Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About yemyslf
yemyslf
Path Finder
Member since:
05-17-2017
02-22-2025
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 1 |
| Member Since | 05-17-2017 |
Activity Feed
- Karma Re: Limit search results to items from lookup table for somesoni2. 06-05-2020 12:50 AM
- Karma Re: How to generate a search that will correlate multiple IP addresses that hit the same URL? for gokadroid. 06-05-2020 12:48 AM
- Karma Re: How to generate a search that will correlate multiple IP addresses that hit the same URL? for gokadroid. 06-05-2020 12:48 AM
- Karma Re: How to generate a search that will correlate multiple IP addresses that hit the same URL? for DavidScavotto. 06-05-2020 12:48 AM
- Karma Re: How to throttle an alert using more than one field? for DalJeanis. 06-05-2020 12:48 AM
- Got Karma for Re: How to throttle an alert using more than one field?. 06-05-2020 12:48 AM
- Karma Re: can't get alert results to show in alert e-mail messages for rapmancz. 06-05-2020 12:47 AM
- Posted Re: Limit search results to items from lookup table on Splunk Search. 08-14-2019 01:03 PM
- Posted Re: Limit search results to items from lookup table on Splunk Search. 08-14-2019 12:52 PM
- Posted Re: Limit search results to items from lookup table on Splunk Search. 08-14-2019 12:39 PM
- Posted Limit search results to items from lookup table on Splunk Search. 08-14-2019 08:40 AM
- Tagged Limit search results to items from lookup table on Splunk Search. 08-14-2019 08:40 AM
- Tagged Limit search results to items from lookup table on Splunk Search. 08-14-2019 08:40 AM
- Posted In Splunk Enterprise Security, how do you Include empty results in a tstats search? on Splunk Enterprise Security. 04-02-2019 03:58 PM
- Tagged In Splunk Enterprise Security, how do you Include empty results in a tstats search? on Splunk Enterprise Security. 04-02-2019 03:58 PM
- Tagged In Splunk Enterprise Security, how do you Include empty results in a tstats search? on Splunk Enterprise Security. 04-02-2019 03:58 PM
- Posted Re: How do you exclude an item from a lookup table and an additional condition? on Splunk Search. 03-01-2019 05:37 AM
- Posted How do you exclude an item from a lookup table and an additional condition? on Splunk Search. 02-28-2019 02:32 PM
- Tagged How do you exclude an item from a lookup table and an additional condition? on Splunk Search. 02-28-2019 02:32 PM
- Tagged How do you exclude an item from a lookup table and an additional condition? on Splunk Search. 02-28-2019 02:32 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-14-2019
01:03 PM
Thanks for responding. I updated my question to make it more clear. Changing to isnotnull() did not achieve the end result I was looking for. The results still contained items not found in my lookup table.
... View more
08-14-2019
12:52 PM
That's works perfectly. Thanks for the help!
... View more
08-14-2019
12:39 PM
Thanks for the response. I updated my question to make it more clear. Your answer returns results that were not found in my lookup table. In the end, I only want to see the results that contain IP addresses from my lookup table. All others should be excluded.
... View more
08-14-2019
08:40 AM
I have a lookup table which includes a list of IP addresses (field name = ip). I am trying to compose a search which will display only items from my lookup table with a status indicating whether they were found in the index or not.
For example if my lookup table contains 192.168.1.100, 192.168.1.101 and then the index has events with 192.168.1.100 and 192.168.1.102, my results should be something like this:
192.168.1.100 - ipExists
192.168.1.101 - ipNotExists
Note that values 192.168.102 was not listed since it was not found in the lookup table.
I can get the matching results easy enough but I'm not sure how to get the results that don't match without it including all items in the index, even if they are not found in my lookup table.
This is what I have so far which shows matches, but the non matches include items not in the lookup table. In the end, I just want to have an output containing all the IPs listed in my lookup table with a status indicating that they were found/not found.
eventtype=myindex
| lookup mylookup local=true ip OUTPUT ip as matched
| eval matched=if(isnull(matched), "ipExists", "ipNotExists")
... View more
04-02-2019
03:58 PM
I am using tstats to search for some IP addresses. I'm trying to return the count of those IP addresses, which is easy enough. I'd also like to have the IP listed in my search results even if no items were found.
Here is an example of my search using fillnull , but it's only showing the IPs that are found.
Any suggestions on how to accomplish this?
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Web where sourcetype=mysource AND (Web.src = 192.168.1.2 OR Web.src= 192.168.2.3 OR 192.168.3.4) by Web.src
| fillnull value="0"
| rename "Web.*" as *
... View more
03-01-2019
05:37 AM
Thanks for the response. I'm actually trying to exclude events where the device_id is in my lookup table. So doing | search ignore="*" retrieves events that I want to exclude. Because "ignore" isn't a field on the other events, I can't do ignore !="*" . I was using isnull(ignore) because that returns events where there is no ignore field.
... View more
02-28-2019
02:32 PM
I have a lookup table that I'm using to exclude some devices from search results.
index = my_index
| lookup my_table local=true device_id OUTPUT device_id as ignore
| where isnull(ignore)
This works great, but I need to add an additional condition to only exclude devices if they are in the lookup table and the value of the field "code" = 0001. So an event shouldn't be excluded even if it is in the lookup table unless code=0001 and events with code=0001 should be included if they are not in the lookup table.
I've tried the following but this also removes all items where
code=0001
index = my_index
| lookup my_table local=true device_id OUTPUT device_id as ignore
| where (isnull(ignore) AND code!=0001)
I assume this is a dumb mistake in my logic but can't figure out what I'm doing wrong?
... View more
11-19-2018
09:26 AM
I worked out my issue. The request to the API needed the latest_time and earliest_time values and I was providing an absolute time. I needed to use the time_format in my request to indicate the format I was using for my absolute time.
... View more
11-16-2018
12:04 PM
I'm trying to automate a search using the REST API to provide a list of events that occur x seconds before and after a specific event. Similar to the nearby events functionality but I won't be using the same search criteria.
Here's what I'm shooting for. I've got the first two steps down but I'm not sure how handle the time window. Any suggestions?
Search using REST API for specific event_id
Extract username and time from event
Use extracted fields to perform search for events for specified user occurring x seconds before and after extracted time
... View more
Thanks, I was aware of that field but for some reason, I thought separating the different fields with a comma would sever as an OR instead of AND.
So I ended up just entering user,url in the "Suppress results containing field value" box. This supressed events where the User AND URL were the same.
... View more
06-18-2017
02:53 PM
Thanks for the response. Sorry for not responding sooner as I've been tied up with other projects. I'll give this a shot and report back.
So I take it combining the fields as I had done using the eval statement and using that field as the throttle is not possible?
... View more
06-14-2017
02:36 PM
I am trying to setup a throttle on an alert for multiple fields. In the example below, I only want to throttle alerts that contain the same user and url so I should get an alert for all the events except Event 3. I know I could enter url or user in the "Suppress results containing field value" field but then it would suppress other events for that user or url when I only one to suppress the combination of the two. I found another answer where the answer was to use | eval throttle= user.url in the search and then set "throttle" as the alert suppression field. I do see the throttle as a field which has the combined fields, but it's the alert is responding like its not a valid field as I only get one alert until the throttle threshold is met.
Any ideas?
Event 1
user=Mickey@disney.com
url=www.disney.com
Event 2
user=Mickey@disney.com
url=www.starwars.com
Event 3
user=Mickey@disney.com
url=www.disney.com
Event 4
user=Donald@disney.com
url=www.starwars.com
... View more
