Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About shakermaker
shakermaker
Explorer
Member since:
04-15-2013
06-05-2020
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 3 |
| Member Since | 04-15-2013 |
Activity Feed
- Karma Re: Counting Totals in CSV Lookup and return results to query for fdi01. 06-05-2020 12:47 AM
- Karma Re: Remove fixed string from multivalue field for woodcock. 06-05-2020 12:47 AM
- Got Karma for Re: Counting Totals in CSV Lookup and return results to query. 06-05-2020 12:47 AM
- Got Karma for Re: Counting Totals in CSV Lookup and return results to query. 06-05-2020 12:47 AM
- Got Karma for Re: Counting Totals in CSV Lookup and return results to query. 06-05-2020 12:47 AM
- Posted Re: How to edit my search to show the trending Malware Infection Rate in our company, not just one-time results? on Splunk Search. 09-02-2015 07:36 AM
- Posted Re: How to edit my search to show the trending Malware Infection Rate in our company, not just one-time results? on Splunk Search. 09-02-2015 06:54 AM
- Posted Re: How to edit my search to show the trending Malware Infection Rate in our company, not just one-time results? on Splunk Search. 09-02-2015 05:11 AM
- Posted How to edit my search to show the trending Malware Infection Rate in our company, not just one-time results? on Splunk Search. 09-02-2015 03:28 AM
- Tagged How to edit my search to show the trending Malware Infection Rate in our company, not just one-time results? on Splunk Search. 09-02-2015 03:28 AM
- Tagged How to edit my search to show the trending Malware Infection Rate in our company, not just one-time results? on Splunk Search. 09-02-2015 03:28 AM
- Tagged How to edit my search to show the trending Malware Infection Rate in our company, not just one-time results? on Splunk Search. 09-02-2015 03:28 AM
- Tagged How to edit my search to show the trending Malware Infection Rate in our company, not just one-time results? on Splunk Search. 09-02-2015 03:28 AM
- Tagged How to edit my search to show the trending Malware Infection Rate in our company, not just one-time results? on Splunk Search. 09-02-2015 03:28 AM
- Posted Remove fixed string from multivalue field on Splunk Search. 06-19-2015 06:18 AM
- Tagged Remove fixed string from multivalue field on Splunk Search. 06-19-2015 06:18 AM
- Tagged Remove fixed string from multivalue field on Splunk Search. 06-19-2015 06:18 AM
- Tagged Remove fixed string from multivalue field on Splunk Search. 06-19-2015 06:18 AM
- Posted Re: Counting Totals in CSV Lookup and return results to query on Splunk Search. 04-23-2015 05:41 AM
- Posted Re: Counting Totals in CSV Lookup and return results to query on Splunk Search. 04-23-2015 05:09 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
09-02-2015
07:36 AM
Indeed a typo, but it still does not work. The query does not return results.
If I remove the timechart piece, I do see results (for the selected timeperiod).
Department InfectedAssets InfectionRate TotalAsset
Finance 10 8,3310 120
HR 7 8,75 80
... View more
09-02-2015
06:54 AM
Doesn't seem to be right. I got the following error:
The specifier 'list' is invalid. It must be in form <func>(<field>). For example: max(size).
... View more
09-02-2015
05:11 AM
Yes, a timechart would do it.
... View more
09-02-2015
03:28 AM
Hi,
I am doing an analysis on malware infections in our company, more precisely per department. Working with total number of infections is not very representative, since one department may have more PCs than other departments. So I focus on the infection rate (Infected Assets / TotalAssets)
I have a (more or less) stable list of PCs assigned to each department > assetinfo.csv.
Asset, Department, Location
PC1, Hr, Houston
PC2, Finance, New York
…and a temporary table (updated once a month) with the total count of assets by department > count_of_assets_by_department.csv.
Department Count of Assets
HR, 1000
Finance, 2500
I do have a working search that shows me the infection rate for each department (at least I think it works properly)
| inputlookup count_of_assets_by_department.csv | appendcols [search index=infection | dedup shost | lookup assetinfo.csv Asset as shost OUTPUT Department | stats count as "InfectedAssets" by Department] | eval InfectionRate=(InfectedAssets/TotalAssets)*100 | table Department, TotalAssets, InfectedAssets, InfectionRate
The problem:
The search above is showing once-off results only. I would like to do trending (see below), but I do not know how to achieve this.
Week 36 Week 37 Week 38
HR 2% 3% 4%
Finance 5% 6% 3%
Appreciate your support!
... View more
06-19-2015
06:18 AM
Hi,
I have a field alert which contains the following events:
“Failed Logon”
“Dropped Database”
However, sometimes the source application adds the string “Multiple - “ before it. Hence when running stats I end up with results like:
“Failed Logon” 9
“Multiple - Failed Logon” 1
“Dropped Database” 2
“Multiple - Dropped Database” 3
I am looking for way to remove the string “Multiple - ” from the event field. The results should look like
“Failed Logon” 10
“Dropped Database” 5
Appreciate your help!
... View more
04-23-2015
05:41 AM
Thx fdi01!
This is much better.
... View more
04-23-2015
05:09 AM
I tried to run your proposal but received the following error.
Error in 'inputlookup' command: This command must be the first command of a search.
Did it work on your end?
... View more
04-23-2015
04:39 AM
3 Karma
I think I solved it...If there is a smarter way, please do let me know.
The number of total assets per Department is stored in another lookup
| inputlookup "assetinfo.csv" | stats count As "TotalAssets" by Department | outputlookup "tmp_total_assets_by_Dept.csv"
In the main query I perform a lookup against the tmp lookup table...
infection_status!=”infected” | stats count As "InfectedAssets" by Department | lookup tmp_total_assets_by_Dept Department as Department OUTPUT "TotalAssets" | eval percentage=(InfectedAssets/TotalAssets)*100
,,,and than eval the two columns to get the percentage.
... View more
04-23-2015
02:53 AM
Thank you for your help, but I am not sure if this is really it? Let me try to be a simple as possible…
If my first search returns total number of infected assets by Dept.)
**infection_status!=”infected” | stats count by department**
HR – 10
IT – 2
FINANCE – 20
And the second search returns the total number of known assets by Dept.
| inputlookup "assets.csv" | stats count by Department
HR – 100
IT – 50
FINANCE - 150
Then I just want to get a table showing the infection rate by Dept. (number of infected assets / number of known assets)
HR = 10%
IT=4%
FINANCE=13,3%
... View more
04-23-2015
01:31 AM
The lookup CSV ("assets.csv") is structured like this:
MachineID - Department
PC1-HR
PC2-IT
PC3-FINANCE
PC4–IT
PC5-HR
PC6-HR
PC7-IT
I am able to calculate the total number of assets by department in the CSV using:
| inputlookup "assets.csv" | stats count by Department
which would return
HR – 3
IT – 3
FINANCE –1
But how do I take each of the values back to the main query?
... View more
04-22-2015
11:53 PM
Hi,
I have a simple query that counts the number of virus infected machines by different departments.
infection_status!=”infected” | stats count by department
resulting in:
HR – 10
IT – 2
FINANCE – 20
To achieve the above I have a lookup csv in place that links each machine name to a department. The csv looks sth. like this.
PC-1 - HR
PC-2 - IT
PC-3 - FINANCE
PC-4 – IT
…
I would like to put the count of infected assets in relation to the total number of known assets in each department. Hence I am looking for way to count the total number of known HR, IT, FINANCE machines (from the lookup csv) and use the results in my first query to get a infection rate, e.g.
HR – 10/100 = 10%
IT – 2/50 = 4%
FINANCE – 20/150 = 13,3%
... View more
