Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About cbr654
cbr654
Path Finder
Member since:
01-09-2014
03-13-2023
Community Statistics
| Posts | 16 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 2 |
| Member Since | 01-09-2014 |
Activity Feed
- Posted Re: How to detect T1036.002: Masquerading (Right-to-Left Override)? on Splunk Search. 03-13-2023 07:15 AM
- Posted Re: How to detect T1036.002: Masquerading (Right-to-Left Override)? on Splunk Search. 03-13-2023 06:42 AM
- Posted Re: How to detect T1036.002: Masquerading (Right-to-Left Override)? on Splunk Search. 02-28-2023 07:58 AM
- Karma Re: Is it possible to add a default value for a lookup without match? for sundareshr. 03-24-2022 09:52 AM
- Karma Re: Why is splunk field not populated with value from a lookup file? for richgalloway. 03-23-2022 06:01 PM
- Posted Re: Why is splunk field not populated with value from a lookup file? on Knowledge Management. 03-23-2022 06:00 PM
- Tagged Re: Why is splunk field not populated with value from a lookup file? on Knowledge Management. 03-23-2022 06:00 PM
- Posted Why is splunk field not populated with value from a lookup file? on Knowledge Management. 03-23-2022 03:11 PM
- Posted Re: relative time question on Splunk Search. 10-17-2021 03:46 AM
- Karma Re: relative time question for richgalloway. 10-17-2021 03:44 AM
- Posted relative time question on Splunk Search. 10-15-2021 12:48 PM
- Karma Re: Pie chart to display upgrade adoption of our new app version based on fields for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: Pie chart to display upgrade adoption of our new app version based on fields for kmorris_splunk. 06-05-2020 12:49 AM
- Got Karma for How can I filter my results to compare values in two fields?. 06-05-2020 12:48 AM
- Karma Re: How to create a 30 day search for specific time range (21:00 - 06:00) where the time carries over into the next day? for aweitzman. 06-05-2020 12:47 AM
- Got Karma for How to create a 30 day search for specific time range (21:00 - 06:00) where the time carries over into the next day?. 06-05-2020 12:47 AM
- Posted Pie chart to display upgrade adoption of our new app version based on fields on Dashboards & Visualizations. 08-17-2017 02:16 PM
- Tagged Pie chart to display upgrade adoption of our new app version based on fields on Dashboards & Visualizations. 08-17-2017 02:16 PM
- Tagged Pie chart to display upgrade adoption of our new app version based on fields on Dashboards & Visualizations. 08-17-2017 02:16 PM
- Tagged Pie chart to display upgrade adoption of our new app version based on fields on Dashboards & Visualizations. 08-17-2017 02:16 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 |
03-13-2023
07:15 AM
Not joking . I was going about this the hard way and wasted so much time , but this worked index=sysmon <U+202E> ( This is invisible . You will not see it when you paste it in Splunk) | stats .. ( your query) In sysmon the CommandLine and Targetfilename is were you would see the RTLO operation
... View more
03-13-2023
06:42 AM
Hey jrock, I figured it out. Copy and past the invisible character (U+202E) from the character map into Splunk. You will not see it, but it this there. Put the rest of your query afterwards.
... View more
02-28-2023
07:58 AM
Hey jrock, were you able to figure this out. i am looking for a solution as well. Thanks!
