Hi, is it possible to search a field value and then count it for example first today and then add the count of the same from the week before ?  I checked this example: https://community.splunk.com/t5/Splunk-Search/search-a-value-in-previous-time-period-and-add-to-current-count/m-p/566121 and did a query like this   index=my_summary source="my_source" earliest=-1w@w | bucket span=1w _time | where Total_Requests > 10 AND Total_New_Services > 15 | stats values(info_min_time) as earliest values(info_max_time) as latest values(user) as user, values(Total_Requests) as Total_Requests, values(Service_Name) as Service_Name, values(Total_New_Services) as Total_New_Services by Account_Name _time | convert ctime(earliest) ctime(latest) | eventstats sum(Total_Requests) as Total_Requests_last7days sum(Total_New_Services) as Total_New_Services_last7days by Account_Name   only issue I see with my query is the _time values are different and the earliest & latest time values are different (its a summary index btw) but the Total_Requests, Total_Requests_last7days, Total_New_Services, Total_New_Services_last7days are as expected Any help would be appreciated, thank you!     ... View more

Hi.. I have a query that finds the values of service_name and service_name_count by user,Account_name .. I need to search for service_name_count>5 which is flagged as |eval flag1=new, and I need to exclude the history from the search using | join type=left user,Account_name [base query... earliest=-15d and latest=-7d].. . which is flagged as |eval flag2=history I need to search only for events | search flag1="New" NOT flag2="History"  Apart from these I need to find 1. Total count of new services (count the new services from all the requests that have at least 5 new services 2. Count the number of requests where each request have at least 5 new services These needs to be grouped by account_name user Please help me with any suggestions to find the above my sample code here:   index=test_index sourcetype=test_sourcetype | fields Service_Name Service_Name_Count Account_Name Account_Domain user Source_IP index sourcetype | stats earliest(_time) as earliest latest(_time) as latest values(Service_Name) as Service_Name values(Service_Name_Count) as Service_Name_Count values(Account_Name) as Account_Name values(Account_Domain) as Account_Domain values(Source_IP) as Source_IP values(index) as orig_index values(sourcetype) as orig_sourcetype by user | convert ctime(earliest) ctime(latest) | search Service_Name_Count > 5 | eval flag1="New", flag2="n.a." | join type=left Account_Name Service_Name [ search index IN (test_index2,test_index3) sourcetype=test_sourcetype2 EventCode=1234 earliest=-15d latest=-7d | fields Account_Name user Account_Domain Service_Name src_ip | rename src_ip as Source_IP | eval flag2="History"] | search flag1="New" NOT flag2="History" | table earliest latest Account_Name user Account_Domain Service_Name_Count Service_Name Source_IP flag1 flag2   Thanks in advance! ... View more

Hi, In my first search, I got all the details which needs to be displayed in the results but it doesn't have an IP field.. So, in my second search same index different category, has an IP fields and I try to join it using the user field. Both searches when run separately has results, but when using join it is not working.     index=A category=Requiredevents | rename required.user as user | fields user category identity time | join type=left user [| search index=A category=Requiredevents2 required.user=* required.ipaddress=* | rename required.user as user required.ipaddress as ipaddress | fields user ipaddress] | table user category identity time ipaddress     I also tried using stats like this, but it didn't work   (index=A category=Requiredevents) OR (| search index=A category=Requiredevents2 ) | rename required.user as user required.ipaddress as ipaddress | fields user category identity ipaddress time | stats count user category identity time ipaddress   Any help would be appreciated, thank you ... View more

Hi, I'm trying to join two searches where the first search includes a single field with multiple values. The matching field in the second search ONLY ever contains a single value. The search ONLY returns matches on the join when there are identical values for search 1 and search 2. In other words if search 1 has a field named id, and contains field1=a and field2=b and the second search contains field2=b, results aren't looking as expected The search will ONLY return results if search 1 contains a single value for field 1 Any suggestions on how to join a search with multiple values? ... View more

Does the network resolution datamodel includes both Outbound and Inbound DNS transfers? ... View more

Hi, I have a query which gives a table of results. Now instead of exporting the table, I need to export the raw events itself. How can I do that? Instead of exporting 9980 values, I need to export the whole 16882 events Any help would be appreciated! ... View more

Hey Splunkers, Can someone please help me with the logic, how can I finetune the search below to detect DNS tunnelling? The one here is too noisy.. or if a better SPL is available that can be used instead.     | tstats `security_content_summariesonly` dc("DNS.query") as count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src,DNS.query | rename DNS.src as src DNS.query as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc("DNS.answer") as count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src,DNS.answer | rename "DNS.src" as src "DNS.answer" as message | eval message=if(message=="unknown","", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 100     Thanks! ... View more

Hi, I have a list of hosts/devices say from HostA to HostZ (PS: its not  a lookup file) I want to find out which host among the list show up in the particular index, say Index=IndexA. Could someone help me on this? ... View more

Hi, Can someone please help me with a query to find Long DNS sessions?    ... View more

Hi, I have an SPL, which should exclude the ip values from 4 lookups. So i tried it with a subsearch approach. But this search takes a longer time than usual to run.  How can I optimize it?   index=a OR b action=* attack!=N/A NOT (( [| inputlookup a.csv | fields ip | rename ip as srcip]) OR ( [| inputlookup b.csv | fields ip | rename ip as src_ip]) OR ( [| inputlookup c.csv | fields ip | rename ip as src_ip]) OR ( [| inputlookup d.csv | fields ip | rename ip as src_ip])) | stats dc(attack) as dc_attack by src_ip | where dc_attack >2 | dedup src_ip     Thanks in advance! ... View more

Hi, I have a CS, which runs every 6mins looking back -65m and -5m.. It triggered a notable alert, where for the same dest value, it triggered ten notables in the same time 11.46pm........................... How much throttle time should I set to avoid this? Thankyou! ... View more

Hello, I am trying to join two searches for see, same hash exists on the other index as well. Below is my search, the issue is every time I run a search for the same timelimit, I see different results. WHY? Basesearch: I've tried to combine results of three different hash fields into one   (index=a sourcetype="a" (hash1=* OR hash2=* OR hash3=*)) | fields hash1, hash2, hash3 | table hash1, hash2, hash3 | eval hash=mvzip(mvzip('hash1','hash2',"|"),'hash3',"|") | fields hash | makemv hash delim="|" | mvexpand hash   From here, I've joined two indexes and both indexes have same field for hash files, so I'm attempting to join hash as the focus. Search seems to work fine   join type=left hash [| search (index=b sourcetype=b hashfile=*) OR (index=c sourcetype=c hashfile=*) | fields hashfile, filename,index | eval hash=hashfile]   Both the search on running individually returns 2k+ results, whereas on combining it, I could see only 1 result in the stats table and on hitting run for the same time limit every time I see different file name WHYYY? Any help would be appreciated, thanks! ... View more