cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
gfisbeck
Explorer
Member since: ‎09-17-2019
‎05-09-2022
Community Statistics
Posts 10
Solutions 0
Karma Given 1
Karma Received 2
Member Since ‎09-17-2019
Activity Feed
View All

Re: Counting events for all users in a lookup tabl...

by in Splunk Search
‎05-04-2022 12:27 PM
‎05-04-2022 12:27 PM
Thanks, @richgalloway.  Will filldown work if I have different department values? In my last example, I simplified the source table. if my source looks more like this:   actor.email department weekNumber numDays --------------------------------------------------------------------------- user1@company.com Sales 0 0 user2@company.com Engineering 0 0 user3@company.com HR 0 0 user1@company.com 0 13 3 user2@company.com 0 13 1 user3@company.com 0 13 3 user1@company.com 0 14 2 user2@company.com 0 14 1 user3@company.com 0 14 3 user1@company.com 0 15 2 user2@company.com 0 15 3 user3@company.com 0 15 3   Is it possible to apply the "fill" command by field (like actor.email)? In other words, I want all user1@company.com events to have a department of "Sales". ... View more

Re: Counting events for all users in a lookup tabl...

by in Splunk Search
‎05-04-2022 06:19 AM
‎05-04-2022 06:19 AM
Thanks for the suggestions. Unfortunately both of these suggestions fail because of the time-series requirement (I'm trying to count the number of days in a given week that a user interacted with the system).  So when I add the append [|inputlookup ...] to the end of the search, the follow with a | stats max(*) as * by actor.email, _time, I get something like this: actor.email weekNumber department numDays ------------------------------------------------------------------------------ user1@company.com 0 Sales 0 user1@company.com 15 0 4 user1@company.com 16 0 3 user1@company.com 17 0 3   Since I want to have the count by actor.email and weekNumber how can I apply the department tag if the inputlookup doesn't have a matching weekNumber for every possible row? ... View more

How to count events for all users in a lookup tabl...

by in Splunk Search
‎05-03-2022 01:45 PM
‎05-03-2022 01:45 PM
I have a lookup table that lists all users along with their department like so:   email department --------------------------------------- user1@company.com Sales user2@company.com Engineering user3@company.com Accounting user4@company.com Sales user5@company.com HR     I also have an index that list events for a particular application. The index contains lots of fields, but for my purposes, I'm really only interested in _time and actor.email. My goal is to count the number of days per week every user in a given department logs events in the index even if that number is zero.  I can get pretty close to what I want with this search:   index=whatever <base search here> | lookup user.csv email as actor.email OUTPUT department | bin _time span=1d | search department="Sales" | stats count as numEvents by _time, actor.email | eval weekNumber = strftime(_time,"%U") | stats dc(_time) as numDays by actor.email, weekNumber | xyseries actor.email, weekNumber, numDays     The problem with this search is that if there is a user in the lookup table who returned zero events during that time frame, they won't appear in the results.  I considered trying to append [|inputlookup user.csv] to the search, but because my append doesn't include a _time field, I can't get everything to line up correctly.   How do I run a search for every user in the correct department in the lookup table and return zero events per week if they didn't interact with the system? ... View more
Labels

PAN-OS 9.1.1 Breaks Data Model?

by in All Apps and Add-ons
‎03-10-2020 07:54 PM
2 Karma
‎03-10-2020 07:54 PM
2 Karma
My network team upgraded our Palo Altos to 9.1.1 and it looks like Palo Alto may have changed the format of GlobalProtect logs... I'm no longer seeing activity in the data model matching the following search: | tstats summariesonly=t latest(log.event_id) AS latest_event, values(log.agent_message) AS log.agent_message, values(log.src_ip) AS log.src_ip count FROM datamodel="pan_firewall" WHERE nodename="log.system.globalprotect" groupby _time log.event_id log.user | rename log.* as * | search event_id="globalprotectportal-auth-succ" Essentially, all events matching the WHERE clause: nodename="log.system.globalprotect" stopped after the upgrade. Has anyone else seen this issue? Does anyone know if there's a fix for this in the works? ... View more

Re: Is CCURE add-on compatible with CCURE 9000

by in Splunk Enterprise Security
‎11-25-2019 10:00 AM
‎11-25-2019 10:00 AM
@richardphung: Would you mind sharing your DB query? I'm looking to set this up and am curious to know what you used... ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-09-2022 11:02 AM
Karma from
View All
Karma given to
View All