Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About munisb
munisb
Explorer
Member since:
06-01-2020
08-26-2021
Community Statistics
| Posts | 13 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 06-01-2020 |
Activity Feed
- Posted List events in csv not found in index on Splunk Search. 08-25-2021 09:48 AM
- Tagged List events in csv not found in index on Splunk Search. 08-25-2021 09:48 AM
- Tagged List events in csv not found in index on Splunk Search. 08-25-2021 09:48 AM
- Posted Re: Search Contains / Like between index and csv file as well as NOT Contains / Like on Splunk Search. 08-17-2021 10:23 AM
- Posted Search Contains / Like between index and csv file as well as NOT Contains / Like on Splunk Search. 08-13-2021 05:35 PM
- Tagged Search Contains / Like between index and csv file as well as NOT Contains / Like on Splunk Search. 08-13-2021 05:35 PM
- Tagged Search Contains / Like between index and csv file as well as NOT Contains / Like on Splunk Search. 08-13-2021 05:35 PM
- Posted Re: Return NOT matching events on Splunk Search. 08-12-2021 07:18 PM
- Posted Return NOT matching events on Splunk Search. 08-12-2021 07:14 PM
- Tagged Return NOT matching events on Splunk Search. 08-12-2021 07:14 PM
- Tagged Return NOT matching events on Splunk Search. 08-12-2021 07:14 PM
- Got Karma for Re: cidrmatch between 2 csv files. 06-17-2021 08:03 PM
- Posted Re: cidrmatch between 2 csv files on Splunk Search. 06-17-2021 05:34 PM
- Karma Re: cidrmatch between 2 csv files for bowesmana. 06-17-2021 05:32 PM
- Posted Re: cidrmatch between 2 csv files on Splunk Search. 06-17-2021 04:13 PM
- Karma Re: cidrmatch between 2 csv files for bowesmana. 06-17-2021 04:09 PM
- Posted cidrmatch between 2 csv files on Splunk Search. 06-16-2021 03:20 PM
- Tagged cidrmatch between 2 csv files on Splunk Search. 06-16-2021 03:20 PM
- Posted Assets Consolidation - Searching and Comparing fields with multiple IP Addresses on Splunk Search. 05-12-2021 10:32 AM
- Posted Re: Trending sum count on Splunk Search. 10-07-2020 06:04 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-25-2021
09:48 AM
Hi, I have finally got my search to work that compares data between index and lookup (csv) file that contains assets name and provide output of assets found in the index as well as CSV based off some EVALs index=myindex ASSETS [ | inputlookup linuxhostnames.csv | eval hostname="*".hostname."*" | rename hostname as DNS ]
| dedup DNS
| eval Agent=if(like(TAG, "%NonProd%"), "Yes - NonProd", "No Agent")
| eval Location=if(like(TAG, "%DataCenter%"), "Data Center", "Not in DC")
| where Agent="No Agent"
| table DNS, IP, OS, Location, TAG even if i remove the eval statements - the asset output is less than the total count in the .csv So it's listing ONLY the assets that are found in BOTH csv and index. How can I generate a table that will show assets that are not in the index but are in the CSV? Thank you
... View more
08-17-2021
10:23 AM
@tscroggins Thanks for the feedback. This brought me closer - but still some of the results are not accurate. Ex: If I run with NOT - it is returning 6 assets that have the agent tag (TRACK=Agent) instead on NOT having the "AGENT" and if I remove the TAG - it returns 100s of results. Essentially, showing assets are in the index and NOT in the csv. Whereas, I am trying to see find assets from CSV in the index that does not have the field TRACK=AGENT (field in the index) Hopefully, this makes more sense.
... View more
08-13-2021
05:35 PM
Hi, I am trying to figure this out - I have a data set that I need to compare the DNS values. The index data contains values like: hostname1 hostname2.domian.com hostname3.domain Whereas the csv file may also contain: hostname2 hostname1.domain.com hostname3.domain I can use JOIN to find values that MATCH exactly; however what I am looking for is "*indexdomain* = "*csvdomain*" After finding the matches, then in another table display the NOT match results This is what I have so far - but all of the different variation are returning odd number of hits: | inputlookup linuxhostnames.csv | rename hostname as DNS | [search index=dnsdata| stats count by DNS | table DNS] index=dnsdata SUMMARY TRACK=AGENT | dedup DNS | search [ | inputlookup linuxhostnames.csv | rename hostname as DNS]| eval result=if(like(hostname,"%".DNS."%"),"Contained","Not Contained") | table DNS, result Worse case scenario - I can modify the .csv file and exclude the domain.com and just leave the hostname - but still have a Contains / Like search in index is what I can't seem to figure out. Will appreciate any guidance. Thanks
... View more
08-12-2021
07:18 PM
I don't get it why this works but it does: | inputlookup linuxhostnames.csv | rename hostname as DNS | search [search index=myindex| fields DNS | format ] Now, I only get results that DO NOT MATCH. However, the search is slow. Would there be a faster way to do this?
