Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About aba83
aba83
Explorer
Member since:
05-18-2017
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 05-18-2017 |
Activity Feed
- Karma Re: How to remove a prefix on a field during search? for kmorris_splunk. 06-05-2020 12:48 AM
- Karma Re: Do I need to use the join command to combine three searches (including one search with the transaction command)? for lguinn2. 06-05-2020 12:48 AM
- Posted Re: Cluster map not showing all countries on All Apps and Add-ons. 06-08-2017 02:27 PM
- Posted Cluster map not showing all countries on All Apps and Add-ons. 06-07-2017 03:42 PM
- Tagged Cluster map not showing all countries on All Apps and Add-ons. 06-07-2017 03:42 PM
- Tagged Cluster map not showing all countries on All Apps and Add-ons. 06-07-2017 03:42 PM
- Tagged Cluster map not showing all countries on All Apps and Add-ons. 06-07-2017 03:42 PM
- Posted Re: Do I need to use the join command to combine three searches (including one search with the transaction command)? on Splunk Search. 05-22-2017 01:17 PM
- Posted Re: Do I need to use the join command to combine three searches (including one search with the transaction command)? on Splunk Search. 05-22-2017 01:08 PM
- Posted Re: Do I need to use the join command to combine three searches (including one search with the transaction command)? on Splunk Search. 05-19-2017 04:58 PM
- Posted Do I need to use the join command to combine three searches (including one search with the transaction command)? on Splunk Search. 05-19-2017 03:39 PM
- Tagged Do I need to use the join command to combine three searches (including one search with the transaction command)? on Splunk Search. 05-19-2017 03:39 PM
- Tagged Do I need to use the join command to combine three searches (including one search with the transaction command)? on Splunk Search. 05-19-2017 03:39 PM
- Tagged Do I need to use the join command to combine three searches (including one search with the transaction command)? on Splunk Search. 05-19-2017 03:39 PM
- Tagged Do I need to use the join command to combine three searches (including one search with the transaction command)? on Splunk Search. 05-19-2017 03:39 PM
- Posted Re: How to remove a prefix on a field during search? on Splunk Search. 05-19-2017 12:47 PM
- Posted Re: How to remove a prefix on a field during search? on Splunk Search. 05-19-2017 12:16 PM
- Posted How to remove a prefix on a field during search? on Splunk Search. 05-18-2017 04:02 PM
- Tagged How to remove a prefix on a field during search? on Splunk Search. 05-18-2017 04:02 PM
- Tagged How to remove a prefix on a field during search? on Splunk Search. 05-18-2017 04:02 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
06-07-2017
03:42 PM
Hi all,
I'm trying to create a cluster map out of this search string. It looks at distinct user logins from each country. When I run this string, I get a return of about 15 different countries that all have a different count.
(index=mensa_exchange-prod sourcetype=iis cs_uri_stem="/owa/auth.owa" NOT LogoffReason=* OriginalIP=*)
OR (index=mensa_radius-prod acct_status_type=1 acct_delay_time=0 vendor=Reserved NOT Wireless) OR (index=mensa_exchange-prod cs_User_Agent="Microsoft+Office*" sc_status=200 cs_username=*)
| append [ search index=mensa_radius-prod vendor=Microsoft NOT Wireless
| transaction user, Client_Friendly_Name maxspan=1 startswith=acct_session_id=* endswith=action=success ]
| eval clientIP=if(index="mensa_exchange-prod",OriginalIP,tunnel_client_endpoint)
| rename cs_username AS User
| iplocation clientIP
| search Country=*
| rex field=user "\w{3}\\\(?<user>\S+)"
| eval User=lower(user)
| stats dc(User) by Country
When I change the "stats" command to "geostats" it only shows logins from the US for some reason. What am I missing? Thanks in advance.
... View more
05-22-2017
01:17 PM
Fixed it, it was the if statement. Thank you for your help.
... View more
05-22-2017
01:08 PM
The transaction search works now, but now the records from the
index=mensa_exchange-prod sourcetype=iis cs_uri_stem="/owa/auth.owa" NOT LogoffReason=* OriginalIP=*
isn't coming through.
... View more
05-19-2017
04:58 PM
At the moment I have this search that combines the first two searches.
(index=mensa_exchange-prod sourcetype=iis cs_uri_stem="/owa/auth.owa" user=* NOT LogoffReason=* OriginalIP=*) OR (index=mensa_radius-prod acct_status_type=1 acct_delay_time=0 vendor=Reserved tunnel_client_endpoint=* user=* NOT Wireless) | iplocation OriginalIP | iplocation tunnel_client_endpoint | search Country!="United States" | rex field=user "\w{3}\\\(?\S+)" | eval User=lower(user) |table User Country | stats values(Country) as country dc(Country) as Count by User | sort User
Now I just have to figure out how to add the last one with the transaction. I'm assuming a join, any help would be greatly appreciated.
... View more
05-19-2017
03:39 PM
Hi, I'm trying to combine my three searches so I can see which users are logging in from multiple locations at one time. At the moment, I have these three searches.
index=mensa_exchange-prod sourcetype=iis cs_uri_stem="/owa/auth.owa" NOT LogoffReason=* OriginalIP=* | iplocation OriginalIP | search Country=* NOT Country="United States"| rex field=user "\w{3}\\\(?\S+)" | eval User=lower(user) |table User Country | stats values(Country) as country dc(Country) as Count by User | sort User
index=mensa_radius-prod acct_status_type=1 acct_delay_time=0 vendor=Reserved NOT Wireless | iplocation tunnel_client_endpoint | search Country=* NOT Country="United States" | rex field=user "\w{3}\\\(?\S+)" | eval User=lower(user) | table User Country | stats values(Country) as Country dc(Country) as Count by User | sort User
index=mensa_radius-prod vendor=Microsoft NOT Wireless | transaction user, Client_Friendly_Name maxspan=1 startswith=acct_session_id=* endswith=action=success | iplocation tunnel_client_endpoint | search Country=* NOT Country="United States" | rex field=user "\w{3}\\\(?\S+)" | eval User=lower(user) |table User Country | stats values(Country) as country dc(Country) as Count by User | sort User
I was thinking the way to do this is to use a join; however, I don't know how that works if I have a transaction command. Is there another way to use this or do I have to use a JOIN? If I do use a join, how would I go about it? Thanks!
... View more
05-19-2017
12:47 PM
This worked, thank you!
... View more
05-19-2017
12:16 PM
Sorry, user is the column name. It's just sometimes those fields in the column populate either with just the abc123 or they populate with NAU\abc123. They aren't consistent. Sorry for the confusion. I'm trying to make it so every field in the user column is just the userid without the prefix "NAU\".
... View more
05-18-2017
04:02 PM
Hello, I'm trying to normalize a field during search. I have the field "user" and some of the fields are "NAU\abc123". I'm trying to remove the prefix "NAU\". All I want is the abc123 part of it. Is there a way to remove that prefix in search? Thanks in advance.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
