Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About bulu
bulu
New Member
Member since:
09-16-2017
06-05-2020
Community Statistics
| Posts | 5 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 09-16-2017 |
Activity Feed
- Posted Re: change colon to dash in Search on Splunk Search. 02-10-2020 06:03 AM
- Posted Re: change colon to dash in Search on Splunk Search. 02-07-2020 01:09 PM
- Posted change colon to dash in Search on Splunk Search. 02-07-2020 10:48 AM
- Tagged change colon to dash in Search on Splunk Search. 02-07-2020 10:48 AM
- Posted Re: How do I use the username in events returned in a search of Index "A" to look up the user in index "B" and only return the events where the user in event from index "A" exists in index "B" on Splunk Search. 09-17-2017 02:06 PM
- Posted How do I use the username in events returned in a search of Index "A" to look up the user in index "B" and only return the events where the user in event from index "A" exists in index "B" on Splunk Search. 09-16-2017 06:35 PM
- Tagged How do I use the username in events returned in a search of Index "A" to look up the user in index "B" and only return the events where the user in event from index "A" exists in index "B" on Splunk Search. 09-16-2017 06:35 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
02-10-2020
06:03 AM
As I said in the beginning, I'm just a beginner with Splunk. I search a DHCP database for the MAC address that had an IP address lease on a certain date. The DHCP database returns the MAC in the format a4:fc:77:3b:08:b7, I'm looking for a search string to search the Splunk logs on a specific date, currently I'm running the search below but I have to manually change the colons into dashes:
index=foo "a4-fc-77-3b-08-b7"
Everything I've tried so far has either failed or not returned the required information.
... View more
02-07-2020
01:09 PM
If i put the below strings into the search bar it returns the MAC address in the correct format, but it only searches today's logs despite what date range I've selected
| makeresults
| eval mac="a4:fc:77:3b:08:b7"
| rex field=mac mode=sed "s/:/-/g"
_time mac
2020-02-07 16:06:42 a4-fc-77-3b-08-b7
... View more
02-07-2020
10:48 AM
First, let me start by saying I am not a programmer, a Splunk expert, highly experienced with Regex or SED. I say this so you understand if you offer an answer please do not leave any steps out expecting I know what should fill in the blanks.
I get MAC addresses in the format of 00:00:00:00:00:00 but the logs I need to search are in the format of 00-00-00-00-00-00, I'm looking for a way for Search to take the input with colons and convert the colons to dashes before executing the search so we do not have to manually change before executing our search.
... View more
- Tags:
- splunk-enterprise
09-17-2017
02:06 PM
This part of the search returns all of the events where the user full name and emergency contact full name match, and the service area is a service area I am concerned with.
index="A"
| rex mode=sed field=User_Full_Name "s/ //g"
| eval User_Full_Name = LOWER(User_Full_Name)
| rex mode=sed field=Emergency_Contact1 "s/ //g"
| eval Emergency_Contact1 = LOWER(Emergency_Contact1)
| eval results = if(match(Emergency_Contact1,User_Full_Name), "match", "no match")
| dedup User_Full_Name
| search results="match"
| eval Service_Areas=split(Patient_Service_Areas, ",")
| search Service_Areas="50*"
The problem is about 80% of the returned results are false positives for my purposes so I need to execute an additional search that takes the user logon ID (user's Windows AD username) from a returned event and looks it up in our identity management system (contained in a different index) to see if the user is one of our users or not, and only return the events where the user in the event exists in our identity management system. That's where I try to work this search in.
| eval User_Logon_ID = LOWER(User_Logon_ID)
| search index="B"
| eval HSCNET_ID = LOWER(HSCNET_ID)
| eval results = if(match(User_Logon_ID,HSCNET_ID), "USF", "no USF")
| search results="USF"
... View more
09-16-2017
06:35 PM
This part of my query gets me on the street I want to be on for this report
index="A"
| rex mode=sed field=User_Full_Name "s/ //g"
| eval User_Full_Name = LOWER(User_Full_Name)
| rex mode=sed field=Emergency_Contact1 "s/ //g"
| eval Emergency_Contact1 = LOWER(Emergency_Contact1)
| eval results = if(match(Emergency_Contact1,User_Full_Name), "match", "no match")
| dedup User_Full_Name
| search results="match"
| eval Service_Areas=split(Patient_Service_Areas, ",")
| search Service_Areas="50*"
This syntax does not return any results even though I know I have matches in my testing data
| eval User_Logon_ID = LOWER(User_Logon_ID)
| search index="B"
| eval HSCNET_ID = LOWER(HSCNET_ID)
| eval results = if(match(User_Logon_ID,HSCNET_ID), "USF", "no USF")
| search results="USF"
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
