Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About florencegoh
florencegoh
New Member
Member since:
08-31-2017
06-05-2020
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 08-31-2017 |
Activity Feed
- Posted Re: Count does not shown as 0 when the username is not found in the sourcetype on Splunk Search. 10-29-2017 06:43 PM
- Posted Re: Count does not shown as 0 when the username is not found in the sourcetype on Splunk Search. 10-27-2017 02:57 AM
- Posted Re: Count does not shown as 0 when the username is not found in the sourcetype on Splunk Search. 10-25-2017 09:52 PM
- Posted Count does not shown as 0 when the username is not found in the sourcetype on Splunk Search. 10-25-2017 01:48 AM
- Tagged Count does not shown as 0 when the username is not found in the sourcetype on Splunk Search. 10-25-2017 01:48 AM
- Tagged Count does not shown as 0 when the username is not found in the sourcetype on Splunk Search. 10-25-2017 01:48 AM
- Tagged Count does not shown as 0 when the username is not found in the sourcetype on Splunk Search. 10-25-2017 01:48 AM
- Posted Re: Find users based on a lookup list showing users that have and have not logged in on Splunk Search. 10-23-2017 09:32 PM
- Posted Re: Find users based on a lookup list showing users that have and have not logged in on Splunk Search. 10-16-2017 11:16 PM
- Posted Re: Find users based on a lookup list showing users that have and have not logged in on Splunk Search. 10-16-2017 11:13 PM
- Posted Find users based on a lookup list showing users that have and have not logged in on Splunk Search. 10-16-2017 02:39 AM
- Tagged Find users based on a lookup list showing users that have and have not logged in on Splunk Search. 10-16-2017 02:39 AM
- Tagged Find users based on a lookup list showing users that have and have not logged in on Splunk Search. 10-16-2017 02:39 AM
- Tagged Find users based on a lookup list showing users that have and have not logged in on Splunk Search. 10-16-2017 02:39 AM
- Tagged Find users based on a lookup list showing users that have and have not logged in on Splunk Search. 10-16-2017 02:39 AM
- Posted Re: Find user that have latest login on Security. 10-16-2017 02:28 AM
- Posted Find user that have latest login on Security. 10-15-2017 08:55 PM
- Tagged Find user that have latest login on Security. 10-15-2017 08:55 PM
- Tagged Find user that have latest login on Security. 10-15-2017 08:55 PM
- Tagged Find user that have latest login on Security. 10-15-2017 08:55 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-29-2017
06:43 PM
This is the search result shows as all value are 0 for the above query
username datsource count
user1 db1 0
user2 db2 0
user1 db2 0
It is showing the correct number of inputlookup testconn file where there is 3 records.
But the count is not picking up the user1 connection to datsource of db1, user2 connection to datsource of db2 and user1 datsource of db2. (Note: user1 username is on both db1 and also db2)
The result should be something similiar as below.
username datsource count
user1 db1 8
user2 db2 0 - assume there are no event logs found and should show
as 0.
user1 db2 6
... View more
10-27-2017
02:57 AM
the result shows are with values and compares against all datsource.
The results of wanted is that if there based on the inputlookup eg
username datsource
user1 db1
user2 db2
user1 db2
return results based on fixed number of inputlookup file with 3 username
username datsource count(username)
user1 db1 10
user2 db2 0
user1 db2 8
... View more
10-25-2017
09:52 PM
Hi The above works..
If i need to use two fields in testconn inputlookup file to match against the events the result shows will be all 0 shown.
Here is the constructed command. Can advise on this.
index=main sourcetype=oracle ACTION_NAME=LOGON [inputlookup testconn|fields username,datsource]
| stats count(username) as uTotal,count(source) as sTotal by username datsource
| append [ | inputlookup testconn|fields username,datsource | eval uTotal=0,sTotal=0]
| stats max(uTotal),max(sTotal) by username datsource
The result is to shown username and datsource have total of the access and shown 0 with at the total of the access if there is no access.
sample output
username datsource uTotal sTotal
test1 DB1 10 10
test2 DB2 0 0
test1 DB1 0 0
... View more
10-25-2017
01:48 AM
Hi,
I want to shown the Total as 0 if username in lookup table has not event log . Using the fillnull value , it does not shown the results.
index=main sourcetype=oracle_ ACTION_NAME=LOGON [inputlookup testconn|fields username]|stats count AS Total by user |fillnull value=NULL
How to go changing it ? Would appreciate any advise.
... View more
10-23-2017
09:32 PM
Hi cusello, the suggested query still does append those user that has not login. Is there any other ways to put the value as 0 or '-' for the last_login and source when user does not login.
... View more
10-16-2017
11:16 PM
There are some user that has the sames name from different source. Have try the above query but it 's return all user login not based on the inputlookup yyyy list.
Any suggestion ?
... View more
10-16-2017
11:13 PM
I still getting not the full listing of the user from inputlookup yyyy file. Any other suggestions ?
... View more
10-16-2017
02:39 AM
I have list of lookup list yyyy which I want to shown the latest login based on max login time and also user that did not login.
How to reconstruct the query to allow to show both in one table?
index=main sourcetype=xxxx [inputlookup yyyy |fields account_name|rename account_name as query] |search ACTION_NAME=LOGON RETURNCODE=0| stats max(_time) as login_time by user,source| eval login_time=strftime(login_time,"%Y/%m/%d %H:%M:%S")| table user,source,login_time
... View more
10-15-2017
08:55 PM
I have a listed lookup table xxx .
When I run the below search. it shows no results.
inputlookup xxxx|fields USERNAME|search index=main sourcetype=oracle_aud user=CONN| stats count(user) by source,user
What can be the issue ?
Have check that there is no issue with the lookup table xxx |inputlookup xxxx.
Anyone can provide some good advise?
... View more
10-13-2017
01:28 AM
Hi,
where do you configure that ? New to it.
Regards,
... View more
10-12-2017
07:25 PM
Getting the outputs of the table when running "|inputlookup.csv.
I have run that suggested command. but still getting the error as "could not find all the specified lookup fields in the lookup table".
Any suggestion ?
... View more
10-12-2017
02:50 AM
Hi,
When configuring the lookup table, i receive the following error The lookup table 'xxxx' does not exist. It is referenced by configuration 'yyyyy'.
index=main sourcetype=yyyy [|inputlookup xxxx.csv |fields account_name] | chart count(username) by username
The objective of is to find a list of accounts listed in xxxx.csv field and count the number of time the user login from the sourcetype yyyy.
Please advise what could be the error
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
