Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About marshalll3302
marshalll3302
Explorer
Member since:
07-19-2023
06-13-2024
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 07-19-2023 |
Activity Feed
- Posted Only ouptput results that exceed upper threshold and not below lower threshold (DensityFunction) on All Apps and Add-ons. 05-24-2024 11:26 AM
- Tagged Only ouptput results that exceed upper threshold and not below lower threshold (DensityFunction) on All Apps and Add-ons. 05-24-2024 11:26 AM
- Tagged Only ouptput results that exceed upper threshold and not below lower threshold (DensityFunction) on All Apps and Add-ons. 05-24-2024 11:26 AM
- Posted Re: Eval results from two time ranges on Splunk Search. 02-12-2024 11:46 AM
- Posted Re: Eval results from two time ranges on Splunk Search. 02-12-2024 11:31 AM
- Posted Eval results from two time ranges on Splunk Search. 02-09-2024 04:05 PM
- Posted Re: How to union two time ranges on Splunk Search. 09-25-2023 10:56 AM
- Karma Re: How to union two time ranges for yuanliu. 09-25-2023 10:56 AM
- Posted Re: How to union two time ranges on Splunk Search. 09-25-2023 08:51 AM
- Karma Re: How to union two time ranges for yuanliu. 09-25-2023 08:46 AM
- Posted Re: How to union two time ranges on Splunk Search. 09-25-2023 07:25 AM
- Posted How to union two time ranges on Splunk Search. 09-22-2023 01:54 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
05-24-2024
11:26 AM
I've created trained a Density Function using data but ONLY want it to output outliers that exceed the upper bound and not below the lower bound. How would I do this? My search:
index=my_index
| bin _time span=1d
| stats sum(numerical_feature) as daily_sum by department, _time
| apply my_model
Currently it is showing all outliers.
... View more
- Tags:
- DensityFunction
- mltk
Labels
- Labels:
-
search
02-12-2024
11:46 AM
Great solution - I like how it also takes out need for subsearch 🙂 Thank you!!
... View more
02-12-2024
11:31 AM
Great way to sanity check - didn't think of this til you mentioned it. Ty!!
... View more
02-09-2024
04:05 PM
Splunk sirs, I am trying to add a boolean column to my data called 'new_IP_detected' which will tell me whether an answer IP is new compared to answer IPs from a previous time range. Both searches are from the same index and sourcetype, and I only want to compare whether or not an answer IP from -24h to now is in the list of answer IPs from -30d to -24h. My search so far: index=[sample index] sourcetype=[sample sourcetype] earliest=-24h latest=now NOT [ search index=[sample index] sourcetype=[sample sourcetype] earliest=-30d latest=-24h | stats count by answer | table answer] | stats count by answer | table answer As of right now I am getting no results which I believe is expected (meaning there are no new IPs in the last 24 hrs). How would I add 'new_IP_detected' column over the last 30 days?
... View more
09-25-2023
08:51 AM
I tried the the following and all values for oldconnection field are coming up as 0, which I'm assuming is due to the if statement returning null for each event. index=<index1> src_ip IN (<srcvalues>) AND dest_ip!=<ipvalues> NOT dest_location IN ("<locvalues>") earliest=-24h latest=now()
| stats dc(if(_time < relative_time(now(), "-1h"), eval(dest_location. "-" .dest_ip), null())) as oldconnections
dc(eval(dest_location. "-" .dest_ip)) as allconnections
by src_ip
... View more
09-25-2023
07:25 AM
Thanks and noted. All your assumptions were correct except: the stats is also exactly the same except field name of the output My target output fields will look like this: Src_ip of systems of the first 23 hours (-24h to -1h) count distinct number of dest_location-dest_ip combinations (-24h to -1h) count distinct number of dest_location-dest_ip combinations in full last 24hrs (-24h to now()) I see the logic of your code and am trying to tweak it so that it will match my target output.
... View more
09-22-2023
01:54 PM
I'm trying to UNION two different tables containing info on foreign traffic - the first table is a log with time range earliest=-24h latest=-1h. The second are logs of those same systems for the full 24 hours (earliest=-24h latest=now()). My search: | union [ search index=<index1> src_ip IN (<srcvalues>) AND dest_ip!=<ipvalues> NOT dest_location IN ("<locvalues>") earliest=-24h latest=-1h | eval dest_loc_ip1=dest_location. "-" .dest_ip | stats DC(dest_loc_ip1) as oldconnections by src_ip] [ search index=<index1> src_ip IN (<srcvalues>) AND dest_ip!=<ipvalues> NOT dest_location IN ("<locvalues>") earliest=-24h latest=now() | eval dest_loc_ip2=dest_location. "-" .dest_ip | stats DC(dest_loc_ip2) as allconnections by src_ip] | fields src_ip oldconnections allconnections I am trying to compare the values of oldconnections vs allconnections for only the original systems (basically a left join), but for some reason, the allconnections shows all null values. I get a similar issue when trying to left join - the allconnections values are not consistent to the values when I run the search by itself. I can run the two searches separately with the expected result, so I'm guessing there's an error in my UNION syntax and ordering. Thanks for the help! -also open to other ways to solve this 🙂
... View more
