The solution is working fine but it uses a lot of resources when the number of rows in the csv file and index size grow. In my case, I have a structured data file like this:

Field-ID,Field-SourceType,Field-Substring
2,sourcetype1,Another other text with WILDCARD * here
3,sourcetype2,This is a different text for different sourcetype

I run the above query (returning the "Field-Substring" field) against some index data/events to count the number of occurrences of substrings. As there are a huge number of events and quite a large number of substrings in the csv file, it takes ages to return the result. Just wondering if there's another method to expedite searching unstructured log files for all the values in my lookup csv file and return the stats/count/etc. These unstructured indexed data/logs are only categorised based on different sourcetypes and, as you can see in the lookup csv file, each line shows the substring and its corresponding sourcetype which needs to be searched.


I needed to do this to see what strings were matching my PowerShell script blocks to weed out high false positive rates, but I keep getting an eval malformed error when I try the example above.

Set-MasterBootRecord Set-MasterBootRecord
Get-RegAlwaysInstallElevated Get-RegAlwaysInstallElevated

Error I get is: Error in 'eval' command: The expression is malformed. An unexpected character is reached at ')'.


Hello, I am stuck on a query and need someone's help please. The goal of the query is to perform a lookup on columns A and B, which is a list of hostnames and FQDNs that are the targeted scope to perform the extended lookup. I need to find out what new local accounts have been created AND who created them. OS scope would be Windows for now, however I will need to do this search on *NIX servers as well. The query itself works, but I don't know if the input scope is being targeted for sure or what is the best practice method. There are 2 columns I'm focused on in the csv, "name" and "fqdn". I have done extensive research on this and one article mentions to put in brackets after the main query, but then another article states to put in the inputlookup query as the first string and the remaining questions next. Let me know what is right/wrong or reasons why to do it either way?

sourcetype=wineventlog source="WinEventLog:Security" (EventCode=4720 OR EventCode=624)
| eval CreatedBy = mvindex(Account_Name,0)
| eval New_User = mvindex(Account_Name,1)
| table _time ComputerName EventCode CreatedBy New_User name ip_address


The last search wasn't what I was looking for, but I did get some internal support from a cross-team member. Here is what I was looking for, but I just need to modify the table outputs etc. to clean it up. Wanted to reply back so everyone can see and understand the concept. I am needing to do a subsearch on the inputlookup file searching on a column called "Asset type." for only Windows server in this example. Then we rename and match up the key/column name in the lookup csv file to the internal Splunk value of "host" so all records will search as host so Splunk doesn't get confused. Host is the default name in our Splunk server for the Windows event logs hostname so we need to match that up.

| search "Asset type / Class" = "Windows Server"
| where Account_Domain=host - to keep local account lookups, not including domain accounts.
| eval Subject_Security_ID = mvindex(Security_ID,0)
| table user, host, Subject_Security_ID - will need to add more here to get exactly what I need.


Maybe you can start by explaining the logic of using that lookup. As written, the lookup is not affecting the results at all. Why do you need that lookup? You can verify this by removing the entire block. In your code example, the subsearch will return something equivalent to ( (ComputerName="computer1") OR (ComputerName="computer2") OR ... You can add any additional string at the end of the sort command and have zero effect.
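One way to wire the inputlookup scope into the local-account creation search from this thread, as an added example and not any poster's own query: the subsearch is filtered on "Asset type / Class", both the name and fqdn columns are emitted as host so the subsearch expands to an OR of host= terms (as the reply describes), and the local-account filter compares the new account's domain to the host. The lookup file name asset_inventory.csv, and the two-value layout of Account_Name and Account_Domain in EventCode 4720 (subject first, new account second), are assumptions.

```spl
sourcetype=wineventlog source="WinEventLog:Security" (EventCode=4720 OR EventCode=624)
    [ | inputlookup asset_inventory.csv
      | search "Asset type / Class"="Windows Server"
      | eval host=mvappend(name, fqdn)
      | mvexpand host
      | fields host ]
| eval CreatedBy = mvindex(Account_Name, 0)
| eval New_User = mvindex(Account_Name, 1)
| eval New_User_Domain = mvindex(Account_Domain, 1)
| eval Subject_Security_ID = mvindex(Security_ID, 0)
| where lower(New_User_Domain) = lower(host)
| table _time host EventCode CreatedBy New_User Subject_Security_ID
```

Dropping the subsearch block should widen the results to every host, which is the quick check the reply suggests for confirming the lookup actually constrains the search. A local account's domain is the machine's NetBIOS name, so hosts indexed under their FQDN will need the where clause adjusted to compare against the short name.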