Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About JeffBothel
JeffBothel
Explorer
Member since:
06-28-2017
06-11-2021
Community Statistics
| Posts | 16 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 06-28-2017 |
Activity Feed
- Got Karma for Search Notables by Time of Comments. 11-13-2021 07:04 PM
- Got Karma for Perform stats count based on the value of a field. 09-18-2020 02:52 PM
- Karma Re: Why does the following search not return a list of my indexes? for Vijeta. 06-05-2020 12:50 AM
- Karma Re: Is it possibl to get a list of available indices ? for gkanapathy. 06-05-2020 12:46 AM
- Posted Re: Why does the following search not return a list of my indexes? on Getting Data In. 10-05-2018 02:02 PM
- Posted Can you help me create a dashboard with field dependency and action state modifications? on Splunk Enterprise Security. 10-05-2018 01:20 PM
- Tagged Can you help me create a dashboard with field dependency and action state modifications? on Splunk Enterprise Security. 10-05-2018 01:20 PM
- Posted Use Splunk for a Static Value Lookup on Splunk Search. 02-27-2018 10:32 PM
- Tagged Use Splunk for a Static Value Lookup on Splunk Search. 02-27-2018 10:32 PM
- Posted Ratios based on field values in Stats on Splunk Enterprise Security. 11-09-2017 02:11 AM
- Tagged Ratios based on field values in Stats on Splunk Enterprise Security. 11-09-2017 02:11 AM
- Tagged Ratios based on field values in Stats on Splunk Enterprise Security. 11-09-2017 02:11 AM
- Tagged Ratios based on field values in Stats on Splunk Enterprise Security. 11-09-2017 02:11 AM
- Posted Re: Search Notables by Time of Comments on Splunk Enterprise Security. 11-01-2017 04:18 AM
- Posted Search Notables by Time of Comments on Splunk Enterprise Security. 11-01-2017 04:14 AM
- Tagged Search Notables by Time of Comments on Splunk Enterprise Security. 11-01-2017 04:14 AM
- Tagged Search Notables by Time of Comments on Splunk Enterprise Security. 11-01-2017 04:14 AM
- Tagged Search Notables by Time of Comments on Splunk Enterprise Security. 11-01-2017 04:14 AM
- Tagged Search Notables by Time of Comments on Splunk Enterprise Security. 11-01-2017 04:14 AM
- Posted Re: Append * to the end of values in a multivalue input on Splunk Search. 09-14-2017 02:09 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
10-05-2018
02:02 PM
The below link is what I have saved for answering this question and seems to work pretty well for me:
https://answers.splunk.com/answers/39370/is-it-possibl-to-get-a-list-of-available-indices.html
... View more
10-05-2018
01:20 PM
I am attempting to create a dashboard that has a couple input fields with one being dependent on the other.
The independent field will be a drop down to select a value that will then set the time frame for a search to a specific set and disable the use of the other field. There will be a custom selection in the drop down menu that would then set a default value and enable the time input field for utilization. I would like to have the drop-down change the token values for the time picker field so that I have one reference point for time information in the search. I have been working with the drop-down condition items and have yet to create a working solution and I was wondering if someone might have some suggestions. Here is what I have thus far:
<input type="dropdown" token="shift_select" searchWhenChanged="true">
<label>Shift for Reporting</label>
<choice value="Shft1">Shift 1</choice>
<choice value="Shft2">Shift 2</choice>
<choice value="Shft3">Shift 3</choice>
<choice value="Custom">Custom</choice>
<change>
<condition value="Shft1">
<unset token="time_range"></unset>
<set token="time_range.earliest">-24h@h</set>
<set token="time_range.latest">now</set>
<set token="time_range.enabled">false</set>
</condition>
<condition value="Shft2">
<unset token="time_range"></unset>
<set token="time_range.earliest">-48h@h</set>
<set token="time_range.latest">now</set>
<set token="time_range.enabled">false</set>
</condition>
<condition value="Shft3">
<unset token="time_range"></unset>
<set token="time_range.earliest">-72h@h</set>
<set token="time_range.latest">now</set>
<set token="time_range.enabled">false</set>
</condition>
<condition value="Custom">
<unset token="time_range"></unset>
<set token="time_range.earliest">-12h@h</set>
<set token="time_range.latest">now</set>
<set token="time_range.enabled">false</set>
</condition>
</change>
</input
... View more
02-27-2018
10:32 PM
I have a data store that information is far faster and more reach to get to with Splunk and I am trying to figure out a way to generate information from one piece automatically from this source. In this specific example I tried the following
| inputlookup datastore
| search [setfields server_ip="10.22.10.250" | lookup dnslookup clientip as server_ip output clienthost as server_fqdn | fields server_fqdn]
But this is not rendering the information that I am looking for. The IP that I am using does have a corresponding server_fqdn value in the inputlookup datastore specified (I used a known good sample for this). I am hoping someone might be able to spot what I am not seeing in terms of syntax or value handling and offer a suggestion as to how to get this to work.
... View more
- Tags:
- splunk-enterprise
11-09-2017
02:11 AM
I am looking to get a ratio in something akin to the following method but this is throwing errors from Splunk ES:
eval(count(eval(if(action!="success",1,null())))/count(eval(if(action=="success",1,null()))))
Anyone have any suggestions as to what might be the problem?
... View more
11-01-2017
04:18 AM
Also it would be nice if I could separate it by the comment creator or other fields that might be attributed as well. For example; find all the notables that I specifically worked on in a given timeframe based on a search that finds all comments I made to notables between a certain amount of time.
