About secure

secure · ‎04-08-2025

i have a query where im generating a table with columns ostype ,osversion and status i need to exclude anything below version 12 for solaris and suse im using the below command and it works but this is not efficient way | search state="Installed" | search NOT( os_type="solaris" AND os_version <12) | search NOT( os_type="*suse*" AND os_version <12) i was trying to use the below command | search state="Installed" NOT (( os_type="solaris" AND os_version <12) OR ( os_type="*suse*" AND os_version <12)) and its not working any suggestions

secure · ‎04-02-2025

Hi i have a below table i have been trying to represent it in a heat map i can see the percentage value in the blocks but how can i get the severity values => very high,high medium represented in the blocks

secure · ‎03-20-2025

Hi everyone i have a dataset | makeresults | eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1") | fields - _time i want the final output to be like below APP1 hostname1 hostnames2 appdelta syzhost.domain1 syzhost.domain1 appdelta abchost.domain1 abchost.domain1 appdelta egfhost.domain1 any suggestions

secure · ‎03-20-2025

@livehybrid tried your solution its not working i was able to resolve this using | makeresults | eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1") | fields - _time | eval match=max(mvmap(hostname1, if(isnotnull(mvfind(hostname2, hostname1)), 1, hostname1))) | table APP1,hostname1,hostname2,match but now i have a additional issue for some hostnames is "no hosts" in that case also its just giving me 1 hostname | makeresults | eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=("") | fields - _time | eval match=max(mvmap(hostname1, if(isnotnull(mvfind(hostname2, hostname1)), 1, hostname1))) | table APP1,hostname1,hostname2,match which is not right

secure · ‎03-20-2025

This worked for me | makeresults | eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1") | fields - _time | eval match=max(mvmap(hostname1, if(isnotnull(mvfind(hostname2, hostname1)), 1, hostname1))) | table APP1,hostname1,hostname2,match

secure · ‎03-20-2025

@ITWhisperer i tried the query not getting the output | makeresults | eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1") | fields - _time | foreach hostname1 mode=multivalue [| eval diff=if(mvfind(hostnames2,<<ITEM>>)>=0,diff,mvappend(diff,<<ITEM>>))] | table APP1,hostname1,hostname2,diff what i need in the diff column is egfhost.domain1

secure · ‎03-20-2025

i have a list of hostnames being generated from left join for different application in multivalue table column APP1 hostname1 hostnames2 appdelta syzhost.domain1 abchost.domain1 egfhost.domain1 syzhost.domain1 abchost.domain1 what i need is a column with just egfhostdomain1 in a separete column just showing the diff of the list

secure · ‎03-18-2025

Hello Everyone, i have a dataset where I'm generating a column of number of servers per day. using a timechart command for last 2 weeks. earliest="-14d" latest=now() index=*...... | timechart span=1d dc(hostname) as servercount My requirement is to split the data in previous week and latest week and get the maximum count from the previous week and the latest week

secure · ‎03-14-2025

@livehybrid my overall goal was to learn other methods as well, rex was something i was able to figure out earlier

secure · ‎03-13-2025

@livehybrid thanks for the regex is it possible through case with like or match function just trying to explore all the possibilities

secure · ‎03-13-2025

Hi i have a list of servers coming from two different sources list A has server without domain names and list B has servers with and without domain names i was trying to compare the two list and get matching and not matching value problem is bot the list have same server but because of domain name it says not matching i understand if function is probably not the correct choice and when i use case with like it give me error any suggestions on this |makeresults | eval listA="xyz1apac" ,listB="xyz1apac.ent.bhpbilliton.net" | append [| makeresults | eval listA="xyz2" ,listB="xyz2.ent.bhpbilliton.net"] | append [| makeresults | eval listA="xyz3emea" ,listB="xyz3emea"] | append [| makeresults | eval listA="xyz4abc" ,listB="xyz4abc.ent.bhpbilliton.net"] | fields - _time | eval matching=if(listA != listB, "NOT OK", "OK") thanks

secure · ‎02-25-2025

i have a field coming after a calculation like a percentage field the request from user is to display in text format | makeresults | eval value = 36 | eval display = "the total percentage is $value$ %" | fields - value how can i display the total percentage is 36 %

