Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About davidcraven02
davidcraven02
Communicator
Member since:
11-29-2017
06-05-2020
Community Statistics
| Posts | 86 |
| Solutions | 0 |
| Karma Given | 31 |
| Karma Received | 3 |
| Member Since | 11-29-2017 |
Activity Feed
- Karma Re: Left JOIN using two searches for harsmarvania57. 06-05-2020 12:49 AM
- Karma Re: Convert timestamp from BST to EDT for renjith_nair. 06-05-2020 12:49 AM
- Karma Re: Check values exist within two columns for micahkemp. 06-05-2020 12:49 AM
- Karma Re: Check values exist within two columns for lguinn2. 06-05-2020 12:49 AM
- Karma Re: Check values exist within two columns for micahkemp. 06-05-2020 12:49 AM
- Karma Re: EVAL for multiple conditions check for 493669. 06-05-2020 12:49 AM
- Karma Re: Regex to extract email domain name for elliotproebstel. 06-05-2020 12:49 AM
- Karma Re: Regex to extract email domain name for BearMormont. 06-05-2020 12:49 AM
- Karma Re: Check to compare value with csv contents for cmerriman. 06-05-2020 12:49 AM
- Karma Re: FULL NULL Values based on certain values for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: FULL NULL Values based on certain values for micahkemp. 06-05-2020 12:49 AM
- Karma Re: Count string value over 7 days for mayurr98. 06-05-2020 12:49 AM
- Karma Re: Count string value over 7 days for maciep. 06-05-2020 12:49 AM
- Karma Re: Count string value over 7 days for somesoni2. 06-05-2020 12:49 AM
- Karma Re: Group results by similar name into one for 493669. 06-05-2020 12:49 AM
- Karma Re: Left JOIN using two searches for harsmarvania57. 06-05-2020 12:49 AM
- Karma Re: EVAL statement not correct for mayurr98. 06-05-2020 12:49 AM
- Karma Re: How to add previous week to line chart for comparison? for p_gurav. 06-05-2020 12:49 AM
- Karma Re: Distinct count of machine names for the last 7 days for richgalloway. 06-05-2020 12:49 AM
- Karma Re: addtotals to calculate percentage for mayurr98. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-26-2018
04:28 AM
Thanks for this. I ran this but it is saying fail with the below search. When adding date_wday to the table it has no value.
| tstats count as "Data Received" where index=msexchange host=opspkhf03p source=skypeuk
| eval date_wday=strftime(_time,"%A")
| eval result=if(count> 30 AND date_wday=="Monday", "PASS", "FAIL")
| eval host="opspkhf03p"
| append
[| tstats count as "Data Received" where index=msexchange host=opspkhf03p source=skypeus
| eval date_wday=strftime(_time,"%A")
| eval result=if(count> 200 AND date_wday=="Monday", "PASS", "FAIL")
| eval host="opspkhf03p"]
| table host, "Data Received", result
... View more
03-26-2018
01:21 AM
I would like for it to check if it is Monday and use the below pseudo-code logic
for skypeuk
If dayOfWeek=Monday
check if event count (Data Received) is greater than equals 290 then PASS else FAIL
for skypeus
If dayOfWeek=Monday
check if event count (Data Received) is greater than equals 700 then PASS else FAIL
... View more
03-26-2018
01:13 AM
Each Monday the event count for skypeuk is 30 and skypeus is 200. However, for the rest of the weekday skypeuk is atleast is 290 and skypeus is 700.
How would I build in a new search to the one below to accommodate this low event count on Monday?
| tstats count as "Data Received" where index=msexchange host=opspkhf03p source=skypeuk
| eval result=if('Data Received'> 200, "PASS", "FAIL")
| eval host="opspkhf03p"
| append
[| tstats count as "Data Received" where index=msexchange host=opspkhf03p source=skypeus
| eval result=if('Data Received'> 700, "PASS", "FAIL")
| eval host="opspkhf03p"]
| table host, "Data Received", result
... View more
03-21-2018
09:22 AM
It doesn't work with this example: firstname.surname@test.co.uk
Any thoughts?
... View more
03-21-2018
08:24 AM
I have two regexes below which are pulling the domain name of the email sender (from). i.e linkedin.com, amazones.com.
