Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jeradb
jeradb
Explorer
Member since:
01-26-2024
03-14-2024
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 0 |
| Member Since | 01-26-2024 |
Activity Feed
- Karma Re: How do I set a token to an html search string for ITWhisperer. 03-14-2024 07:23 AM
- Karma Re: Use eval command to extract from message for gcusello. 03-14-2024 06:52 AM
- Posted How do I set a token to an html search string on Splunk Search. 03-14-2024 06:51 AM
- Posted How do I modify my rex command to remove directory location from path? on Getting Data In. 03-05-2024 12:14 PM
- Posted Use eval command to extract from message on Splunk Search. 02-29-2024 05:49 AM
- Posted Re: EventCode Subsearch on Splunk Search. 02-22-2024 12:41 PM
- Posted EventCode Subsearch on Splunk Search. 02-22-2024 08:27 AM
- Posted Data model - eval expression on Splunk Search. 02-15-2024 12:28 PM
- Posted Re: Nested inputlookup with join or eval on Splunk Search. 02-01-2024 09:12 AM
- Posted Nested inputlookup with join or eval on Splunk Search. 02-01-2024 08:34 AM
- Karma Re: How do I do a search on an inputlookup from data loaded from datamodel for gcusello. 01-30-2024 06:19 AM
- Posted How do I do a search on an inputlookup from data loaded from datamodel on Splunk Search. 01-30-2024 05:33 AM
- Karma Re: tstats and inputlookup for richgalloway. 01-26-2024 11:13 AM
- Posted tstats and inputlookup on Splunk Search. 01-26-2024 10:33 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-14-2024
06:51 AM
<row>
<panel depends="$tok_tab_1$">
<table>
<title>Alerts Fired</title>
<search>
<query> index=_audit action=alert_fired
| rename ss_name AS Alert
| stats latest(_time) AS "Event_Time" sparkline AS "Alerts Per Day" count AS "Times Fired"
first(sid) AS sid by Alert
| eval Event_Time=strftime(Event_Time,"%m/%d/%y %I:%M:%S %P")
| rename Event_Time AS "Last Fired"
| sort -"Times Fired"
</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<fields>Alert, "Last Fired", "Times Fired", "Alerts Per Day"</fields>
<option name="count">10</option>
<option name="dataOverlayMode">heatmap</option>
<option name="drilldown">cell</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="sid">$row.sid$</set>
<unset token="tok_tab_1"></unset>
<set token="tok_tab_2">active</set>
<set token="tok_display_dd"></set>
<set token="Alert">$row.Alert$</set>
<link target="_blank">search?sid=$row.sid$</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel depends="$tok_tab_2$">
<table>
<title>$Alert$</title>
<search>
<query>| search?sid=$sid$</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row> In the code above the below line works correctly opening a new search tab with the Alert search query. <link target="_blank">search?sid=$row.sid$</link> I would like to know how to have this same functionality, but within a token so I can keep it on the same page within another table.
... View more
03-05-2024
12:14 PM
Here is my current rex command - EventCode=1004
| rex field=_raw "Files: (?<Media_Source>.+?\.txt)"
| table Media_Source My source data looks like this - Files: C:\ProgramData\Roxio Log Files\Test.test_user_20240305122549.txt SHA1: 73b710056457bd9bda5fee22bb2a2ada8aa9f3e0 My current rex result is - C:\ProgramData\Roxio Log Files\Test.test_user_20240305122549.txt How do I make it - Test.test_user_20240305122549.txt Im trying to drop - C:\ProgramData\Roxio Log Files\
... View more
02-29-2024
05:49 AM
LogName=Application
EventCode=1004
EventType=4
ComputerName=Test.local
User=NOT_TRANSLATED
Sid=S-1-5-21-2704069758-3089908202-2921546158-1104
SidType=0
SourceName=RoxioBurn
Type=Information
RecordNumber=16834
Keywords=Classic
TaskCategory=Optical Disc
OpCode=Info
Message=Date: Wed Feb 28 14:22:59 2024
Computer Name: COM-HV01
User Name: Test\test.user
Writing is completed on drive (E:). Project includes 0 folder(s) and 1 file(s).
