Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About akselsoeb
akselsoeb
Engager
Member since:
11-21-2023
04-09-2024
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 11-21-2023 |
Activity Feed
- Posted Re: "No Data" with Dashboard Studio on Dashboards & Visualizations. 04-09-2024 05:35 AM
- Posted Re: Track Changes to a field on Splunk Search. 12-28-2023 01:44 AM
- Posted Track Changes to a field on Splunk Search. 12-27-2023 07:35 AM
- Posted Re: Add a day counter to a list/table. on Splunk Search. 11-22-2023 03:28 AM
- Posted Re: Add a day counter to a list/table. on Splunk Search. 11-21-2023 11:37 PM
- Posted Add a day counter to a list/table. on Splunk Search. 11-21-2023 03:52 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
04-09-2024
05:35 AM
I have the same issue but these arguments are not set in the code? Same issue as OP is writing about. The table is shown if i select the classic dashboard, but not in studio..
... View more
12-27-2023
07:35 AM
Hello guys I need some help with making a table/dashboard that shows me changes to incidents in our Defender platform. The underlying issue that we see is that Defender sometimes, when an incident is handled by automation, de-escalate the severity of a particular incident. So in my index of incidents i want to track for each specific incident that is handled by automation to show me when the severity field changes. The table should look something link this. IncidentId Description Status Old_Severity New_Severity I don't know whether to use the streamstats or the dedup command. I've been fiddling abit with both but can't seem to get the right output. Anyways, hope you can help me out here. If theres something unclear about my question, let me know so i can clarify.
... View more
Labels
- Labels:
-
fields
11-22-2023
03:28 AM
I got some help from a co-worker which looks to solve my issue, here is the query that he provided me with. All the credit goes to him btw! 😄 | tstats summariesonly=true count from datamodel="Authentication" WHERE Authentication.action="failure" AND Authentication.user="*" AND Authentication.src="*" AND Authentication.user!=*$ by _time span=1d,Authentication.user | `drop_dm_object_name("Authentication")` | sort 0 - _time | eval date=strftime(_time,"%Y-%m-%d %H:%M:%S") | transaction user maxpause=24h mvlist=true | stats max(eventcount) as maxeventcount by user | where maxeventcount>5 | rename maxeventcount as DaysInRow Using the transaction command instead (which i need to study abit to understand) and also works around the issue with the sort command limitation of 10000 events. I will let him know about the approach you're suggesting and see what he thinks about that one.
... View more
11-21-2023
11:37 PM
Thanks for the reply @PickleRick It sounds rather complicated with my minimal knowledge, but i will give it a shot.
... View more
11-21-2023
03:52 AM
Hello I am trying to add some logic/formatting to my list of failed authentications. Heres my search query. | tstats summariesonly=true count from datamodel="Authentication" WHERE Authentication.action="failure" AND Authentication.user="*" AND Authentication.src="*" AND Authentication.user!=*$ by Authentication.user | `drop_dm_object_name("Authentication")` | sort - count | head 10 I want to make it so that it counts how many consecutive days a user has been on this list, is that possible?
... View more
Labels
- Labels:
-
count
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-09-2024
09:38 AM
|
