Splunkers I'm trying to detect when a user fails GT 5 times in time range of one hour for last 24h, and i have the splq below, but i would like to have an opinion from community if any other option is to use splq logic to do the same? SPLQ Used index=VPN_Something | bin _time span=24h | stats list(status) as Attempts, count(eval(match(status,"failure"))) as Failed, count(eval(match(status,"success"))) as Success by _time user | eval "Time Range"= strftime(_time,"%Y-%m-%d %H:%M") | eval "Time Range"= 'Time Range'.strftime(_time+3600,"- %H:%M") | where Failed > 5   ... View more

Splunkers i thought i had an search to detect and alert when a sourcetype don't sent logs, but i found out that i may have wrong algorithm | metadata type=sourcetypes | search sourcetype=something* | eval "LastSeen"=now()-recentTime | rename lastTime as "LastEvent" | fieldformat "LastEvent"=strftime(LastEvent, "%c") | eval DaysBehind=round((LastSeen/86400)) | table sourcetype LastEvent LastSeen recentTime DaysBehind ... View more

im trying to capture address, city and state that are in one line but they have ", : and , i would like to excluede (Quotes Coma and Colon) see test example below 12345 noth test Avenue","city":"test","state":"test", ... View more

I have an SPLQ that im trying to collect all domains from a raw logs, but my regex is capturing only one domain. in a single event, some events have one url some of them have 20 and more, how do i capture all domains, please advice? SPLQ .............. | rex field=_raw "(?<domain>\w+\.\w+)\/" | rex field=MessageURLs "\b(?<domain2>(?:http?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?" | fillnull value=n/a | stats count by domain domain2 MessageURLs _raw ... View more

I'm using cmd |iplocation src, and the results produce results for the City. Next i want to compare each City and report when results is different. Example when result for a City is Miami and next hour or so  in the same field for the City is Boston. ... View more