Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Xe03kfp
Xe03kfp
Path Finder
Member since:
01-15-2013
11-03-2023
Community Statistics
| Posts | 42 |
| Solutions | 0 |
| Karma Given | 10 |
| Karma Received | 1 |
| Member Since | 01-15-2013 |
Activity Feed
- Karma Re: Calculate totals from columns but keep summary for lguinn2. 06-05-2020 12:46 AM
- Karma Re: How to allow powershell scripts on windows server for yannK. 06-05-2020 12:46 AM
- Karma Re: 2 searches, focus on 1 unique field of the two searches to do a calculation of time for sideview. 06-05-2020 12:46 AM
- Karma Re: Calculate eval (_raw,field) stats time Field - Field = TotalTime for sideview. 06-05-2020 12:46 AM
- Karma Re: Calculate eval (_raw,field) stats time Field - Field = TotalTime for sideview. 06-05-2020 12:46 AM
- Karma Re: Calculate eval (_raw,field) stats time Field - Field = TotalTime for sideview. 06-05-2020 12:46 AM
- Karma Re: Calculate Seconds that are over 60 minutes, to Days, Hours, Minutes, Seconds for jaraneda. 06-05-2020 12:46 AM
- Karma Re: Total Time in D:M:H:S- using appendpipe instead of totalseconds and display on Dashboard for jonuwz. 06-05-2020 12:46 AM
- Karma Re: Search multiple hosts with one search string for herkalurk. 06-05-2020 12:46 AM
- Got Karma for Calculate eval (_raw,field) stats time Field - Field = TotalTime. 06-05-2020 12:46 AM
- Karma Re: Is there a maximum number of forwarders per indexer? for gkanapathy. 06-05-2020 12:45 AM
- Posted Re: Search multiple hosts with one search string on Splunk Search. 02-25-2013 11:35 AM
- Posted Search multiple hosts with one search string on Splunk Search. 02-25-2013 11:28 AM
- Tagged Search multiple hosts with one search string on Splunk Search. 02-25-2013 11:28 AM
- Tagged Search multiple hosts with one search string on Splunk Search. 02-25-2013 11:28 AM
- Tagged Search multiple hosts with one search string on Splunk Search. 02-25-2013 11:28 AM
- Posted Re: Don't want column names as values in the report on Splunk Search. 02-15-2013 07:00 AM
- Posted Re: Total Time in D:M:H:S- using appendpipe instead of totalseconds and display on Dashboard on Splunk Search. 02-15-2013 05:05 AM
- Posted Total Time in D:M:H:S- using appendpipe instead of totalseconds and display on Dashboard on Splunk Search. 02-14-2013 04:13 PM
- Tagged Total Time in D:M:H:S- using appendpipe instead of totalseconds and display on Dashboard on Splunk Search. 02-14-2013 04:13 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
02-25-2013
11:28 AM
How would I search multiple hosts with one search string?
I have 6 hosts and want the results for all:
Search String:
index="rdpg"
( 2222222 dest_port="") OR (1111111 src_port="") OR ( 1111111 src_ip="") OR (2222222 dest_ip="")
| eval disconnect_time=if(match(_raw,"2222222"),_time,null())
| eval connect_time=if(match(_raw,"1111111"),_time,null())
| eval Ephemeral=if(isnotnull(disconnect_time),dest_port,Ephemeral)
| eval Ephemeral=if(isnotnull(connect_time),src_port,Ephemeral)
| stats min(connect_time) as Connect max(disconnect_time) as Disconnect min(src_ip) as "Source IP" max(dest_ip) as "Destin ip" by Ephemeral
| eval Seconds=Disconnect-Connect | fieldformat Seconds=strftime('Seconds', "%s")
| eval "Total Time"=tostring(Seconds,"duration")
| where Seconds > 300
| search Connect=* Disconnect=*
| appendpipe [stats sum(Seconds) as "Total Seconds" ]
| convert timeformat="%a %b-%d %Y "at" %H:%M:%S" ctime(Connect) ctime(Disconnect)
Hosts= Srv004 Srv005 Srv181 Srv192 Srv142 Srv181
... View more
02-15-2013
07:00 AM
Could we get a little more information as to one of your searches using your answer?
... View more
02-15-2013
05:05 AM
Thanks! Appendpipe fix worked! I will let you know about the XML after implement it 🙂 -YOU DA MANG!
... View more
02-14-2013
04:13 PM
I am trying to somehow get a total sum of the "Total Time" column and have it be on a separate line rather the next line because it adds totals of anything with a number. I found appendpipe to go to the next line.