secure · ‎02-19-2025

secure · ‎02-05-2025

Hi, Im trying to use an OR function in the below query trying to combine two indexes and then use stats function like an alternate for join command (index=serverdata sourcetype="server:stats" | rex "app_code=\"(?<application_code>[|w.\"]*)" ) OR (index="hostapp" source=hostDB_Table dataasset="*host_Data*") i have tried to use escape characters but its still not working thanks

secure · ‎02-05-2025

Hi i have a complex base search where iam comparing data from two indexes using left join and getting the results in a table query is working fine but its very slow so i have now decided to split it into two base searches and then combine them in the panel index=serverdata | rex "host_name=\"(?<server_host_name>[^\"]*)" | lookup servers_businessgroup_appcode.csv appcode output Business_Group as New_Business_Group |chart dc(host_name) over appcode by host_environment | eval TOTAL_servers=DEV+PAT+PROD | table appcode DEV PAT PROD TOTAL_servers 2nd Base search index=abc | rex field=data "\|(?<server_name>[^\.|]+)?\|(?<appcode>[^\|]+)?\|" | lookup servers_businessgroup_appcode.csv appcode output Business_Group as New_Business_Group i want to use this in third panel combine both the searches using a left join and get the list of servers details in both the index question how can i use two base searches in a single search

secure · ‎01-29-2025

@bowesmana here is the dropdown ALL value = * in the query so when selected all it comes as server_*_count

secure · ‎01-29-2025

Hi i have a field with name server_*_count. the * is coming from an input dropdown ALL where value is * how can i rename it to server_ALL_count |rename server_*_count as server_ALL_count its giving me an error cannot be renamed because of asterix (wildcard)

secure · ‎01-02-2025

i have a table with values and based on the input checklist selection i want to display the table rows i have a checkbox option enabled in the panel so that users can select the checkbox and accordingly table displays the value greater than 100 between 10 to 100 less than 10 How can i use the conditional operator in the input type as i try to add the value > or < in the input the search doesn't work in the panel

secure · ‎12-19-2024

Hi i have a below query where I'm calculating the total prod server count in first dataset and in second dataset I'm plottting a timechart for the server count. what i want to display is a line chart with total prod server showing as threshold and line and the below line chart as server count index=data sourcetype="server" | rex field=_raw "server=\"(?<EVENT_CODE>[^\"]*)" | search [ | inputlookup prodata_eventcode.csv | fields EVENT_Code ] | stats dc(host_name) as server_prod_count |rename | append [ | search index=appdata source=appdata_value | rex field=value "\|(?<Item>[^\|]+)?\|(?<EVENT_CODE>[^\|]+)|(?<PROD_Count>[^\|]+)?" | dedup DATE,EVENT_CODE | timechart span=1d sum(PROD_Count) as SERVER_COUNT] | table _time,local_PROD_COUNT,snow_prod_count | rename DYNA_PROD_COUNT as SERVER_COUNT,snow_prod_count as Threshold Question is how can i get the threshold value in all the rows so that i can plot threshold vs server count in the line graph Below is the snapshot

secure · ‎12-17-2024

Hi All i have a csv look up with below data Event_Code AUB01 AUB36 BUA12 i want to match it with a dataset which has field name Event_Code with several values i need to extract the count of the event code per day from the matching csv lookup my query index=abc |rex field=data "\|(?<data>[^\.|]+)?\|(?<Event_Code>[^\|]+)?\|" | lookup dataeventcode.csv Event_Code | timechart span=1d dc(Event_Code) however the result is showing all 100 count per day instaed of matching the event code from the CSV and then give the total count per day

Posts	20
Solutions	1
Karma Given	8
Karma Received	0
Member Since	‎12-17-2024

Online Status	Offline
Date Last Visited	‎06-25-2025 05:23 AM

Exclusion using NOT to exclude values

heatmap

reformatting output in table

need difference from multivalue table column

max values from two weeks using timechart

matching hostnames issue

display field value in a statement

compare data in two columns

paranthesis error in search query

multiple base search

Exclusion using NOT to exclude values

heatmap

reformatting output in table

Re: need difference from multivalue table column

Re: need difference from multivalue table column

Re: need difference from multivalue table column

need difference from multivalue table column

max values from two weeks using timechart

Re: matching hostnames issue

Re: matching hostnames issue

matching hostnames issue

display field value in a statement

compare data in two columns

paranthesis error in search query

multiple base search

Re: rename field with *

rename field with *

input type checkbox to use conditonal operators

get the values in each line

data and lookup field problem

Join the Conversation