However I cant create one regex to pull them both in one as they aren't always in the same format.
index=fortimail source=/var/log/messages/splunk/fortimail/*-fortimail.log
| dedup date, time, to, from, domain, subject
| rex field=from "(.*@.*\.(?<domainname>.*\..*)$)"
| rex field=from ".*@(?<domainname2>.*\..*)$"
| table date, time, to, from, domainname, domainname2, subject, message_length
... View more
03-21-2018
05:19 AM
Thank you for this but how would I add a pass or fail to display this?
... View more
03-21-2018
04:22 AM
I'm trying to build a pass/fail check to see if a machine already exists in a csv, as I have a dashboard with a text input where a machine name can be entered.
Below is my search which displays all the machines from the csv, combining them into one line.
... View more
02-28-2018
04:13 AM
I have this below search and would like to add another line to include the week previous showing how it compares with the last 7 days.
index=summary report=otl_engineering_jiracsatresults Key="**" Assignee="**" Classification="**"
| dedup Key
| eval dateEpoch = strptime(Date, "%Y-%m-%d %H:%M")
| eval today = now()
| eval daysAgo = round(((today - dateEpoch)/60/60/24), 0)
| rex field=Date "(?<day>^\d{4}-\d{2}-\d{2}) \d{2}:\d{2}$"
| table Key, Summary, Reporter, Assignee, Classification, "CSAT Rate", "CSAT Rating Comment", Date, daysAgo, day
| search daysAgo <= 7
| stats avg("CSAT Rate") as AverageCustomerRating by day
... View more
02-09-2018
04:38 AM
Thank you so much
... View more
02-09-2018
03:35 AM
Is it possible to have each piece of software as an event of its own so that I could search for a particular item?
Could some cool regex break this up into searchable data?
Desired output in screenshot below
... View more
02-06-2018
04:58 AM
I do use append in this query and the results are in the screenshot as 'Actual Results'. Do you mean when using "| join type=left machine " ?
If so when using this join it works correctly only but it only displays 1,633 results (instead of the correct amount of 1,935) and it excludes those machines that don't have any Path listed from the source=WMI:Shares.
... View more
02-06-2018
04:01 AM
I need the field concate_CSV to list all concatenations for each machine but it is not working. (Actual v Desired output below)
The field con_Splunk contains the concatenation of 'machine' and 'drive' from the table displayed (e.g nas01b,B)
The field concate_CSV contains all the concatenation of 'machine' and 'drive' for each machine from the csv (e.g nas01b,E nas01b,F)
When I use "| join type=left machine " instead of append on the second search with "stats values(concate_CSV) as concate_CSV values(Location) AS Location by machine " it works but it excludes machines that don't have any Path listed on the source=WMI:Shares
index=summary report=otl_engineering_jira_serverrequests Status=Closed "Server Name"=* NOT Project="Server Build" NOT "Decommission Date"=* Project= "Win Admin" NOT "Component/s"= "*Momentum*"
| eval machine = lower('Server Name')
| table machine
| append
[ search index=windows host=*nas* source=WMI:Shares
| eval machine=lower(host)
| eval drive = Path
| rex field=drive "(?P<Drive>\w+)\:"
| eval con_Splunk=machine. "," .Drive
| eval con_splunkUL = upper(con_Splunk) ]
| append
[ search index = varonis source = otl_varonis_monitoring sourcetype="csv"
| rex field=Share "((?<drive>\w+)\$)"
| rex field=machine "^(?<machine>\w+)\."
| eval machine = lower(machine)
| eval con=machine. "," .drive
| eval concate_CSV = upper(con)
| eventstats max(Location) as Location by machine ]
| search
[ search index=ad source=otl_addnsscan name=*nas* type=CNAME NOT ( name=*.options-it.com OR name=*app*)
| rex field=data "^(?<machine>[^.]+).*$"
| eval machine = lower(machine)
| search NOT machine=*app*
| table machine]
| search NOT
[ search index=summary report=otl_engineering_jira_serverrequests Component/s=*Momentum*
| eval machine=lower('Server Name')
| table machine]
| fillnull value="Not in Varonis" Location
| dedup machine, drive
| table machine , drive, Location ,con_Splunk, concate_CSV,
| eval machine = lower(machine)
| sort machine asc
... View more
02-02-2018
07:02 AM
Yes that runs correctly but I found that when I download the raw logs it lists the OS as "Microsoft Windows 7 Entreprise" but in Splunk it displays it as "Microsoft Windows 7 Entreprise".
