cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
splunkxorsplunk
Explorer
Member since: ‎12-18-2021
‎02-20-2023
Community Statistics
Posts 11
Solutions 1
Karma Given 7
Karma Received 2
Member Since ‎12-18-2021
Activity Feed
View All

Re: After saving a lookup file with outputcsv, how...

by in Splunk Enterprise Security
‎02-19-2023 07:49 PM
‎02-19-2023 07:49 PM
Thanks for the solution!  ... View more

After saving a lookup file with outputcsv, how to ...

by in Splunk Enterprise Security
‎02-17-2023 05:58 PM
‎02-17-2023 05:58 PM
index=my_index [search is here]  | outputcsv mycsv.csv After saving the search results into mycsv.csv file,  can I access the file via search head? | inputlookup mycsv.csv   -- is not working      ... View more
Labels

Re: How to use OR operator between subsearch and f...

by in Splunk Search
‎10-28-2022 08:36 PM
1 Karma
‎10-28-2022 08:36 PM
1 Karma
It worked! Thanks Johnhuang! ... View more

Re: OR operator between subsearch and fields

by in Splunk Search
‎10-28-2022 05:20 PM
‎10-28-2022 05:20 PM
Thanks for quick reply! but it didn't work ... View more

How to use OR operator between subsearch and field...

by in Splunk Search
‎10-28-2022 04:49 PM
‎10-28-2022 04:49 PM
Hey Splunkers,   I have the following search but it is not working as expected. What I am trying to achieve is if one of the conditions matches I will table out some fields. condition 1 : if user_action="Update*" OR  Condition 2:  within each 5 min bucket, if any user has access more than 400 destination in the same index, index1 but it doesn't work. How can I check both condition on the same search?  Thanks in advanced!     index=index1 ``` condition 1 ``` ( user_action="Update*" ) OR ``` condition 2 ``` ( [search index=index1 NOT user IN ("system*", "nobody*") | bin _time span=5m | stats values(dest) count by _time, user | where count > 400 ] ) | table _time, user, dest       ... View more
Labels

Re: Only return subsearch results which are not av...

by in Splunk Search
‎07-29-2022 02:28 PM
‎07-29-2022 02:28 PM
Thanks for solution recommendations! My initial pivot point should be index2 since index1 includes all files and actors. if a user and associated file is available in index2 but not index1, that is what I am looking for.  ... View more

Re: Why do stats and tstats give different set of ...

by in Splunk Search
‎07-29-2022 01:32 PM
1 Karma
‎07-29-2022 01:32 PM
1 Karma
Probably some of the data is not being indexed properly. Please check this out https://community.splunk.com/t5/Splunk-Search/What-is-wrong-with-my-tstats-command/m-p/593165/highlight/true#M206459 ... View more

How to only return subsearch results which are not...

by in Splunk Search
‎07-29-2022 01:14 PM
‎07-29-2022 01:14 PM
I have two indexes which include same data in a different fields as seen below.  index1 -- user, fileName, ...etc index2 -- event.file, actor user = actor and fileName = event.file The following search gives me if a user and their file in index2 is available in the index1, but I dont need this since I know they should be included in index1 What I am trying to find is : If a user and their file in index2 is NOT available in the index1, I wanna list them out.  Thanks for help index="index1" [search index="index2" "event"=event2 event.file="something_*" | table event.file, actor | rename event.file as fileName, actor as user ] | table actor ... View more
Labels

Re: Two condition match - sequential number pid an...

by in Splunk Search
‎12-20-2021 09:43 AM
‎12-20-2021 09:43 AM
Thanks @ITWhisperer This is what I was exactly looking for, well done. appreciate your help! Best, ... View more

Re: Two condition match - sequential number pid an...

by in Splunk Search
‎12-19-2021 11:09 PM
‎12-19-2021 11:09 PM
Hey @ITWhisperer  Thank you so much for spending time and providing this solution.  It gives me the following output However, I need following matches out of the data set.  logic here is : 1. under the same ppid, (curl OR wget ) and ( bash OR sh ) should be available 2. If #1(above) is true, ((pid _of_curl + 1) OR (pid_of_wget + 1 )) = ( pid_of_sh OR pid_of_bash) time - ppid - pid - exe 1. time2 - 981804 - 991885, 991885 - curl, bash 2. time2 -981804 - 991940, 991940 - curl, sh Thanks again. ... View more

Two condition match - sequential number pid and ce...

by in Splunk Search
‎12-18-2021 11:45 PM
‎12-18-2021 11:45 PM
Hi, Need help to get following results from the search.  all helps will be appreciated.  On the image below, same colors show match cases I would like to get out of my search. Here is the condition I am looking for: Under the same pid which is all same already on image below.  example -1 ( green on the image) : pid_of_curl = 990820 pid_of_sh = 990821 If exe = curl and ( pid_of_curl + 1 ) has exe = sh exe is curl and  990820 + 1 = 990821 = pid in which exe = sh if exe is either "curl" or "wget" and its pid +1 is equal to ( bash or sh ) pid ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-20-2023 02:46 AM
Karma from
View All