Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About chirsf
chirsf
Explorer
Member since:
12-03-2018
06-15-2021
Community Statistics
| Posts | 16 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 12-03-2018 |
Activity Feed
- Posted Powershell Get-ADComputer not pulling in fields on Getting Data In. 06-15-2021 06:39 AM
- Got Karma for tonumber for numerical rather than lexigraphical sort in a multivalue field. 05-19-2021 12:55 PM
- Posted Re: Macro oddness with inputlookup on Splunk Search. 05-19-2021 07:06 AM
- Posted tonumber for numerical rather than lexigraphical sort in a multivalue field on Splunk Search. 05-19-2021 06:59 AM
- Posted Macro oddness with inputlookup on Splunk Search. 05-12-2021 08:41 AM
- Posted Re: Help understanding appendpipe on Splunk Search. 03-02-2021 07:32 AM
- Posted Re: Help understanding appendpipe on Splunk Search. 03-02-2021 06:54 AM
- Posted Re: Help understanding appendpipe on Splunk Search. 03-02-2021 06:34 AM
- Posted Help understanding appendpipe on Splunk Search. 03-02-2021 05:02 AM
- Posted Re: Populating non-existent values where multiple timestamp comparisons exist. on Splunk Search. 08-18-2020 09:12 AM
- Karma Re: Splunk UF forwarding to a unidirectional data diode which then forwards logs to Splunk server. No longer receiving logs from UF. (air gapped environment) for woodcock. 07-23-2020 09:46 AM
- Karma Re: auto-decode UTF-8 encoded-string for woodcock. 06-25-2020 02:22 PM
- Got Karma for Re: How do you search two indexes with disparately named fields for instances where data is in one instance but not the other?. 06-05-2020 12:50 AM
- Posted Re: tstats and a lookup on Splunk Search. 02-04-2020 12:06 PM
- Posted tstats and a lookup on Splunk Search. 02-04-2020 07:49 AM
- Tagged tstats and a lookup on Splunk Search. 02-04-2020 07:49 AM
- Tagged tstats and a lookup on Splunk Search. 02-04-2020 07:49 AM
- Tagged tstats and a lookup on Splunk Search. 02-04-2020 07:49 AM
- Tagged tstats and a lookup on Splunk Search. 02-04-2020 07:49 AM
- Tagged tstats and a lookup on Splunk Search. 02-04-2020 07:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-15-2021
06:39 AM
I've been attempting to pull data in with powershell and Get-ADComputer to pull in fields like OperatingSystem and similar fields with this, I tried something more complicated with a select-object after Properties *, but it didn't populate data so I ended up with this to troubleshoot: Get-ADComputer -Filter * -Properties DNSHostName,OperatingSystem,OperatingSystemVersion,Enabled,IPv4Address I also tried Get-ADComputer -Filter * -Properties * This doesn't populate more than the default fields from Get-ADComputer. Any tips would be appreciated, I haven't found much on this subject so far.
... View more
Labels
- Labels:
-
modular input
05-19-2021
07:06 AM
I'd have to file a ticket to get the .conf. 🙂 Can't really share the definition on a public forum. If you think it's a bug or something else like that I can file a ticket though
... View more
05-19-2021
06:59 AM
1 Karma
I'm looking for a way to numerically sort a multivalue field without expanding the field, sorting and then recombining. Essentially something like the following with a dedup. Before I post an idea I wanted to see if anyone has any ideas on how to accomplish this. Essentially I'm trying to find a way to run conversion functions from here against a multivalue field, ideally on the same eval. | makeresults
| eval line_list=split("4,3,2,1,7,2,21,9,12,19,7",",")
| eval line_list=mvsort(mvdedup(tonumber(line_list))) Instead I have to do this: | makeresults
| eval line_list=split("4,3,2,1,7,2,21,9,12,19,7",",")
| mvexpand line_list
| eval line_list=tonumber(line_list)
| sort line_list
| dedup line_list
| mvcombine line_list
... View more
Labels
- Labels:
-
eval
05-12-2021
08:41 AM
I have an odd situation with a macro starting with an inputlookup like this: inputlookup ADcomputerslist
```logic time```
| search Enabled="True" I run it like this: | `adsearchsortingv3` However it expands like this: | inputlookup ADcomputerslist where Enabled="True" This doesn't seem right to me, but I am probably doing something wrong.
... View more
Labels
- Labels:
-
other
03-02-2021
07:32 AM
Thanks to mmcul on slack this is the answer I'm going with: | append
[| gentimes start=-14 end=0 increment=1d
| eval _time=starttime, category="test", value=0
| fields _time, category, value ]
... View more
03-02-2021
06:54 AM
Yea I thought about using makecontinuous but I cannot guarantee even a single event will show up for the time range I'm looking for to use that, or I misunderstand how that works. Thanks for the leads on the other ideas i appreciate it.
... View more
03-02-2021
06:34 AM
Thanks, this makes total sense. I don't know if my solution here is the correct one, I mean it works so in that vein it's correct. However I feel like it's.. a hack lol.
