Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About hawkeyesc72
hawkeyesc72
Engager
Member since:
09-24-2025
05-07-2026
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 09-24-2025 |
Activity Feed
- Posted Re: Trouble tabling email details on Splunk Search. 05-07-2026 04:49 AM
- Posted Re: Cluster map dot clicks not returning correct info on Dashboards & Visualizations. 05-06-2026 01:28 PM
- Posted Re: Trouble tabling email details on Splunk Search. 05-06-2026 01:27 PM
- Posted Re: Trouble tabling email details on Splunk Search. 05-06-2026 01:26 PM
- Posted Re: Trouble tabling email details on Splunk Search. 05-06-2026 01:24 PM
- Posted Trouble tabling email details on Splunk Search. 05-06-2026 01:22 PM
- Posted Cluster map dot clicks not returning correct info on Dashboards & Visualizations. 04-22-2026 05:06 AM
- Posted Re: query using file with list of names on Splunk Search. 09-24-2025 12:28 PM
- Posted Re: query using file with list of names on Splunk Search. 09-24-2025 08:34 AM
- Posted query using file with list of names on Splunk Search. 09-24-2025 07:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
05-07-2026
04:49 AM
The data seems to be visible in the events. I can see the fields in the Selected Fields section as well as within the events themselves. So the data is there, I'm just not sure why I can see it but not table it with the other information I want to table.
... View more
05-06-2026
01:28 PM
Resolved.
... View more
05-06-2026
01:27 PM
Adding P1Sender to search statement blocks everything and nothing gets returned.
... View more
05-06-2026
01:26 PM
Recipient count, recipient names and subject all work as well. But trying to add in P1Sender, nothing happens.
... View more
05-06-2026
01:24 PM
P1Sender by itself works. I blocked out most of the information for privacy reasons.
... View more
05-06-2026
01:22 PM
I want to build a small dashboard that offers a quick view into emails a user has recently received. If I use this, I can get the sender address tabled properly: (1). index=office365 | table P1Sender | search P1Sender=* If I use this, I can get recipient count, recipient names and subject tabled properly: (2). index=office365 | table Item.RecipientsCount, Item.Recipients{}.Name, Item.Subject | search Item.Recipients{}.Name=*, Item.Subject=* My problem is I cannot get them tabled together in the same results view. If I try and add P1Sender to the (2) SPL table, I get an empty column. If I add P1Sender=* to the (2) search statement I get 0 results in every column. Any advice? Screenshots of SPL and results in replies.
... View more
Labels
- Labels:
-
table
04-22-2026
05:06 AM
Hi all, I'm hoping someone can help me with this. I've been working on it for a few weeks and can't figure it out. Thank you in advance for any assistance you may be willing/able to offer. OK, here's the situation: I've got a 2 panel dashboard: statistics table on left and cluster map on right. The table side seems to be working great. The map is populating, but when I click on a dot to open a new tab and get more details I keep running into a "phantom IP'-type of issue. Dashboard XML: <form version="1.1" theme="light"> <label>Impossible Travel (ALL USERS)</label> <fieldset submitButton="true" autoRun="true"> <input type="time" token="time_tok" searchWhenChanged="false"> <label>Time Range</label> <default> <earliest>-96h@h</earliest> <latest>now</latest> </default> </input> <input type="text" token="user_search_tok" searchWhenChanged="false"> <label>Search User (Email or First Last)</label> <default>*</default> </input> </fieldset> <row> <panel> <table> <search> <query>index=okta outcome.result IN ("SUCCESS", "ALLOW") NOT (client.ipAddress="34.192.0.0/12" OR client.ipAddress="34.194.*") NOT (*Guest* OR *Bontemps* OR "Okta System*" OR "Okta Dashboard*" OR "Okta Browser Plugin" OR "Pharos Beacon" OR "EchoVideo" OR "Omnigo Identity Server" OR "Drata" OR "Okta Administration" OR "Active Directory Agent") | iplocation client.ipAddress | eval City = if(cidrmatch("149.150.0.0/16", client.ipAddress), "SHU Campus", City) | sort 0 actor.alternateId _time | streamstats window=2 current=f last(lat) as prev_lat last(lon) as prev_lon last(City) as prev_city last(Country) as prev_country last(Region) as prev_state last(_time) as prev_time by actor.alternateId | where isnotnull(prev_city) AND City != prev_city | eval duration = _time - prev_time | eval h = floor(duration/3600) | eval m = floor((duration%3600)/60) | eval Time_Between = case(h > 0, h."hr ".m."min", m > 0, m."min", 1=1, "0min") | where duration <= 7200 | eval user_name = coalesce('actor.displayName', display_name, "Unknown") | eval