Hi All,
I've two sourcetypes with user information. I want to match the users by time.
Please provide me with the Splunk search to match the users by time.
If the users do not match at that time, I need to set up an alert.
I want to extract the act and action fields. If you remove the stats command, I'm not getting the unique values from the action field.
The values I'm looking for:
act = GET,POST,GET,GET,GET,GET,POST,POST
action = GET POST
I'm looking for the transforms.conf and props.conf to get the two fields act and action.
index=blue_sec sourcetype=rsa:security_analytics
| rex field=_raw "act=(?<act>[^\"]+)\sspt=" | makemv delim="," act | stats values(act) AS action by _raw
| rex field=_raw "act=(?<act>[^\"]+)\sspt=" | table act,action