Calculate difference between 2 timestamps in days?
I'm trying to calculate the difference between two timestamps in number of days. Here is my query: base_search | eval intime = strptime(minTime, "%Y-%m-%dT%H:%M:%S") | eval outtime = strptime(maxTime,...
Missing events? JSON payload and indexed_extractions
We have events where the JSON payload has 100s of fields. When I table a field, we can see entries for some events but not others. However, if I `spath` the field beforehand, I then can discover it. We...
Error in 'eval' command: The expression is malformed. Expected
Hi all, need help for a use case here. We are trying to set up an alert based on the below data: value1 (the average of the past 7 days since yesterday), value2 (the average of yesterday's day). If value2 is lower...
Encrypted Sendmail?
I don't see a cut-and-dry answer on whether or not the Splunk Sendmail does encrypted email via PKI or any other mechanisms. I see that the alert_actions has TLS and SSL for secure comms to the relay...
How to create a report for VPN user sessions including username, source ip,...
We have a customer who had a CISCO firewall but got it replaced by Sonicwall, now the VPN user session reports are not generating correctly... What needs to be checked? Please share details.
I would like to create a pie chart based on "keywords" found in a field.
index=timswindows sourcetype=ActiveDirectory [search index=timswindows sourcetype=WinEventLog EventCode=4624 Account_Name!="-" | dedup Account_Name | stats values(Account_Name) as sAMAccountName] |...
Consistently receiving connection timed out for a website which has been...
Hi, I'm getting a lot of connection timed out for a website which has been configured for monitoring. The connection timed out has a blank response code. I'm a bit confused: does the connection timed...
Help with creating field extractions for map
Can you help with creating field extractions for map? Please use the ES CIM model where possible for field names. There are some variations in the log files so I included these two that we're looking at:...
How to create a report for VPN user sessions including username, source ip,...
We have a customer who had a CISCO firewall but got it replaced by Sonicwall, now the VPN user session reports are not generating correctly. What needs to be checked? Please share details.
How to create a pie chart based on "keywords" found in a field?
index=timswindows sourcetype=ActiveDirectory [search index=timswindows sourcetype=WinEventLog EventCode=4624 Account_Name!="-" | dedup Account_Name | stats values(Account_Name) as sAMAccountName] |...
Help on mvcount to get the accurate count of a keyword by source
I have logs that have a keyword "*CLP" repeated multiple times in each event. I am trying to get the total count of CLP in each event. Here is the query I am using. The problem I am facing is this query...
Find values that are not in a summary index
Good day, I have sysmon information collected in an index called sysmon. I also have created a summary index "HASh256" of all hashes that are known to be good. I'd like to write a query that shows me...
Extract fields from array of data and find best performing currency.
SSP Request: { "disableAMLFlag" = "false"; "orderAttributes" = { "OrderAttributes" = { "requestPostalIndicator" = "X"; "soldToParty" = "76"; "shipCompleteIndicator" = "false";...
How to set time zone dynamically based on host name?
I've got 95% of this new input working, but was hoping to also configure the TZ (dynamically) based on the host name value. I would like to set the correct time zone based on the hostname starting with...
How to find values that are not in a summary index
Good day, I have sysmon information collected in an index called sysmon. I also have created a summary index "HASh256" of all hashes that are known to be good. I'd like to write a search that shows me...
How to break 2 lines of JSON as one event?
Hi, currently I am having a hard time breaking these 2 JSON lines. They are being read by Splunk as one event. This happens for some types of events (being treated as one) {"timestamp":"2019-09-05...
Search Lookup Error can locate resources vader_lexicon
I have installed NLP Text Analytics and the other supporting apps. The app is working fine on an identical search head but not this new search head. The only difference is that the new search head...
Are there any docs about the SHC upgrade path?
Hello, I would like to know the upgrading order about SHC and IDX. I saw the following doc and answer. https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/UpgradeaSHC...
User feedback to an alert by replying to the alert email
Hi, I am trying to control the email alerts that are generated by Splunk. So once a KPI's transaction failure is above the threshold and an alert is generated, is there a way that a user replies to...
Alert throttle only when the transaction failure is below the first alert
Hi, is there a way, if an alert is generated with a transaction failure above threshold, that it should only throttle if the next alert result is less than the first transaction failures? If the next...