... View more
03-23-2022
06:00 PM
I have the lookup file populated with metadata in all the fields. When "values_Image" is not found in the lookup I was hoping to see the entry I have in "Images" in the lookup file even though it does not match. My goals was to view the mis-match when match is set to "no" Is this possible? Thanks you
... View more
- Tags:
- lookup
03-23-2022
03:11 PM
(1) index=blah Product IN (Cuteftp,Filezilla) (2) | rex field=Image "(?<values_Image>[^\\\\]+$)" (3) | lookup test.csv Image as values_Image OUTPUT Image (4) | eval match=if(values_Image == Image, "yes", "no") | table _time Product Company Description ImageLoaded Image values_Image match (1) I am searching index=blah where "Product" = Cuteftp or Filezilla (2) From my results I am removing everything before the last backslash, and the new field is going to be called "values_Image" (3) I am checking the "Image" column in the lookup file (test.csv) to see if it matches "values_Image" from my Splunk results (4) If there is a match, then I see "yes" in the match column in Splunk. If there is no match I see a "no" The problem I have: When match =yes the Image field in Splunk is populated with the value from the Image field in the lookup file (test.csv) . This is good When match=no the Image field in Splunk is not populated with the value from the the Image field in the lookup file (test.csv) . This is my problem
... View more
Labels
- Labels:
-
lookup
10-17-2021
03:46 AM
thank you very much Rich. You explained it in a way that makes send to me
... View more
10-15-2021
12:48 PM
Hello, There is a tube Splunk video on finding new service interactive logins here: https://www.youtube.com/watch?v=bgIG2um_Hd0 The following line I just need a better understanding. | eval isOutlier=if (earliest >= relative_time(now), "-1d@d"), 1, 0) I understand this much. It is an outlier (1) if : The earliest time of the first event is greater or equal to the time you ran the search "-1d@d" -->I am not understanding this part? Is it going back 1 day to find other matches that are also >= relative time (now)? You would only get an Outlier if the times are the same . If you go back "1d@d" the earliest time of an event 1 day ago will never be equal to the the time you ran the event which is the relative _time(now). How are the matches made when your going back 1d@d? I know I am thinking about this the wrong way. any assistance in understanding the logic would be greatly appreciated.
... View more
Labels
- Labels:
-
other
08-17-2017
02:16 PM
Hello,
I am trying to track a a version upgrade rollout of an application in our environment. I would like to see a pie graph showing percentage of the old version verses the new version. The index and sourcetype are the same ( index=fee sourcetype=events). However, the versions of the upgrade are in 2 different fields ( AgentVersionold=9.3 AgentVersionnew=10.0) . How can get this info a pie graph? Thanks
... View more
11-01-2016
09:18 AM
1 Karma
I have 2 fields called sc_bytes & cs_bytes in my results. How can I then filter my results to give me events when the value for cs_bytes is greater than the value for sc_bytes? Much thanks.
... View more
10-21-2015
01:54 PM
Hello,
I ready thru some documentation, but I need a nudge in the right direction. I have an index that has information on when a user is IN or OUT of the office. I would like to be alerted when someone logs into their workstation when the are OUT of the office. My Windows security logs are in a different index than my logs that contain IN/OUT status. I am a bit confused on if I should begin with "transaction" or subsearches. Any help will be appreciated. Thanks
... View more
04-28-2015
01:14 PM
1 Karma
This is what I have so far for my search:
index=logs sourcetype=Jobs earliest=-31d latest=-1d | where strftime(_time,"%H")>"20" AND strftime(_time,"%H")<"6"
For example I am only getting results starting at:
2015-03-28 21:00:10
.
.
2015-03-28 23:59:58
2015-03-29 21:00:20 <--I am expecting the time to start from 00:00 and get events thru 06:00
2015-03-29 21:01:12
My goal to get events for the past 30 days between the times of 9pm and 6am the next day.
Thanks
... View more
04-24-2015
07:58 AM
much thanks for assisting Rich. I am pretty amatuer with Splunk now. Yes, it was originally configured with fix start/end and i thought the cron setup will implement the date change, but I see cron is only for setting up when the report is supposed to run. I will setup the relative time in the **Advance->Earliest/Latest section? Let me see if I can get my head around setting up relative time before asking you the another question:) appreciate your help.
... View more
04-24-2015
07:02 AM
Time range
Start time
1429650000
Finish time
1429682400
Cron schedule
0 8 * * 2-5
Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-13-2023
10:35 AM
|
Karma given to
