cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
redhonda03_2
Engager
Member since: ‎04-04-2022
2 weeks ago
Community Statistics
Posts 7
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-04-2022
Activity Feed
View All

Re: regex: list parent folder only

by in Splunk Search
‎03-29-2023 01:05 PM
‎03-29-2023 01:05 PM
Tom, Thank you for taking time to provide an alternate solution! I'll have to spend some time looking at PCRE regex rules to decipher how all this fits together. I've changed some of the content and some changes do not appear to make a difference, others alter the output, and other changes break the regex. Just when I think I have the basics down, something throws me curve. ... View more

Re: regex: list parent folder only

by in Splunk Search
‎03-28-2023 02:58 PM
‎03-28-2023 02:58 PM
Hi yeahnah, The eval option you suggested worked perfectly, thank you!  I'll make a note to leverage the eval command in situations like this. ... View more

How to write regex to list parent folder only?

by in Splunk Search
‎03-28-2023 02:14 PM
‎03-28-2023 02:14 PM
I'm attempting to determine what folders on a Windows server are being audited. I don't have access to the server to view the inputs.conf file and need to discover what folders are being accessed from the audit logs sent to Splunk. The field labeled FilePath shows the entire path to the file. I have not been successful in creating a regex query to extract only the top parent folder. Because the string value of FilePath contains the full path, I am trying to figure out how to display just the first folder of the entire folder path. index=win_servers Computer="Storage" | table FilePath | rex field=FilePath "^\\ (?<FilePath>[^\\ ]+)" The search above produces the results below after passing it to dedup. H:\Folder1\subfolder1\subfolder_A H:\Folder1\subfolder1\subfolder_B H:\Folder1\subfolder2\subfolder_A H:\Folder2\subfolder1\ H:\Folder2\subfolder2\subfolder_A H:\Folder2\subfolder3\subfolder_B H:\Folder3\subfolder1\ H:\Folder3\subfolder2\ H:\Folder4\subfolder1\ H:\Folder4\subfolder2\ The results I am looking for is to just show the following: H:\Folder1\ H:\Folder2\ H:\Folder3\ H:\Folder4\ ... I've looked at the following posts and haven't been able to successfully apply what is mentioned to my situation. https://community.splunk.com/t5/Splunk-Search/rex-regex-to-extract-first-folder-name-from-the-path/m-p/287508 https://community.splunk.com/t5/Splunk-Search/Regex-Source-and-Destination-files-with-path-filename-extension/m-p/271989 https://community.splunk.com/t5/Splunk-Search/Regex-to-match-string-between-2-strings/m-p/626758#M217834 Any help would be appreciated! ... View more
Labels

Re: Is there a way in Splunk to determine how a us...

by in Splunk Search
‎02-17-2023 12:45 PM
‎02-17-2023 12:45 PM
Hi Guiseppe, Regarding you questions, yes we have have web logs and yes they are being set to splunk. You mentioned "transaction keys", is this different that values listed in one of the 'interesting fields' listed in the Splunk search? ... View more

Is there a way in Splunk to determine how a user a...

by in Splunk Search
‎02-15-2023 12:05 PM
‎02-15-2023 12:05 PM
Is there a way in Splunk to determine how a user arrived at a destination IP? Did they click a link from a certain webpage, or did they go there directly? Another way to look at it is if there is a way to separate user activity from webpage activity. Websites automatically load advertisements and other content automatically within a second, or a very small time interval. Users on the other hand are scrolling, clicking on a link, then clicking on another link which takes a significantly longer amount of time. Being able to consolidate web page activity where dozens of destination addresses are accessed within 5 seconds into a single event where just the first record is shown would help to reduce the number of results returned when you're looking at a time window containing several thousand records. ... View more
Labels

How to restore original query from InfoSec dashboa...

by in Dashboards & Visualizations
‎05-24-2022 09:12 AM
‎05-24-2022 09:12 AM
Does anyone know where I can find a copy of the original query for the "Spike in DNS Traffic (Last Day)" panel? This panel is under the Infosec Dashboard, Advanced Threats, Network anomalies section.  We've been altering the search for that panel and need to revert back to original search query. Unfortunately no copy was made prior to making changes. ... View more
Labels

How to pivot from tstats data to a regular search?

by in Splunk Search
‎04-04-2022 12:37 PM
‎04-04-2022 12:37 PM
I don't know what the best way to word the subject, so if anyone has a better recommendation after reading my question below let me know what would be a better way to word the subject. I have access to several different security dashboards from the InfoSec app. I am trying to figure out how to pivot from the summarized data shown in the dashboard which uses tstats to the traditional Search & Reporting app where I can view events and click on items of interest to narrow down the search. One example is seeing an alert on a dashboard and when I open the search tstats only shows the source IP addresses. I'd like to see more information, such as a destination and other fields but tstats isn't designed to show information when you click on "events". This why I'd like to take the information from tstats and open up the Search and Reporting app so  I can scroll through the list of fields on the left and use that to help refine results. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
2 weeks ago