesting and valuable discussion. Thanks. I do genuinely appreciate volunteers and the willingness of people to give their time and experience/expertise to help, and if there is genuine interest in an exchange--versus simply trying to off-load doing work onto other people. I hope in all of my interactions here I am helped, can help, and can be taught. Cheers.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
