Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About m92
m92
Loves-to-Learn Lots
Member since:
05-06-2024
05-16-2024
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 05-06-2024 |
Activity Feed
- Posted Re: scheduled task on Reporting. 05-10-2024 02:05 AM
- Posted scheduled task on Reporting. 05-10-2024 01:48 AM
- Posted Re: Correlation Help Log on Getting Data In. 05-07-2024 06:45 AM
- Posted Re: Correlation Help Log on Getting Data In. 05-07-2024 04:53 AM
- Posted Re: Correlation Help Log on Getting Data In. 05-06-2024 06:00 AM
- Posted Re: Correlation Help Log on Getting Data In. 05-06-2024 04:48 AM
- Posted Correlation Help Log on Getting Data In. 05-06-2024 03:15 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
05-10-2024
02:05 AM
I want a scheduled task to run the query and save it twice a day, every day.
... View more
05-10-2024
01:48 AM
Hello Splunkers, I'd like to schedule a query twice a day. For example, one at 12:00 PM and the other at 7:00 PM, and then receive a report of each query. This would save me from having to run the query each time manually. Is it possible, and if so, how can I do it? The query in question is: (index="index1" Users=* IP=*) OR (index="index2" tag=1) | where NOT match(Users, "^AAA-[0-9]{5}\$") | where NOT match(Users, "^AAA[A-Z0-9]{10}\$") | eval ip=coalesce(IP, srcip) | stats dc(index) AS index_count values(Users) AS Users values(destip) AS destip values(service) AS service earliest(_time) AS earliest latest(_time) AS latest BY ip | where index_count>1 | eval earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), latest=strftime(latest,"%Y-%m-%d %H:%M:%S") | table Users, ip, dest_ip, service, earliest, latest Thanks in advance!
... View more
Labels
- Labels:
-
scheduled search
05-07-2024
06:45 AM
I tried the command you gave me, but nothing is displayed when adding _time in the BY. Additionally, I added other data, but I would like to display one user per line rather than grouping multiple users together because they share the same IP address. For instance, on a certain IP address, multiple services were used, but I don't know which service was used. So, if we display one user per line, I think it will be unnecessary to use earliest and latest and just display the correct _time, right?
(index="index1" Users =* IP=*) OR (index="index2" tag=1 )
| where NOT match(Users, "^AAA-[0-9]{5}\$")
| eval IP=if(match(IP, "^::ffff:"), replace(IP, "^::ffff:(\d+\.\d+\.\d+\.\d+)$", "\1"), IP)
| eval ip=coalesce(IP,srcip)
| stats
dc(index) AS index_count
values(Users) AS Users
values(destip) AS destip
values(service) AS service
earliest(_time) AS earliest
latest(_time) AS latest
BY ip
| where index_count>1
| eval
earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| table Users, ip, dest_ip, service, earliest, latest
... View more
05-06-2024
06:00 AM
It only displays users with their IP addresses, but the problem is that I still have a lot more lines than with this command:
index="index2" tag=1 | table srcip, _time
(8000 lines versus 1000) So, I think either it's not filtering enough or it's adding users who aren't supposed to be there. How can I handle this?
... View more
05-06-2024
04:48 AM
I have results, but the problem is that it displays users who don't have an IP address (so it shows users from index1 even if no match was found in index2). What I would like is for it to fetch and display only users if the IP addresses match correctly at the right time. Furthermore, I always have more lines (3000 versus 1000).
... View more
05-06-2024
03:15 AM
Hello Splunkers, I'm new to Splunk and I'm stuck; I'm getting more data than I'm supposed to. Users are showing up when they shouldn't, and vice versa. The purpose of the query is to determine which users are accessing the bastion with the tag=1 from the "index2" index. However, there's no information on the users. That's why I'm fetching user data from the "index1" index by performing a join on the IP address. The ultimate goal is to display the results in the following format: Users - IP - _time. It's important to note that IP addresses are dynamic.
When I run this command, it returns 1000 lines: `index="index2" tag=1 | table srcip, _time`
However, when I run this command, I get a lot more (11000), even though I'm supposed to have the same number since I'm just fetching users from the other index, but I'm not supposed to have any additional lines:
index="index1" | search Users =* AND IP=*
| fields Users, IP, _time
| where NOT match(Users, "^AAA-[0-9]{5}\$")
| eval IP=if(match(IP, "^::ffff:"), replace(IP, "^::ffff:(\d+\.\d+\.\d+\.\d+)$", "\1"), IP)
| eval ip=IP
| table Users, ip, _time
| join type=inner ip
[ search index="index2" tag=1 | fields srcip, _time | eval ip=srcip | table ip, _time]
| table Users, ip, _time
Does anyone have a solution?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-16-2024
11:44 AM
|
