12-30-2024 07:47 AM
Splunkers, I'm trying to detect when a user fails more than 5 times within a one-hour time range over the last 24h. I have the SPLQ below, but I would like an opinion from the community on whether there is another way to use SPLQ logic to do the same.
SPLQ Used
index=VPN_Something
| bin _time span=1h
| stats list(status) as Attempts, count(eval(match(status,"failure"))) as Failed, count(eval(match(status,"success"))) as Success by _time user
| eval "Time Range"= strftime(_time,"%Y-%m-%d %H:%M")
| eval "Time Range"= 'Time Range'.strftime(_time+3600,"- %H:%M")
| where Failed > 5
Labels: stats
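The detection the post describes (more than 5 failures per user within a one-hour bin) carried out in Python, as an added example that is not part of the post and not Splunk code; it assumes a constructed event format of `timestamp user=... status=...`. Calling the same function with `span_seconds=86400` shows how a 24h bin changes which users cross the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample VPN events (assumed format, not from the post):
# "<ISO-8601 UTC timestamp> user=<name> status=<success|failure>"
SAMPLE_EVENTS = """\
2024-12-30T08:02:11Z user=alice status=failure
2024-12-30T08:05:40Z user=alice status=failure
2024-12-30T08:09:03Z user=alice status=failure
2024-12-30T08:12:27Z user=alice status=failure
2024-12-30T08:15:51Z user=alice status=failure
2024-12-30T08:19:14Z user=alice status=failure
2024-12-30T08:22:38Z user=alice status=success
2024-12-30T08:30:00Z user=bob status=failure
2024-12-30T08:45:00Z user=bob status=failure
2024-12-30T08:55:00Z user=bob status=failure
2024-12-30T09:10:00Z user=bob status=failure
2024-12-30T09:20:00Z user=bob status=failure
2024-12-30T09:30:00Z user=bob status=failure
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) status=(?P<status>\S+)$")

def detect_failed_logins(raw, span_seconds=3600, threshold=5):
    """Mirror the SPL: bin _time by span, count failure/success per user
    and bucket, keep rows with Failed > threshold (Attempts list omitted)."""
    buckets = defaultdict(lambda: {"Failed": 0, "Success": 0})
    for line in raw.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of guessing
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())
        bucket = epoch - epoch % span_seconds  # same as | bin _time span=...
        rec = buckets[(bucket, m["user"])]
        if m["status"] == "failure":
            rec["Failed"] += 1
        elif m["status"] == "success":
            rec["Success"] += 1
    rows = []
    for (bucket, user), rec in sorted(buckets.items()):
        if rec["Failed"] > threshold:  # | where Failed > 5
            start = datetime.fromtimestamp(bucket, timezone.utc)
            end = datetime.fromtimestamp(bucket + span_seconds, timezone.utc)
            rows.append({"Time Range": f"{start:%Y-%m-%d %H:%M}- {end:%H:%M}",
                         "user": user, "Failed": rec["Failed"],
                         "Success": rec["Success"]})
    return rows
```

With hourly bins only alice (6 failures in the 08:00 hour) is reported; bob's 6 failures are split 3/3 across two hours and only appear when the bin is widened to 24h.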
12-26-2024 12:05 PM
@marnall thanks for the suggestion, it worked!
| metadata type=sourcetypes
| search sourcetype=something*
| eval "LastSeen"=now()-lastTime
| rename lastTime as "LastEvent"
| fieldformat "LastEvent"=strftime(LastEvent, "%c")
| eval DaysBehind=round((LastSeen/86400))
| table sourcetype LastEvent DaysBehind
12-26-2024 12:00 PM
Yeah, good point, let me try something around your suggestion. I'm not a Splunk admin so I don't know much about audit/admin techniques; any suggestion and advice is highly respected and appreciated in advance!
12-26-2024 10:14 AM
Splunkers, I thought I had a search to detect and alert when a sourcetype doesn't send logs, but I found out that I may have the wrong algorithm:
| metadata type=sourcetypes
| search sourcetype=something*
| eval "LastSeen"=now()-recentTime
| rename lastTime as "LastEvent"
| fieldformat "LastEvent"=strftime(LastEvent, "%c")
| eval DaysBehind=round((LastSeen/86400))
| table sourcetype LastEvent LastSeen recentTime DaysBehind
Labels: indexing performance
12-06-2024 08:10 AM
Example from the raw logs:
"address":"1234 Nothing 2C Avenue","city":"something","state":"RD"
I would like to have a field named Address containing: Address 1234 Nothing 2C Avenue City something state RD, all of that in one field, so ignore the " , and :
What I have:
index=something | rex field=_raw "address\"\:\"(?<address>.*?)\"\,\"
which shows the field name address with the value: 1234 Nothing 2C Avenue","city":"something","state":"RD"
12-06-2024 07:47 AM
All in a single field so I can use it later for dc (distinct count).
12-06-2024 07:46 AM
Correct, it comes in JSON and I don't have control over it, but what I'm trying to have is address, city and state all in the one field, ignoring the commas, quotes and :
12-06-2024 07:38 AM
Thanks, but I think I wasn't clear: what I'm trying to do is have all of that in one field called (?<address>), not separated into city and state.
12-06-2024 05:53 AM
I'm trying to capture address, city and state, which are on one line but contain ", : and , which I would like to exclude (quotes, commas and colons). See the test example below:
12345 noth test Avenue","city":"test","state":"test",
Labels: regex
11-08-2024 07:07 AM
It's a good idea, but in my case I don't know which domains will be in _raw, so I can't predict the list. Some events have one domain and it is captured, but the next event has 5, the next will have 12, and each event has different domains in the raw.
11-08-2024 05:49 AM
I have an SPLQ with which I'm trying to collect all domains from raw logs, but my regex captures only one domain in a single event; some events have one URL, some have 20 or more. How do I capture all domains? Please advise.
SPLQ
..............
| rex field=_raw "(?<domain>\w+\.\w+)\/"
| rex field=MessageURLs "\b(?<domain2>(?:http?://|www\.)(?:[0-9a-z-]+\.)+[a-z]{2,63})/?"
| fillnull value=n/a
| stats count by domain domain2 MessageURLs _raw
Tags: regex
Labels: using Enterprise Security
10-23-2024 05:14 AM
I'm using the command |iplocation src, and the results produce a City. Next I want to compare each City and report when the result is different, for example when the result for City is Miami and an hour or so later the City in the same field is Boston.
Tags: match