Search string:
index="rdpg"
( 2222222 dest_port="") OR (1111111 src_port="") OR ( 1111111 src_ip="") OR (2222222 dest_ip="")
| eval disconnect_time=if(match(_raw,"2222222"),_time,null())
| eval connect_time=if(match(_raw,"1111111"),_time,null())
| eval Ephemeral=if(isnotnull(disconnect_time),dest_port,Ephemeral)
| eval Ephemeral=if(isnotnull(connect_time),src_port,Ephemeral)
| stats min(connect_time) as Connect max(disconnect_time) as Disconnect min(src_ip) as "Source IP" max(dest_ip) as "Destin ip" by Ephemeral
| eval Seconds=Disconnect-Connect | fieldformat Seconds=strftime('Seconds', "%s") | eval "Total Time"=tostring(Seconds,"duration") | where Seconds > 300
| search Connect=* Disconnect=* | appendpipe [stats sum(Seconds) as "Total Seconds" ]
| convert timeformat="%a %b-%d %Y "at" %H:%M:%S" ctime(Connect) ctime(Disconnect)
See results -=HERE=-
ALSO: If I have a dashboard and I can get this total time thing working... can I somehow have a "button" that displays the total time based on a timeframe I specify?
Here is my Dashboard and the "button" I'd like Example --The Red things 🙂
... View more
02-12-2013
11:09 AM
I found addcoltotals gives me a total in seconds for the field I specify, then I will have to convert the seconds.
... View more
02-12-2013
10:39 AM
Yes that worked! To make it pretty..is there a way to take away the miliseconds? Also, how would I sum the "Total Seonds" as a "Total Time" like: | transpose | "Total Time" string --so the total time shows left justified?
... View more
02-12-2013
10:11 AM
I have an issue with calculating seconds that go over 60 minutes that sums to be a few days.
One of my eval calculations sums to be 496089.166322 seconds and if I use
|fieldformat "Total Time"=strftime('Total Time', "%M:%S") I get 48:09 as the sum but should calculate to 5 days, 17 hours, 48 minutes and 9 seconds
I am not sure if I have to use a macro to do the job? LINK
Or missing something obvious?
I have searched through every variation of this and have tried all the common date and time format variables with strftime( converts epoch time to format Y )
Here is my current search string where I have to break down the Days Hours Minutes and Seconds along with a ScreenCapture
Search String:
index="snort"
( 2222222 dest_port="") OR (1111111 src_port="") OR ( 1111111 src_ip="") OR (2222222 dest_ip="")
| eval disconnect_time=if(match(_raw,"2222222"),_time,null())
| eval connect_time=if(match(_raw,"1111111"),_time,null())
| eval Ephemeral=if(isnotnull(disconnect_time),dest_port,Ephemeral)
| eval Ephemeral=if(isnotnull(connect_time),src_port,Ephemeral)
| stats min(connect_time) as Connect max(disconnect_time) as Disconnect min(src_ip) as "Source IP" by Ephemeral
| eval Seconds=Disconnect-Connect
| fieldformat "Seconds"=strftime('Seconds', "%s")
| eval Minutes=Seconds/60 | eval Hours=Minutes/60
| eval Days=Hours/24
| convert timeformat="%a %b-%d %Y "at" %H:%M:%S" ctime(Connect) ctime(Disconnect)
| search Connect=* Disconnect=*
| rename Ephemeral as "Connection Port", Total_time as "lala"
... View more
02-11-2013
12:51 PM
Simon -- Your macro: sla-sec2time(2) is that the name of your index source? I need the same, per the below, and currently have a Days Hours Minutes Seconds column! 😞 sigh.
... View more
02-11-2013
11:03 AM
index="snort"
( 2222222 dest_port="") OR (1111111 src_port="") OR ( 1111111 src_ip="") OR (2222222 dest_ip="")
| eval disconnect_time=if(match(_raw,"2222222"),_time,null())
| eval connect_time=if(match(_raw,"1111111"),_time,null())
| eval Ephemeral=if(isnotnull(disconnect_time),dest_port,Ephemeral)
| eval Ephemeral=if(isnotnull(connect_time),src_port,Ephemeral)
| stats min(connect_time) as Connect max(disconnect_time) as Disconnect min(src_ip) as "Source IP" by Ephemeral
| eval Total_Time(secs)=Disconnect-Connect
| convert timeformat="%a %b-%d %Y "at" %H:%M:%S" ctime(Connect) ctime(Disconnect)
| fieldformat "Calculated Time"=strftime('Total_Time(secs)', "%M:%S")
| search Connect=* Disconnect=* | rename Ephemeral as "Connection Port"
Looks like - THIS!
Thanks to the help of Sideview!!