... View more
08-12-2021
07:14 PM
Hi, I am trying to return values that DO NOT MATCH the search between an index and .csv file Ex - this returns the values that are good but i don't want to see these: index=myindex TAGGING="*Agent*" | dedup DNS | join type=inner DNS [ | inputlookup linuxhostnames.csv | rename hostname as DNS] whereas, I tried the following - this takes slightly longer to return the results but also returns only the matching values instead of the NOT MATCHING | inputlookup linuxhostnames.csv | rename hostname as DNS | search NOT [search index=myindex| fields DNS | format ] Will appreciate some guidance here. Thank you
... View more
06-17-2021
05:34 PM
1 Karma
sounds like a plan - Thx. Will give the wildcard suggestion a try. Otherwise, those who stumble upon this post can also try Excel Power Query to split a row into multiple rows Excel: Split Delimited Data into New Rows - Strategic Finance (sfmagazine.com)
... View more
06-17-2021
04:13 PM
That did the trick Thank you. One follow up question in my test1.csv some of the cells have multiple IP addresses if a host has multiple NICs. Example: 1.1.1.1, 2.2.2.2 3.3.3.3, 4.4.4.4, 5.5.5.5 I tried with "*IP*" and *IP* - however that doesn't return any results for zone.
... View more
06-16-2021
03:20 PM
Hi, I have two csv files where I am trying to cidrmatch between ip and subnet - but it doesn't appear to be working test1.csv host ip
abc 192.168.1.1
def 192.168.2.2
xyz 192.168.3.3 test2.csv zone subnet
dmz 192.168.1.1
internet 192.168.2.0/24
management 192.168.1.0/24 SPL (returns blank) | inputlookup test1.csv | lookup test2.csv subnet | where cidrmatch("192.168.1.0/24", ip) | table host ip subnet zone whereas if I run the following - I get a match (the zone & subnet fields are blank) | inputlookup test1.csv | lookup test2.csv subnet | where cidrmatch("192.168.1.0/24", ip) | table host ip subnet zone will appreciate some guidance. Thank you
... View more
- Tags:
- cidrmatch
Labels
- Labels:
-
lookup
05-12-2021
10:32 AM
Hi, I have this query where I am trying to compare two csv files and have the assets data merged CSV1 host ip os abc.domain.com 1.1.1.1 Windows def 2.2.2.3 suse xyz 3.3.3.3 aix CSV2 Name IP Addresses Description OS abc 1.1.1.1 blah blah windows abc.domain.com 1.1.1.1, 2.2.2.1 blah blah windows bcd 1.1.1.2, 2.2.2.2 blah blah windows def.domain.com 1.1.1.3, 2.2.2.3 blah blah suse xyz blah blah aix | inputlookup CSV1.csv | lookup CSV2.csv "IP Addresses" as ip | table Name, host, ip, OS, os | fillnull Name value="Not Found" With this query - for some reason i am not able to correlate assets that have multiple "IP Addresses" in CSV2. How can I ensure that any value in the cell is searched instead of having an exact match? Thank you
... View more
10-07-2020
06:04 PM
Thank you. Close however the numbers aren't adding up. So for instance: if run stats sum - the total count comes to over 2000. This is the sum of the values in VALUE_NUM. There are multiple events that has VALUE_NUM with the value greater than 0. whereas with Timechart - it comes to about 300 (missing 1700) These events are usually populated during the weekends and some (small amount of events) come during the day. So the sum of VALUE_NUM over 7 days = 2000; and comparing it to the past 7 days of the sum would be ideal. ex: Sum of Week1=2500 Sum of Week2=1800 Sum of Week3=2000 So trendline for Week3 would show an uptick of 200 and the count as 2000
... View more
10-07-2020
04:15 PM
Hi, I am trying to create a trending single value however having trouble setting it up. Essentially the stats below sums up VALUE_NUM and works as expected however i would like to compare this to 7d period or with the same previous_value of the time-picker index=main VALUE_NUM>0 | dedup UUID | stats sum(VALUE_NUM) I have tried index=main VALUE_NUM>0 | dedup UUID | timechart count as sum(VALUE_NUM) span=7d however this isn't returning the correct value TIA
... View more
06-02-2020
07:48 PM
Thank you.
that worked
... View more
06-01-2020
05:06 PM
Hi,
I am trying to get the top 10 table from Index-A to have corresponding asset information from Index-B as additional columns.
Hostnames field in index-A is called: HostxA
Hostnames field in index-B is called: HostxB
There are some duplicate entries in both.
Currently my search is able to find top 10 from Index-A and remove the dedups based on IP addresses
however, I am having difficulty using the "HostxA" field "DNS" as an input to find correlating data in index-B
index="indexA" HOSTSUMMARY OS="Windows Server*" | dedup IP | sort -Errors_5 | head 10 | table DNS, IP, Errors_5, Errors_4, Errors_3, Total_Errors
second table:
index="indexB" Hostname=DNS | table Asset-ID, Asset-Tag
Resulting table DNS, IP, Errors_5, Errors_4, Errors_3, Total_Errors, Asset-ID, Asset-Tag
Will appreciate some guidance.
Thanks
... View more
Labels
- Labels:
-
fields
