How to exclude fields with alphanumeric characters and rfc1918 addresses
I am trying to do a query on traffic excluding RFC 1918 addresses. The problem is the raw data has CheckPoint "object names" rather than IP addresses in the "dst" field. So the raw data field might...
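Added example (not from the post or from Splunk): the filter the question asks for has two parts, drop values that are not dotted-quad addresses (the CheckPoint object names) and drop the three RFC 1918 ranges. In SPL that is `| where match(dst, "^\d{1,3}(\.\d{1,3}){3}$") AND NOT (cidrmatch("10.0.0.0/8", dst) OR cidrmatch("172.16.0.0/12", dst) OR cidrmatch("192.168.0.0/16", dst))`. The Python below applies the same logic to a constructed list of dst values (the object names are hypothetical) so the edge cases can be checked offline: 172.32.x is outside 172.16.0.0/12, an object name that merely contains an IP-like substring is still an object, and an octet above 255 is neither private nor public.

```python
import ipaddress
import re

# Constructed sample values for a CheckPoint "dst" field (hypothetical, not
# taken from the post): raw IPs mixed with firewall object names.
SAMPLE_DST = [
    "10.1.2.3",         # RFC 1918
    "192.168.44.7",     # RFC 1918
    "172.31.0.10",      # RFC 1918 (inside 172.16.0.0/12)
    "172.32.0.10",      # public: just outside 172.16.0.0/12
    "8.8.8.8",          # public
    "Web_Server_DMZ",   # object name
    "Net_10.0.0.0",     # object name that merely contains an IP-like string
    "300.1.1.1",        # looks like a dotted quad but is not a valid address
]

RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Anchored dotted-quad check, the same test as SPL match(dst, "^\d{1,3}(\.\d{1,3}){3}$")
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(value):
    """Label one dst value: 'object', 'invalid', 'rfc1918' or 'public'."""
    if not DOTTED_QUAD.match(value):
        return "object"          # alphanumeric object name, not an address
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "invalid"         # e.g. an octet above 255
    if any(addr in net for net in RFC1918_NETS):
        return "rfc1918"
    return "public"


def external_only(values):
    """Keep only routable destinations: drops RFC 1918 addresses and object
    names, which is the filter the question asks for."""
    return [v for v in values if classify(v) == "public"]


if __name__ == "__main__":
    for v in SAMPLE_DST:
        print(f"{v:16} {classify(v)}")
    print("external:", external_only(SAMPLE_DST))
```

If the object names should be kept and only the private ranges dropped, change `external_only` to keep `"object"` as well; the SPL equivalent is to move the `match()` test inside the `NOT (...)` instead of ANDing it.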
Regex help! Want to start after the \ and collect the user name that follows
I want to start after the \ and collect the user name, but the user name is in delimited format (.). Field name = UserName; example of a field value: BDDLOX3855\john.doe. Would it be possible to replace the...
Use of _indextime field in table or stats command
Hi all, how can I use the _indextime field in a table or stats command without renaming or converting it? Not working, e.g.: * | table host source sourcetype _time _indextime _raw. It's working if I rename the...
Splunk DB Connect: very little data being indexed
Hi, I do see thousands of records being read by my query in the log file splunk_app_db_connect_job_metrics.log. I use a rising column (AutoID in this case, for the McAfee ePO database). I have a custom...
Source and Sourcetype
Source - The source of an event is the name of the file, stream, or other input from which the event originates. 1) Which are the sources of the event? Simulate me some real situations. Sourcetype - The...
Parsing logs from UDP input
I installed the add-on for my product, but the problem is that the add-on is intended to collect data from a file, and not from receiving on UDP port 514. How should I reconfigure the conf files to make it work?
Best way to manage extracted fields from a raw log
I imported some custom logs for file auditing. Each log message is very long; it has 7 types of messages. To normalize/extract useful fields from the raw log, I wrote 7 separate regexes to fully extract every...
How can we get the total number of users accessing the search head clusters from...
We have created a search head cluster with 3 instances which are in the cluster; we are looking to get the number of users accessing the apps and get their count from one instance.
Using results from a loadjob and data from an index in the same SPL query.
Hi all, I am trying to use the results from a loadjob but to link these to data that's held in an index. I can define the loadjob entry but I cannot appear to include the index & source in the same...
DB Connect Checkpoint Set To Null
I am trying to collect SQL Trace logs using Splunk DB Connect 3.1.1. I am currently using the Splunk Add-On for Microsoft SQL Server's mssql:trclog template for the query. I am currently using...
Return '0' when no results found in a table with the corresponding source
Hi Folks, I want to produce a count of events in each of my indexes. Where there isn't any data for the time range I specify in my search, I want to return 0 next to the corresponding index. So far...
Base64 decode in search cannot display traditional Chinese
Hi, I use the Base64 app to decode our encoded string. I can get the numeric characters, but can't get the traditional Chinese characters. Any idea about that?
How can I calculate column differences when column names are unknown?
My datasource is a json structure which will include the following on each record: { "metrics": [ {"name":"MetricName1", "value":"1", "units": "s"}, {"name":"MetricName2", "value":"1", "units": "s"},...
Change the color of rows in a table based on text value in Splunk 6.4 version
My table is as follows:
RAG status | Count
Red        | 1
Amber      | 4
Green      | 10
Grey       | 7
I am using this code from the link:...
Compare search field to similar field in lookup1 then compare to field in...
Hi, I'm having trouble trying to do the following: I have a search which pulls the event_id, which I would like to compare against the first lookup_file1 [alert_id], which contains a column called...
Stacked bar chart legend order reverse of stacking order
When creating a stacked bar chart and putting the legend definitions on top, the legend order is the reverse of the stacking order for the bar chart, making it look like this: [screenshot]
SHC deployer
Hello, could you let me know if it's a GUI bug? I use /shcluster to deploy SH configurations, but the role "SHC deployer" isn't indicated on our 6.5.2 Enterprise: [screenshot] Thanks.
Search Notables by Time of Comments
In working with Enterprise Security's notables I am wondering if there is a way that you can search by the time that a comment is added to a notable that is generated. For example; I want to find all...
I am trying to subtract one column from another and want to do it for other...
My data is like this: Column1 Column2 Column3 Total. I am using the below command: |foreach Column* [ eval Answer<<MATCHSTR>> = Total - <<FIELD>> ] |table Column1, Column2, Column3 Answer1, Answer2,...
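Added example (not from either post or from Splunk), serving both the JSON-metrics question above ("calculate column differences when column names are unknown") and this one. In SPL the column names are discovered at search time: `spath` turns the `metrics` array into fields, and `foreach Column* [eval Answer<<MATCHSTR>> = Total - <<FIELD>>]` runs the eval once per matching field, with `<<FIELD>>` the full field name and `<<MATCHSTR>>` the part matched by the wildcard (so Column1 yields Answer1). The Python below reproduces both steps on constructed records with hypothetical metric names, and adds a consecutive-row difference for the JSON case, which the question does not show but which is the usual reason for wanting dynamic columns.

```python
import fnmatch
import json

# Constructed sample records (hypothetical metric names, not from the post).
# Each record carries the JSON shape described in the question plus a Total.
SAMPLE_RECORDS = [
    {"host": "app01", "Total": 10, "metrics": [
        {"name": "MetricName1", "value": "1", "units": "s"},
        {"name": "MetricName2", "value": "4", "units": "s"}]},
    {"host": "app02", "Total": 7, "metrics": [
        {"name": "MetricName1", "value": "2", "units": "s"},
        {"name": "MetricName3", "value": "5", "units": "s"}]},
]


def flatten_metrics(record):
    """Promote each metrics[].name/value pair to a top-level numeric field
    (MetricName1=1.0 ...), which is what spath plus a per-element eval does."""
    row = {k: v for k, v in record.items() if k != "metrics"}
    for m in record.get("metrics", []):
        row[m["name"]] = float(m["value"])
    return row


def foreach_subtract(row, pattern, total_field="Total", out_prefix="Answer"):
    """Emulate `foreach <pattern> [eval Answer<<MATCHSTR>> = Total - <<FIELD>>]`:
    for every field matching the wildcard, add out_prefix + matched-part."""
    out = dict(row)
    stem = pattern.rstrip("*")            # text before the wildcard
    for field in sorted(row):
        if field == total_field or not fnmatch.fnmatchcase(field, pattern):
            continue
        matchstr = field[len(stem):]      # the part the '*' matched
        out[f"{out_prefix}{matchstr}"] = row[total_field] - row[field]
    return out


def column_differences(rows, pattern):
    """Per-column delta between consecutive rows for every wildcard column
    present in both rows; column names need not be known in advance."""
    diffs = []
    for prev, cur in zip(rows, rows[1:]):
        common = [f for f in cur if fnmatch.fnmatchcase(f, pattern) and f in prev]
        diffs.append({f: cur[f] - prev[f] for f in sorted(common)})
    return diffs


if __name__ == "__main__":
    rows = [flatten_metrics(r) for r in SAMPLE_RECORDS]
    for r in rows:
        print(json.dumps(foreach_subtract(r, "MetricName*")))
    print(column_differences(rows, "MetricName*"))
```

Columns that exist in only one of two rows are skipped rather than treated as zero; decide that explicitly (the SPL equivalent is `fillnull` before the `foreach`) instead of letting a missing metric masquerade as a change.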
TimeRangePicker locking up when selecting a range before the page fully loads
For my dashboard, there are many objects that load when the dashboard is selected. I am working in HTML mode, and have a TimeRangePicker w/ a Submit button that renders searches only on demand. I've...