... View more
02-08-2013
11:57 AM
Ideas on adding a field column? src_ip of 1111111 and NOT 2222222 ( because it will be a different IP )
... View more
02-08-2013
11:56 AM
sideview:
Got it working minus adding a field "src_ip of 1111111"
index="snort"
( 2222222 dest_port="*") OR (1111111 src_port="*")
| eval disconnect_time=if(match(_raw,"2222222"),_time,null())
| eval connect_time=if(match(_raw,"1111111"),_time,null())
| eval Ephemeral=if(isnotnull(disconnect_time),dest_port,Ephemeral)
| eval Ephemeral=if(isnotnull(connect_time),src_port,Ephemeral)
| stats min(connect_time) as Connect max(disconnect_time) as Disconnect by Ephemeral
| eval Total_Time(secs)=Disconnect-Connect
| convert timeformat="%F" ctime(Connect) ctime(Disconnect)
| fieldformat "Calculated Time"=strftime('Total_Time(secs)', "%M:%S")
| search Connect=* Disconnect=*
... View more
02-08-2013
08:10 AM
AND --How do I convert Unix time to standard time format and convert the "Connection Time" to Hours:Minutes:Seconds
Via Google and Answers searches I have tried:
|fieldformat _time=strftime('duration', "%H:%M$S")
| convert TIME_FORMAT = %H:%M:%S
| Fieldformat timeVariable = totalCount(timeVariable,"duration")
To me it is a matter of possibly putting the time formatting after the | stats min(connect_time) as connect ........... string and then have the eval totalCount= after the time formatting string(that I do not know) ?
... View more
02-08-2013
08:09 AM
Search String:
index="snort"
( 2222222 dest_port="") OR (1111111 src_port="")
| eval disconnect_time=if(match(_raw,"2222222"),_time,null())
| eval connect_time=if(match(_raw,"1111111"),_time,null())
| eval Ephemeral=if(isnotnull(disconnect_time),dest_port,Ephemeral)
| eval Ephemeral=if(isnotnull(connect_time),src_port,Ephemeral)
| stats min(connect_time) as connect max(disconnect_time) as disconnect by Ephemeral | eval totalCount=disconnect-connect
| search connect=* disconnect=*
| rename totalCount as "Connection Time"
... View more
02-08-2013
08:09 AM
Fixed but ran into another issue with a "post-reporting 'eval; command --error. I know why but no matter where I put the eval, I stil. receive a parsing error. -=See Here=-
... View more
02-07-2013
09:37 PM
I've tried a few things:
The above and | stat sum(eval(disconnect - connect)) as Total ( I believe yours gave me a return summary but did not create a new field) As well as others but those gave me parsing problems and yours and mine gave a blank result but "97 results" It giving a blank result that it kinda works? or does not know what to do with it because there is something missing? If I use | addtotals, I get "ports" as the result, just a mirror of the same numbers.
... View more
02-07-2013
02:44 PM
Understood. As for the total Calculation:
Disconnect time - Connect Time = TimeDifference in minutes, instead of seconds.
I assume I tack on another stats or eval clause like:
|eval totalCount = disconnect_time - Connect_time
| max(totalCount) as TotalCount
?
... View more
02-07-2013
01:54 PM
I posted an additional question if you have a few minutes?
-=HERE=-
... View more
02-07-2013
01:53 PM
Link to the background of this and link to the answer
-= HERE =-
... View more
02-07-2013
01:48 PM
I have until next Friday to produce something. sigh
... View more
02-07-2013
01:48 PM
-=HERE=- is a log file, if this makes testing easier. I wish I was not kidding about my job is on the line...
Right Click and Save as 🙂
... View more
02-07-2013
01:43 PM
1 Karma
This is what I have
( 2222222 dest_port="*") OR (1111111 src_port="*")
| eval disconnect_time=if(match(_raw,"2222222"),time,null())
| eval connect_time=if(match(_raw,"1111111"),time,null())
| eval Ephemeral=if(isnotnull(disconnect_time),dest_port,myPortField)
| eval Ephemeral=if(isnotnull(connect_time),src_port,Ephemeral)
| stats min(connect_time) as connect max(disconnect_time) as disconnect by Ephemeral
Gives me -=THIS=- In Bold Black is what I'd like to have.
Secondly, the "Ephemeral" ports, I'd like to have nulled/not show. ??
-They do not have a Connect & Disconnect time -"not associated" with anything else. --They are a snort signature false positive.
Is this possible? I am in a huge jam at work where my job is on the line... 😞
... View more
02-06-2013
06:15 PM
Here is the search you wanted me to do:
" I think what you want is:
( 2222222 dest_port="") OR (1111111 src_port="")
"
HERE is the result of that search which gives me both src and dest port
If you notice both src_port and dest_port are highlighted. I tried every way I could to somehow combine the searches to be totally 2 seperate searches of the two fields but was unsuccessful.
... View more
02-06-2013
05:49 PM
Mind you I do have a false positive from snort that does not have the same ephemeral port and may have blank times --or is there a way to say "if none are the same then NOTshow ?
... View more
02-06-2013
05:49 PM
Is why I had to search for two fields but only interested in the src and dest port fields. I needed to create a search that will arrive at giving me the 2222222 and 1111111 ephemeral port and calculate the time _time of 2222222 - _time 1111111 = Total time
I'd like to have:
Summary--
SRC IP Total Time
SRC IP Total Time
-Of all unique SRC IP's
&
Total Time from ALL as a total calculation ( which will be based on the search time frame I select)
... View more
