Hello, new to using base searches, and could not find the answer to my issue. I am trying to convert an antivirus dashboard used by the desktop team to a base search, in hopes of improving performance and being less of a hit on the search heads. The dashboard takes data from two products and gives a near real time refresh of status. The issue I am experiencing is that one of the panels is a graph for the desktop lead. By itself it's fine; with the base search, then sub search, it misses one category, but when going to the search on that panel, the category is there in the chart. Here is what the dashboard panel looks like:

| stats count by ActionTaken, Status, _time | timechart span=1d count(Status) by ActionTaken | append |

index=sophos sourcetype="sophos:threats" | regex FullFilePath!="eicar" | regex FullFilePath!="pagefile.sys" | eval _time=strptime(InsertedAt,"%Y-%m-%d %H:%M:%S.%N") | rename user as User | search (Status="Cleanable" OR Status="Not Cleanable" OR Status="Cleanup failed" OR Status="Threat type not cleanable") is the sub search.

And I tried rex mode=sed field=search "s/(field1|field2)//g" at the end of the subsearch, no luck. I am sure it's something simple I am missing.

I am trying to use a list from a CSV file to query results for that list, but I only get a result from the first row. The query looks like such:

index=wineventlog SourceWorkstation [| inputlookup test.csv | fields "Workstation Name" | rename "Workstation Name" as search]

Using the subsearch two times should be a workaround, but if I want three or more, I believe there should be a solution.

The filenames contain the source that we received the file from, and have a three digit sequence number as a suffix. We receive several hundred files per day from 20 different sources.
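The following Simple XML is an added example, not the poster's dashboard or a Splunk-supplied snippet. It shows the two techniques the questions above are about: a dashboard base search with a post-process search for the Sophos panel, and a CSV-driven filter built from an inputlookup subsearch for the wineventlog panel. The base search is written as a transforming search (it ends in stats) so that every post-process search receives all the rows and fields it needs, which is the usual cause of a post-processed panel missing a category that the standalone search shows. The index, sourcetype, field names, exclusions and the test.csv column name come from the posts; the time ranges, the daily bin and the chart options are assumptions.

```xml
<dashboard>
  <label>Antivirus status by action (added example)</label>
  <!-- Base search. It is transforming (ends in stats), so post-process
       searches built on it get every row and every field named here.
       Sourcetype, fields and exclusions are from the post; the 7 day
       window is an assumption. -->
  <search id="av_base">
    <query>
index=sophos sourcetype="sophos:threats"
| regex FullFilePath!="eicar"
| regex FullFilePath!="pagefile.sys"
| eval _time=strptime(InsertedAt,"%Y-%m-%d %H:%M:%S.%N")
| rename user AS User
| bin _time span=1d
| stats count BY _time ActionTaken Status
    </query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Threats per day by action taken</title>
      <chart>
        <!-- Post-process search: runs only against the rows av_base
             returned. It filters on Status and re-bins the counts. -->
        <search base="av_base">
          <query>
search (Status="Cleanable" OR Status="Not Cleanable" OR Status="Cleanup failed" OR Status="Threat type not cleanable")
| timechart span=1d sum(count) AS count BY ActionTaken
          </query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
    <panel>
      <title>Events per workstation listed in test.csv</title>
      <!-- Standalone search for the CSV question. The subsearch returns one
           row per lookup row, renamed to the event field, so it expands to
           SourceWorkstation="a" OR SourceWorkstation="b" and so on.
           Lookup name and column are from the post; the event field
           name SourceWorkstation is taken from the posted query. -->
      <table>
        <search>
          <query>
index=wineventlog
    [| inputlookup test.csv
     | rename "Workstation Name" AS SourceWorkstation
     | fields SourceWorkstation]
| stats count BY SourceWorkstation
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Two points worth checking against your own dashboard. First, a post-process search only sees what the base search returns: when the base search is non-transforming, Splunk passes along only the default fields plus those explicitly listed with fields, and caps the result at 500,000 events, so a filter such as search Status="..." in the post-process step silently drops anything whose field was not carried over. Aggregating in the base search with stats BY every field the panels need avoids both limits. Second, in the CSV query, renaming the lookup column to search makes the subsearch return the bare values as free-text terms; renaming it to the event field instead produces the field="value" OR field="value" clause you want, and one subsearch covers any number of rows, so no repeated subsearches are needed.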