Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About ajmach343
ajmach343
Explorer
Member since:
10-10-2024
2 weeks ago
Community Statistics
| Posts | 11 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 10-10-2024 |
Activity Feed
- Got Karma for Re: How to build searches based on Incident Review. 2 weeks ago
- Posted Re: How to build searches based on Incident Review on Splunk Search. 2 weeks ago
- Posted How to build searches based on Incident Review on Splunk Search. 2 weeks ago
- Karma Re: How to use "case" command with count? for livehybrid. 04-29-2025 05:45 AM
- Posted Re: How to use "case" command with count? on Splunk Search. 04-29-2025 05:22 AM
- Posted How to use "case" command with count? on Splunk Search. 04-29-2025 04:42 AM
- Posted Re: How to use IF and ROUND together on Splunk Search. 03-04-2025 10:07 AM
- Karma Re: How to use IF and ROUND together for ITWhisperer. 03-04-2025 10:07 AM
- Posted How to use IF and ROUND together on Splunk Search. 03-04-2025 09:54 AM
- Posted Re: Help on Correlation search scheduling on Security. 11-25-2024 10:30 AM
- Posted Help on Correlation search scheduling on Security. 11-25-2024 10:04 AM
- Tagged Help on Correlation search scheduling on Security. 11-25-2024 10:04 AM
- Posted Re: how to search for admins who make changes to their own accounts? on Splunk Search. 11-05-2024 07:37 AM
- Posted Re: how to search for admins who make changes to their own accounts? on Splunk Search. 11-05-2024 07:32 AM
- Posted how to search for admins who make changes to their own accounts? on Splunk Search. 11-05-2024 07:19 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
2 weeks ago
1 Karma
ending up using `notable` to get the proper results i was looking for. thank you though
... View more
2 weeks ago
Hello! SOC analyst here. I am looking to build a dashboard that gives data and statistics when an alert in Incident review is given a specific disposition such as "non compliant activity". I started out with | inputlookup incident_review_lookup | eval view_key=_key | eval Time=strftime(time, "%Y-%m-%d @ %H:%M" | fields Time, rule_name, status, owner, urgency, comment, user, disposition Unfortunately this search pulls the entire lookup going back 3 years even though the search says 7 days. i tried adding "| where _time> relative_time(now(),""$global_time.earliest$" and got 0 results Am I even in the right ball park for what I want to acomplish? Thank you! Adam
... View more
04-29-2025
05:22 AM
Thanks for that bit! this is the rest of what I have come up with: index=index sourcetype=sourcetype log_type=type host=host | stats count | eval Logs=case(count>0, "Green", count=0, "Red") | eval pulse="pulse" | fillnull logs | fillnull value=green Logs | table Logs pulse This will be in a "studio dashboard" |
... View more
04-29-2025
04:42 AM
I am looking to make a "pulse" dashboard for a host on my network, it will pulse green up when up and red when down. so far I have: index=index sourcetype=sourcetype log_type=type hostname=host | eval logs=case(count>0, "1", count=0, "2") | eval Status=case(Logs=1, "Green", Logs=2, "Red") I believe there is an error in the case line with the count. I have to be missing something. any insight would be helpful!
... View more
03-04-2025
09:54 AM
Hello, I am trying to write a search query for responding byte sizes that is a catch all. Currently I have: index=index 8.8.8.8 | stats sum(resp_bytes) as resp_bytes | eval resp_bytes=if(resp_bytes=0, "0B",if(resp_bytes<1000000,resp_bytes/1024 . "KB",if(resp_bytes>1000000,resp_bytes/1024/1024 . "MB", null))) I have tested this and it works, but now i am trying to add in a "round" to the 2nd decimal spot. and Im not sure where it would go.
... View more
11-25-2024
10:30 AM
I have about 800 searches. some that run take more than a minute. so in the messages it states: status: skipped, reason: "The maximum number of concurrent auto-summarization searches on this instance has been reached. " no warnings or errors. all messages have "INFO" right after date/time cpu usage is at about 12% and memory usage is at 28%
... View more
11-25-2024
10:04 AM
Hello, I am currently building correlation searches in ES and I am running into a "searches delayed" issue. some of my searches run every hour, most are every 2 hours, and some every 3, 12 hours. My time range looks like: Earliest Time: -2h Latest Time: now cron schedule: 1 */2 * * * for each new search I add +1 to the minute tab of the cron schedule up to 59 and then start over. so on the next search the schedule would be 2 */2 * * * and so on... is there a more efficient way I should be scheduling searches? Thank you.
... View more
- Tags:
- time
11-05-2024
07:37 AM
was able to figure it out!
needed to just use an IF statement.
| eval testuser=if(admin=target,1,0)
| where testuser=1
... View more
11-05-2024
07:32 AM
apologies, this will be for windows event logs and Ivanti logs.
... View more
11-05-2024
07:19 AM
I am trying to make a search that will fire only when an admin makes a change to their own account. I want to know if a-johndoe gives multiple permissions to a-johndoe and NOT if a-johndoe gives permissions to a-janedoe. would i use an IF statement for this? Thank you
... View more
Labels
- Labels:
-
fields
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