... View more
03-02-2021
05:02 AM
Hi, I didn't find anything about this while searching so here's my question. I'm working on the proving a negative problem, adding appendpipe after a stats in order to display a result of 0 for each day for the period of time I need. I usually do this for a single row, however I need to have multiple rows for multiple days as output for stats or more importantly timechart. I ran into a scenario I cannot explain and wanted to understand further. While testing I created this search: | makeresults
| eval value=0, category="test", _time=strftime(now(), "%H")
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-1d@d") ]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-2d@d")]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-3d@d")]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-4d@d")]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-5d@d")]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-6d@d")]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-7d@d")]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-8d@d")]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-9d@d")]
| stats count by _time The results of this output 256 results for a single date/time, and others follow with smaller amounts but not counts of 1. If I change it to this: | makeresults
| eval value=0, category="test", _time=relative_time(now(), "-2d@d")
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-1d@d")
| dedup value category _time]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-2d@d")
| dedup value category _time]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-3d@d")
| dedup value category _time]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-4d@d")
| dedup value category _time]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-5d@d")
| dedup value category _time]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-6d@d")
| dedup value category _time]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-7d@d")
| dedup value category _time]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-8d@d")
| dedup value category _time]
| appendpipe
[| eval value=0, category="test", _time=relative_time(now(), "-9d@d")
| dedup value category _time]
| stats count by _time Every row has a single count except for one, which makes sense given how this is written. I can move forward with this, but now I would like to know why this happens.
... View more
08-18-2020
09:12 AM
I think you're running into a scenario of "proving a negative". This article should be helpful. https://www.duanewaddle.com/proving-a-negative/
... View more
02-04-2020
12:06 PM
This is what I ended up with:
| tstats max(_time) AS _time WHERE index=_internal sourcetype=splunkd source=*metrics.log by host
| rex field=host "^(?[^\.]+)"
| lookup serverswithsplunkufjan2020 host OUTPUT host as match
| where isnotnull(match)
| inputlookup serverswithsplunkufjan2020 append=true
| rex field=host "^(?[^*]+)"
| dedup host
| eval "Sending Data?" = if(isnotnull(_time), "Yes", "No")
| stats max(_time) AS _time by host "Sending Data?"
| convert timeformat="%Y/%m/%d" ctime(_time) as "Last Send Date"
| fields - _time
... View more
02-04-2020
07:49 AM
I hope I explain this well. I have the following tstats search:
| tstats max(_time) AS _time WHERE index=_internal sourcetype=splunkd source=*metrics.log by host
I also have a lookup table with hostnames in in a field called host set with a lookup definition under match type of WILDCARD(host). In the data returned by tstats some of the hostnames have an fqdn and some do not. The problem becomes the order of operations. Say I do this:
| tstats max(_time) AS _time WHERE index=_internal sourcetype=splunkd source=*metrics.log by host
| lookup serverswithsplunkufjan2020 host OUTPUT host as match
| eval "Sending Data?" = if(isnotnull(match), "Yes", "No")
Then it gives me more hosts than I'm looking for. It'll indeed show where there is a match. When I search in this manner:
| inputlookup serverswithsplunkufjan2020.csv
| join type=left host
[| tstats max(_time) AS _time WHERE index=_internal sourcetype=splunkd source=*metrics.log by host
| eval seen=1]
| eval "Sending Data?" = case(seen=1, "Yes", isnull(true), "No")
| fields - seen
It's using a join and who wants that?
I can't seem to use lookup which I need for wildcards. I can use | inputlookup fine but I can't seem to make wildcard matching work there.
I could do something like host IN ("foohost1*", "foohost2*") to search for what I need to gather, but I'd like to build something dynamic.
... View more
03-07-2019
11:58 AM
I've seen a lot about not using join subsearches, how it's slow, etc etc. Which proves to be true in practice.
What I would like to find out is why it is slow. Any insight here would be helpful.
... View more
- Tags:
- splunk-cloud
12-04-2018
07:36 AM
1 Karma
Thank you this does exactly what I was looking for.
... View more
12-04-2018
06:26 AM
Ugh that's a typo yea. That's what I get for transposing and not copying the text.
... View more
12-03-2018
02:06 PM
Here's kind of what I had been working on, which is based on what @whrg posted.
index=INDEX1 LocalAddressIP4!=127.0.0.1 LocalAddress!=0.0.0.0
NOT [search index=INDEX2 | rename ip as LocalAddressIP4 | fields LocalAddressIP4]
| table LocalAddressIP4
My expected results is a table of ip addresses which are in INDEX1 but not INDEX2. I don't think I can give out sample data from what I have.
... View more
12-03-2018
12:38 PM
Hi,
First time asking. I did a search, but maybe I used the wrong keywords. Apologies if this is a duplicate.
I have two indexes that I want to compare two disparately named fields in. The data is IP addresses, so the string should be the same format across both.
In SQL, I would do something like "where not in foo" or whatever. But, I have yet to figure out how to do a compare and then look for anything only in one index or only in the other index.
Any tips would be appreciated. Thanks
... View more