Volume Label: 2024-02-28
Volume SN: 0
Volume ID: \??\Volume{b282bf1c-3dde-11ed-b48e-806e6f6e6963}
Type: Unknown
Status Of Media: Appendable,Blank,Closed session
Files: C:\ProgramData\Roxio Log Files\Test.test.user_20240228142142.txt SHA1: 7c347a6724dcd243d396f9bb5e560142f26b8aa4
File System: None
Disc Number: 1
Encryption: Yes
User Password: Yes
Spanned Set: No
Data Size On Disc Set: 511 Bytes
Network Volume: No How would I write an eval command to extract User Name: without domain, Status of Media, Data size on disc set, and files from the field Message?
... View more
Labels
- Labels:
-
eval
02-22-2024
12:41 PM
@yuanliu Is there a way to say if EventCode=70 look upstream for EventCode=250 and join User? I am only trying to capture who created the event.
... View more
02-22-2024
08:27 AM
I have an application that I am trying to monitor. There is a specific event code for when the tool is opened to modify the tool (EventCode=250). There is an EventCode for when it is closed (EventCode=100). These two codes display a user name, but the events between them do not. How can I write a search to look for these two events then display the changes between them with the username who completed the change? | from datamodel:P3 | search EventCode=250 OR 100 OR 70 OR 80
| eval user = coalesce(User, Active_User)
| eval Event_Time=strftime(_time,"%m/%d/%y %I:%M:%S %P")
| table Event_Time, host,user,Device_Added,Device_SN,Device_ID,EventCode, EventDescription Event_Time host user Device_Added Device_SN Device_ID EventCode 02/22/24 08:49:44 am Test-Com xxxxx 100 02/21/24 03:59:12 pm Test-Com xxxxx 250 02/21/24 03:56:08 pm Test-Com xxxxx 100 02/21/24 03:56:00 pm Test-Com USB 1 12345 PID_1 70 02/21/24 03:56:00 pm Test-Com USB 2 6789 PID_2 70 02/21/24 03:51:10 pm Test-Com USB 1 12345 PID_1 80 02/21/24 03:50:44 pm Test-Com xxxxx 250
... View more
02-15-2024
12:28 PM
I can run the below command in a search successfully - | eval message=replace(Message, "^Installation Successful: Windows successfully installed the following update: ", "") How can I convert this to work in a data model? Below is my base search sample result. Message=Installation Successful: Windows successfully installed the following update: Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.405.28.0) - Current Channel (Broad) In my data model I would like to use eval expression on the field message and take off - Installation Successful: Windows successfully installed the following update: Desired results - Message= Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.405.28.0) - Current Channel (Broad)
... View more
Labels
- Labels:
-
field extraction
-
rex
02-01-2024
09:12 AM
My data model is searching for all windows logins. index=* EventCode=4624 OR (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) NOT (user=*$) NOT (user=system) NOT (user=*-*) with this search i get a field called dest_nt_domain. This field will have results as - Test Test.local other My above search has the rex command to remove everything after the period. I finally have a kvlookup called Domain with a field of name. It contains one value - Test. Im wanting to evaluate the above data vs the one value in my kvlookup.
... View more
02-01-2024
08:34 AM
My current search that is working is - | from datamodel:Remote_Access_Authentication
| rex field=dest_nt_domain "^(?<dest_nt_domain>[^\.]+)"
| join dest_nt_domain [|inputlookup Domain | rename name AS dest_nt_domain | fields dest_nt_domain]
| table dest_nt_domain My problem is that this search only returns values that match. How can I change this to an evaluation? If the two items match "Domain Accout" if != "Non Domain Account" My input lookup only contains one item.
... View more
01-30-2024
05:33 AM
My current serach is - | from datamodel:Remote_Access_Authentication.local
| append [| inputlookup Domain | rename name as company_domain]
| dest_nt_domain How do I get the search to only list items in my table where | search dest_nt_domain=company_domain? Is there another command other than append that I can use with inputlookup? I do not need to add it to the list. Just trying to get the data in to compare against the datamodel.
... View more
01-26-2024
10:33 AM
My current search is - | tstats count AS event_count WHERE index=* BY host, _time span=1h | append [ | inputlookup Domain_Computers | fields cn, operatingSystem, operatingSystemVersion | eval host = coalesce(host, cn)] | fillnull value="0" total_events | stats sparkline(sum(event_count)) AS event_count_sparkline sum(event_count) AS total_events BY host How do I get operatingSystem to display in my table? When I add it to the end of my search BY host, operatingSystem my stats break in the table.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-14-2024
11:27 AM
|