lat1 = lat*pi()/180, lon1 = lon*pi()/180, lat2 = prev_lat*pi()/180, lon2 = prev_lon*pi()/180 | eval dlat = lat2 - lat1, dlon = lon2 - lon1 | eval a = pow(sin(dlat/2),2) + cos(lat1) * cos(lat2) * pow(sin(dlon/2),2) | eval c = 2 * atan2(sqrt(a), sqrt(1-a)) | eval distance_miles = round(3958.8 * c, 2) | eval City = mvappend(prev_city, City) | eval State = if(prev_state == Region, Region, mvappend(prev_state, Region)) | eval Country = if(prev_country == Country, Country, mvappend(prev_country, Country)) | fieldformat _time = strftime(_time, "%d %b %Y %l:%M%p") | sort - _time | table _time, user_name, actor.alternateId, City, State, Country, distance_miles, Time_Between | rename user_name as "User", actor.alternateId as "Email", distance_miles as "Mileage", Time_Between as "Time Between Entries"</query> <earliest>$time_tok.earliest$</earliest> <latest>$time_tok.latest$</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> <format type="color" field="Country"> <colorPalette type="expression">if(value != "United States" AND isnotnull(value) AND value != "" AND value != "Internal/NJ" AND value != "SHU Campus", "#27F2F5", "")</colorPalette> </format> <format type="color" field="Mileage"> <colorPalette type="expression">case(value > 1000, "#FFFF00")</colorPalette> </format> </table> </panel> <panel> <title>Impossible Travel Map</title> <map> <search> <query>index=okta outcome.result IN ("SUCCESS", "ALLOW") NOT (client.ipAddress="34.192.0.0/12" OR client.ipAddress="34.194.*") NOT (*Guest* OR *Bontemps* OR "Okta System*" OR "Okta Dashboard*" OR "Okta Browser Plugin" OR "Pharos Beacon" OR "EchoVideo") | iplocation client.ipAddress | eval City = if(cidrmatch("149.150.0.0/16", client.ipAddress), "SHU Campus", City) | sort 0 actor.alternateId _time | streamstats window=2 current=f last(City) as prev_city last(_time) as prev_time by actor.alternateId | where isnotnull(prev_city) AND City != prev_city | eval duration = _time - prev_time | where duration <= 7200 | geostats latfield=lat longfield=lon globallimit=0 maxzoomlevel=18 count by client.ipAddress</query> <earliest>$time_tok.earliest$</earliest> <latest>$time_tok.latest$</latest> </search> <option name="height">600</option> <option name="mapping.seriesColors">[0x00FF00, 0xFFFF00, 0xFF00FF, 0x00FFFF, 0xFFFFFF, 0xFF9900]</option> <option name="mapping.type">marker</option> <option name="refresh.display">progressbar</option> <drilldown> <link target="_blank"> <![CDATA[/app/search/search?q=search index=okta | iplocation client.ipAddress | where (lat > ($click.lat$ - 0.1) AND lat < ($click.lat$ + 0.1)) AND (lon > ($click.lon$ - 0.1) AND lon < ($click.lon$ + 0.1)) | eval City = if(cidrmatch("149.150.0.0/16", client.ipAddress), "SHU Campus", City) | table _time, actor.alternateId, City, client.ipAddress, outcome.result&earliest=$time_tok.earliest$&latest=$time_tok.latest$]]> </link> </drilldown> </map> </panel> </row> </form> Dot click SPL returned in new tab: The SPL returned varies a bit. The overall general format is index=okta | iplocation client.ipAddress | search City="*104.28.56.1*" OR client.ipAddress="*104.28.56.1*" | eval City = if(cidrmatch("149.150.0.0/16", client.ipAddress), "SHU Campus", City) | table _time, actor.alternateId, City, client.ipAddress, outcome.result However, the IP address in City="IP" OR client.ipAddress = "IP" varies depending on the search timeframe. I get different IPs returned for 4, 8, 12 and 24 hour searches. What I'm trying to get to is when I click the dot a new tab opens and I see details about the user, IP address and location coming from and (if possible) IP address and location going to in that dot region. I feel like everything is good except for the dot click details that get returned.
... View more
Labels
- Labels:
-
Classic dashboard
09-24-2025
12:28 PM
Took a little tweaking but I finally got it to run. This will save us a ton of time in the long run. Thank you both for the suggestions!
... View more
09-24-2025
08:34 AM
Thank you! I will definitely start checking these out! I appreciate the assist!
... View more
09-24-2025
07:48 AM
I've got a list of over 100 account names and I'd like to search Splunk to find out the most recent activity (if any) the account performed. Is it possible to create a search query that points Splunk to the file, it grabs the account names from the file, then performs some configured search and returns the results I need in a table? I'd prefer not having to go through each account name one by one. Thank you in advance for any help you can provide.
... View more
Labels
- Labels:
-
other
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-07-2026
04:44 AM
|
