Hello, I have to migrate from an old Splunk standalone instance (version 6.4) to a new one. Is it possible to use in the new instance the same license currently used in the old one in production? Is there anything I need to pay attention to? Thank you in advance! ... View more

Hi, I have different mails in my logs and I need to filter them in order to distinguish real users from technical users. I noticed that real users have an email like name.surname@company.com, so I would like to extract these emails matching "anycharacter.anycharacter@any" because in some case it could be possible to have an email with numbers (ex. name.surname1@company.com). Thank you in advance! ... View more

Hi all, I need to extract some fields for authentication events from different log types, here below some example: LOG1 : AddSenaoLog%Client-6:LINUX_device(00:00:00:00:00:00/1.1.1.1) joins WLAN(WIFI) from MY-WIFI-0000-INT(00:00:00:00:00:00) LOG2 : AddSenaoLog%Client-6:(00:00:00:00:00:00) joins WLAN(WIFI-CITYLIFE) from MY-WIFI-0000-INT(00:00:00:00:00:00) LOG3 %Client-6:LINUX_device(00:00:00:00:00:00/1.1.1.1) joins WLAN(WIFI-OSPITI) from MY-WIFI-0000-INT(00:00:00:00:00:00) LOG4 %Client-6:(00:00:00:00:00:00) joins WLAN(WIFI-OSPITI) from MY-WIFI-0000-INT(00:00:00:00:00:00) As you can see in some case (LOG2 and LOG4) in the first parenthesis I have only the MAC address, in other cases (LOG1 and LOG3) I have both the IP and the MAC address, so I need to extract this two information (or only the MAC if the IP is missig as for LOG2 and LOG4) when I have "joins" in the logs. Thanks in advance! ... View more

Hi All, I have the following saved search: | tstats summariesonly=true fillnull_value="N/D" count from datamodel=Change where NOT [|`change_whitelist_generic`] nodename="All_Changes.Account_Management.Accounts_Updated" AND All_Changes.log_region=* AND All_Changes.log_country=* AND (All_Changes.command=passwd OR All_Changes.result_id IN (4723, 4724)) by All_Changes.log_region, All_Changes.log_country, index, host, All_Changes.Account_Management.src_user, All_Changes.user, _time | `drop_dm_object_name("All_Changes")` | rename Account_Management.src_user as src_user My customer asked to me to exclude results when Account_Management.src_user=user1 and All_Changes.Account_Management.src_nt_domain=All_Changes.Account_Management.dest_nt_domain. So I tried something like that but it seems not working:   | tstats summariesonly=true fillnull_value="N/D" count from datamodel=Change where NOT [| `change_whitelist_generic`] nodename="All_Changes.Account_Management.Accounts_Updated" AND All_Changes.log_region=* AND All_Changes.log_country=* AND (All_Changes.command=passwd OR All_Changes.result_id IN (4723, 4724)) by All_Changes.log_region, All_Changes.log_country, index, host, All_Changes.Account_Management.src_user, All_Changes.user, All_Changes.Account_Management.dest_nt_domain, All_Changes.Account_Management.src_nt_domain, _time | `drop_dm_object_name("All_Changes")` | search NOT (Account_Management.src_user=user1 AND Account_Management.src_nt_domain=Account_Management.dest_nt_domain) | rename Account_Management.src_user as src_user Have you any advice?   Thank you! ... View more

Hi, I have similar authentication logs as below: LOG 1: 03362 auth: ST1-CMDR: User 'my-global\admin' logged in from IP1 to WEB_UI session   LOG2: %%10WEB/4/WEBOPT_LOGIN_SUC(l): admin logged in from IP2   The regex below works only for event LOG2: (?<user>\w+)\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})   Probably it doesn't match special characters, any idea to solve that? Thank you in advance!   ... View more

Hi, I'm trying to extract some fields from my Access Point Aruba in order to be CIM compliant. For authentication log I have two kinds of event:   Login failed: cli[5405]: <341004> <WARN> AP:ML_AP01 <................................>  Client 60:f2:62:8c:a8:a7 authenticate fail because RADIUS server authentication failure Login success: stm[5434]: <501093> <NOTI> AP:ML_AP01 <..................................> Auth success: 60:f2:62:8c:a8:a7: AP ...................................ML_AP01   My goal is to extract the mac address after "Client" in the first log and the mac after "Auth success" in the second one in a common field called "src", can someone please help me? Thanks in advance! ... View more

Hi, I have a lookup containing some admin users and I need to add some text like "ADS_" before the username to distinguish them from normal users. I tried: index=myindex tag=authentication | lookup Ads.csv Utenza AS username OUTPUT Gruppo | fillnull value=NULL | eval username=if(Gruppo="NULL",username, ADS_.username) | eval action=if(match(details_message,"opened a Web Portal"),"success",action) | search action=success dest_host!="- -" | stats count by username | sort count desc   what I'm missing?   Thanks in advance! ... View more

Hi, I'm looking for users that login into an application and reset the password at the same time . The logs involved are like this:   Login: 1.1.1.1 - - [31/May/2022:11:15:03 +0200] "POST /servlet/Login HTTP/1.1" 200.....   Pwd Change: 1.1.1.1 - - [31/May/2022:11:15:03 +0200] "GET /PasswordChange/ HTTP/1.1" 200 .......   IP: 1.1.1.1 action : /servlet/Login, /PasswordChange   Ip and action are already extracted, So I need something like if IP1=IP2 and time1=time2 and action1=login and action2=pwdchange.   Thanks in advance!   ... View more

Hi, I have different log types like: <SQL > <TID: 0000000050> <RPC ID: 0002424958> <Queue: List > <Client-RPC: 390620 > <USER: *** > <Overlay-Group: 1 > /* Fri Feb 04 2022 17:47:10.0461 */SELECT * FROM ( SELECT T226.C1,C600000451 FROM T226 WHERE (('CC0000132482648' = T226.C600000451) AND ('7459898' = T226.C600000001)) ORDER BY 1 ASC ) WHERE ROWNUM <= 2 Or <SQL > <TID: 0000000056> <RPC ID: 0002424078> <Queue: Fast > <Client-RPC: 390620 > <USER: *** > <Overlay-Group: 1 > /* Fri Feb 04 2022 17:46:53.9515 */SELECT C999003082 FROM T226 WHERE C1 = 'CC0000272965790' I need to extract the CC* value, for example in this case CC0000132482648 (first log) and CC0000272965790 (second log). Thanks in advance! ... View more

Hi, I have a query like this: index=star eventtype=login-history action=success Username=** | stats count by Username | sort - count | head 10 So in my result I have a list of username with the login count for each one. I know some users are bot, so I want to add a string before the username like BOT_Username, probably with if condition. For example, in my result I have: Alice  10 Bob   8 Carol    7 David   4 Eddie  2 I know Alice and Bob are bot, so I need: BOT_Alice  10 BOT_Bob   8 Carol    7 David   4 Eddie  2 Thanks in advance!   ... View more