... View more
11-01-2017
04:14 AM
1 Karma
In working with Enterprise Security's notables I am wondering if there is a way that you can search by the time that a comment is added to a notable that is generated. For example; I want to find all the notable events that I closed in an evening based on me making a comment on that notable during that timeframe instead of when the notable was generated.
... View more
09-14-2017
02:09 AM
And you update has resolved what I was looking to do albeit it much more simply than was stated. Stepping through your idea for the solution I noticed that the introduction of the asterisk was done with an eval that was to append it to all the values of src that were in the subsearch and I thought why not just add the tiny little segment that added the asterisk to the search and see what happens; I added the following
| eval src=src."*"
to get the overall line of
[makeresults | eval src="$dashInSrc$" | makemv src delim="," | mvexpand src | eval src=src."*" | fields src]
Which garnered the results I was looking for with this item. So thank you for the assistance on this and the valuable insights.
... View more
09-13-2017
10:08 PM
While I do thank you for the information on this and the makeresults item this is not going to assist in what I am trying to accomplish. The multiselect field is not really an option because what we are search for is any IP address or hostname out of thousands of servers and some of those names might not be in data sources that I would reference for the field. Furthermore, we are going to be pulling these names from other sources as lists and putting those names we are specifically looking for into the single string search field to determine the information; i.e. the string we will use will be as follows
computer1,computer2,computer3
and I need it to be parsed from that string to the following search specifications from the string
src=computer1* OR src=computer2* OR src=computer3*
Thanks for the suggestion though.
... View more
09-13-2017
08:11 PM
I have created a multivalue parser from suggestions in the Splunk answers in the following form:
[stats count | eval src="$dashInSrc$" | makemv src delim="," | mvexpand src | fields src]
But what I would like to have happen is at the end of each value append the asterisk to broaden my search to values that might not be complete at input for the values of the fields in the events; i.e. these are hostnames being input and I would like to include * so that when the event logs the value as the FQDN it will grab that event as well.
... View more
09-13-2017
02:32 AM
Yes you are correct, the syntax is wrong but I was looking to get across what I am essentially trying to do in a clear and concise manner. I do know from having tried it previously that your second code idea does not work having put that into the search from a previous example of a similar type of code and that did not solve the issue. However, testing the first thought you had on the syntax generated the desired result for this case and as such thank you for your suggestion.
... View more
09-12-2017
11:12 PM
Making this correction to the query did not result in the desired outcome. The query returns 0 for each and every value that was specified when there are at least a few successes and failures in the queried items.
... View more
09-12-2017
09:41 PM
1 Karma
What I am looking to do is something of this nature:
| stats count(eval(if(action=success))), count(eval(if(action=failure))) by computer
but it has not been working out as I had hoped. Can anyone fill me in on what I might be able to do in order to get this result in my stats area of my search?
... View more
08-22-2017
01:10 AM
I think that I need to clarify; columns in a table that are showing the counted values in a table format. This would be in the form of host, count of success, count of failure with one in each column. Thus in the above creation of a result field I would need an evaluation of whether to count the information based on the value. What I am looking for is something like the following:
| table count(eval(if(action=="Success"))), count(eval(if(action=="Fail"))) by source
I do know that the above is not wanting to work in the method I am looking for but that is essentially it and I need it in a numerical format to do side by side comparisons of counts. As such thank you for the suggestion on a chart but a chart is not what is needed in my particular situation.
... View more
08-21-2017
11:19 PM
I am having a bit of trouble figuring out how I can get what I am looking for when it comes to separating out successes and failures.
So what I have is event information that I would like count based on the value of an action field per individual host. The table in the dashboard would end up have the three columns of the host name, counting of the events that the action was successful, and counting of the events that were unsuccessful. I would like to do this as compactly in terms of the Splunk query. I am thinking of something like running an eval to establish fail or success from the action field itself in the stats area but I am open to other solutions.
Thanks for the help everyone.
... View more
08-07-2017
08:21 PM
I think one thing to note would be I am hoping to also do this against a table of domain values. I have a list of approved domains that I am looking to compare against but there are hundreds of them that we have approved and having them in a single search might be a bit difficult. Based on what you provided I am seeing that this is something similar to this programmatic way of doing this:
foreach(emailevent in searchresults){
foreach(recipient in emailevent){
if(recipient != listdomain){
discardemail = true
}
}
}
That's essentially what I a looking to accomplish with the Splunk search so that the emails with only approved domains can be returned for evaluation.
... View more
08-07-2017
01:47 AM
I am working with an event log from an email system where all the different recipients of an email are being listed and I have taken that field from a single value field to a multivalue field. What I am trying to do is match the recipient's domain to a list of approved domain items and only those domains. I am having difficulty because if I specify something like the following
index=email | makemv delim="," recipient | recipient=*domain1.com OR *domain2.com
I end up getting emails that could contain anything that has either of those in their, including emails that contain domain1.com, domain2.com, and domain3.com in them (domain3.com being unacceptable to have included in this). I want to restrict the search for only those events that have addresses from the list of domains that are approved for sending information and any emails that contain those domains and other domains that are not on that list excluded; going back to my example here is simple illustration of what I am looking for:
included - recipient=user@domain1.com,user@domain2.com
included - recipient=user@domain1.com
included - recipient=user@domain2.com
excluded - recipient=user@domain1.com,user@domain3.com
excluded - recipient=user@domain3.com
excluded - recipient=user@domain2.com,user@domain3.com
any ideas on how to achieve this would be appreciated.
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-11-2021
12:09 PM
|
