cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
kelie
Path Finder
Member since: ‎03-06-2020
‎02-26-2021
Community Statistics
Posts 13
Solutions 0
Karma Given 12
Karma Received 1
Member Since ‎03-06-2020
Activity Feed
View All

Re: Can tables be used with top to display additi...

by SplunkTrust in Splunk Search
‎02-25-2021 12:39 PM
1 Karma
‎02-25-2021 12:39 PM
1 Karma
Hi @kelie, Your final query is not much different than mine, since you do not use UID it is better to remove it as an optimization. Below should give the same result; index=cb eventtype=bit9_carbonblack_alert status=Resolved | stats values(process_name) as Process values(observed_filename) as Filename count as Hits BY md5 | sort 10 -Hits | rename md5 as "MD5 Hash" ... View more

Re: Proper execution of subsearch help

by in Splunk Search
‎02-22-2021 12:16 PM
‎02-22-2021 12:16 PM
im sorry. i did not have the full query. this is the one as it runs now   sourcetype=snort NOT (signature_id=129:7:1 OR signature_id=124:1:1 OR signature_id=142:1:1 OR signature_id=124:7:1 OR signature_id=129:18:1 OR signature_id=129:8:1) [search sourcetype=snort (signature!="(spp_sip)*" (src_ip!=10.10.21.11 AND signature!="*POP3*") AND (src_ip!=10.108.246.111 OR 10.108.243.112 OR 10.108.243.113 OR 10.108.243.114 OR 10.108.243.115 OR 10.108.243.116) AND signature_id!=125:1:1) |top limit=20 src| table src] | stats count, values(signature) as Sigs by src | sort -count | lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED | iplocation src | fields src, count, Country, DST_RESOLVED, Sigs | rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures ... View more

Re: Join (Inner or left) or Eval to join events fr...

by in Splunk Search
‎03-27-2020 09:35 AM
2 Karma
‎03-27-2020 09:35 AM
2 Karma
In large dataset or high time range, I think this method is the fastest. First, I would recommand to find every MID where the Subject is "Password Expiring Soon" (in case of spam campaign you can have multiple). Then you'll want to find the sender and recipient for each of these MID. From your description it should look something like this : index=email [ search index = email subject="Password Expiring Soon" | table MID | format "(" "(" "" ")" "OR" ")" ] | stats values(subject) AS Subject, values(sender) AS sender, values(recipient) AS recipient BY MID 3no ... View more

Re: How to include another field into the visual

by in Dashboards & Visualizations
‎03-09-2020 10:43 AM
1 Karma
‎03-09-2020 10:43 AM
1 Karma
Be sure to come back here and click Accept to close the question and also UpVote any answers or comments that were useful. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-26-2021 01:23 PM
Karma from
View All
Karma given to