Perhaps this is why Splunk doesn't recognize them as being the same because of this character.
... View more
02-02-2018
02:21 AM
I appreciate the follow up. Its displaying them as separate in a table and chart format even though they are spelt the same.
Actual Output
Microsoft Windows 7 Enterprise 94 2.19%
Microsoft Windows 7 Enterprise 6 0.14%
Desired Output
Microsoft Windows 7 Enterprise 100 2.33%
... View more
02-02-2018
02:01 AM
Thanks for a follow up. Yes this renames it the incorrect one to 'Microsoft Windows 7 Enterprise' correctly but when displaying in a table or pie chart they are both listed individually with the same name not as one as I intended.
Actual Results
Microsoft Windows 7 Enterprise 94 2.19%
Microsoft Windows 7 Enterprise 6 0.14%
Desired Results
Microsoft Windows 7 Enterprise 100 3.33%
... View more
02-01-2018
05:37 AM
This didnt work unfortunately.
Microsoft Windows 10 Pro
Microsoft Windows 10 Enterprise
Microsoft Windows 10 Enterprise
It doesn't merge the into one row, same issue with the other guys comment.
... View more
02-01-2018
02:25 AM
The name for Windows 7 Enterprise is spelt incorrectly for 6 machines as "Entreprise" and I need to group both these Windows 7 results together into one so the total count becomes 100 for Windows 7 Enterprise and the incorrect spelling is removed from the table.
index=ad source=otl_addnsscan
| eval machine=lower(name)
| rename User_Name0 as LastKnownUser, Caption0 as operatingSystem, Version0 as Version, Model0 as Model
| rename data as IPAddress
| search machine="***" operatingSystem="***" OR NOT operatingSystem="*"
| fillnull value="No OS listed" operatingSystem
| dedup machine
| stats count(machine) as count by operatingSystem
| eventstats sum(count) as total
| eval percentage = ((count/total)*100)
| eval percentage = round(percentage,2)
|eval percentage =percentage ."%"
|table operatingSystem ,count, percentage
|sort operatingSystem
... View more
01-23-2018
01:10 AM
Yes. In a table format it works correct. But I want to display is as a single value i.e 80% which reflects the percentage of a particular OS.
I have tried the below, but it only works if Windows 10 is listed first in this table which make sit not reliable.
`GEN_ProductionWorkstations`
| join type=left machine
[ search index=ad source=otl_addnsscan
| eval machine=lower(name)]
| rename User_Name0 as LastKnownUser, Caption0 as operatingSystem, Version0 as Version, Model0 as Model
| rename data as IPAddress
| search $companyCode$ operatingSystem="*" OR NOT operatingSystem="*"
| fillnull value="No OS listed" operatingSystem
| dedup machine
| stats count(machine) as count by operatingSystem
| eventstats sum(count) as total
| eval percentage = ((count/total)*100)
| eval percentage = round(percentage,2)
|eval percentage =percentage ."%"
|table percentage, operatingSystem , count ,
|sort operatingSystem
| fields- count
... View more
01-22-2018
11:51 PM
Thanks this works! How could this be tweaked to be used as a single value display to show the '% of OS's on Windows 10' for example. When I include the below it calculates it as 100% as the other OS's have been removed from the table.
| search machine="*" operatingSystem="*10*"
Any ideas?
... View more
01-22-2018
07:58 AM
1 Karma
I am trying to calculate what percentage of Operating Systems have windows 10 installed out of the total number which in this example is 174.
I have used a table as the easiest way to try and achieve this but ideally I want to display the final values as a single value. However, any solution would be really useful now.
`GEN_ProductionWorkstations`
| join type=left machine
[ search index=ad source=otl_addnsscan
| eval machine=lower(name)]
| rename User_Name0 as LastKnownUser, Caption0 as operatingSystem, Version0 as Version, Model0 as Model
| rename data as IPAddress
| search machine="*"
| dedup machine
| stats count(machine) by operatingSystem
| addtotals col=t labelfield=totalOSCount label="osCount" fieldname="total"
| fillnull value="Total Client Estate" operatingSystem
| fields- count(machine) Product totalOSCount
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
