Does this work: |rex "serial\s(?<SERIALNUMB>\d+)" ... View more

Before we address the transaction, you say, "without using the serial number which I've not been able to map to the same field name,"... Will a rex not work to get you the serial number, then you could use the serial number for the transaction? ... View more

I think, in your rex statement you may need to identify the field. | rex field=max_match But, I may be misunderstanding what you have. If you can provide a sample event I may be able to help more. ... View more

Hey Vellas78, in my logs I only have the bytes so you may need to do the addition for your data. | eval MB=((bytes_in+bytes_out)/1024) | stats sum(MB) ... View more

As long as the "terminal" is extracted and in each event it should work. But I do not see the "terminal" in the first line. 21:43:37] Port Msg In: Port# 18, String W00CBA_3DES , Length 19 I may be misunderstanding the issue. ... View more

You may want to use stats instead of Top as it does other logic. I did something a little different: search | eval MB=(BYTES/1024) | eval GB=(MB/1024) | stats sum(GB) by host ... View more

I think you can do a join and then search again. index=omi_Uat host=DEFRNCMP* sourcetype=all_events_attributes | eval {idx} = elt | fields ID,UMN,TicketID,node | top limit=10 UMN | join UMN [search index=omi_Uat host=DEFRNCMP* sourcetype=all_events_attributes | eval {idx} = elt | fields ID,UMN,TicketID,node] | fields UMN ID TicketID node ... View more

If you have a common field in 2 different sources you may be able to crate an Alias for the fields. https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Addaliasestofields ... View more

I think you can do the original search and then do a localize to search again with the new criteria: index=? "ErrorCode0123" | localize timebefore=3s timeafter=3s | map search="search sourcetype="?" source="?" starttimeu=$starttime$ endtimeu=$endtime$" ... View more

Are either the source or destination of the same subnet? If they are you could do source="10.0.0.*". If not, then you can do the CIDR but that still limits you to a specific range you would just be able to have broader range. ... View more

I think you might be looking for something like this: index=INDEX sourcetype=SOURCETYPE "REST OF SEARCH" earliest=-8d@d latest=-1d@d | multikv | eval ReportKey="Last Week" | append [ search index=INDEX sourcetype=SOURCETYPE "REST OF SEARCH" earliest=-15d@d latest=-8d@d | multikv | eval ReportKey="Previous Week" | eval _time=_time+60*60*24*7] | stats FUNCTION by ReportKey I use this to compare weeks without having to do each week manually. ... View more

json formatting can be tricky. Can you use rex? | rex "\s\"value\_secs\"\:\s(?\d+)" ... View more

See if that works. ... View more

| rex field=PhysicalDisk_0_C_Avg__Disk_Bytes_Read "(?<DRIVE>\w+\_\d\_\w)\_(?<AVDBR>.[^\s]+)" ... View more

If you can provide a sample event we can probably figure this out. ... View more

Hmm.. You could add the additional HEAD* HEAD*_VAL as needed, it will only get populated if there is data. ... View more

This should work | rex "^.[^\<]+\<Header\sname\=\"(?<HEAD1>.[^\"]+)\"\>\n.[^\<]+\<Value\>(?<HEAD1_VAL>.[^\<]+)\<\/Value\>\s.[^\<]+\<\/Header\>\s.[^\<]+\<Header\sname\=\"(?<HEAD2>.[^\"]+)\"\>\s.[^\<]+\<Value\>(?<HEAD2_VAL>.[^\<]+)\<\/Value\>\s.[^\<]+\<\/Header\>\s.[^\<]+\<Header\sname\=\"(?<HEAD3>.[^\"]+)\"\>\s.[^\<]+\<Value\>(?<HEAD3_VAL>.[^\<]+)\<\/Value\>\s.[^\<]+\<\/Header\>\s.[^\<]+\<Header\sname\=\"(?<HEAD4>.[^\"]+)\"\>\s.[^\<]+\<Value\>(?<HEAD4_VAL>.[^\<]+)\<\/Value\>\s.[^\<]+\<\/Header\>\s.[^\<]+\<Header\sname\=\"(?<HEAD5>.[^\"]+)\"\>\s.[^\<]+\<Value\>(?<HEAD5_VAL>.[^\<]+)\<\/Value\>\s.[^\<]+\<\/Header\>\s.[^\<]+\<Header\sname\=\"(?<HEAD6>.[^\"]+)\"\>\s.[^\<]+\<Value\>(?<HEAD6_VAL>.[^\<]+)\<\/Value\>\s.[^\<]+\<\/Header\>\s.[^\<]+\<Header\sname\=\"(?<HEAD7>.[^\>]+)\>\s.[^\<]+\<Value\>(?<HEAD7_VAL>.[^\<]+)\<" | table HEAD1 HEAD1_VAL HEAD2 HEAD2_VAL HEAD3 HEAD3_VAL HEAD4 HEAD4_VAL HEAD5 HEAD5_VAL HEAD6 HEAD6_VAL HEAD7 HEAD7_VAL Let us know if you are looking for something different. ... View more

Never mind, I have something. I should have it completed shortly. ... View more

Is there no other info in the results? It will be easier if we have more at either end of the result. ... View more

See if this will work index=winevents EventCode=4740 | rename "Account Name" as cn | join cn [search index=msad sourcetype=ActiveDirectory] | table _time givenName sn cn Message I'm renaming Account Name to cn so the join will work. ... View more

Thanks. So, in the Lockout Event, the Account Name: abc1234, will that match to either the name, cn, or sAMAccountName? If yes, you can do a join and then a sub query. ... View more

Do you have some example events we can look at? You may need to do a join. ... View more

You will want to do | table DATE TIME PTVL MY CG ... View more

give this a shot: | rex "^msg\:\s(?<DATE>.[^\s]+)\s(?<TIME>.[^\s]+).[^\:]+\:.[^\:]+\:\s(?<PTVL>.[^\s]+)\s(?<MY>.[^\s]+)\s(?<CG>.[^\s]+)" ... View more

This should work: | rex "\<\>\s\:\s(?<NUMBERS>\d+)" Let us know if you need more help. ... View more