Splunk

47 readers
3 users here now

For all Splunk related questions and answers

founded 1 year ago
MODERATORS
1
2
 
 

So I'm using Enterprise Security and I've got a search string similar to this:

index=main | search username="admin" OR user="admin" | eval file_activity=if(isnull(file_activity), "unknown", file_activity) | stats count by _time, action, app, source,dest, host, Computer, Caller_User_Name, process_name, dest_asset, file_activity | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S") | fields _time, action, app, source, dest, host, Computer, Caller_User_Name, process_name, dest_asset, count, file_activity | sort - count

Now, that's great for pulling all the data in to the table. But when I go to add inputs to the panel to start narrowing this down, its just not working!

Is there some kind of mismatch with the name and the token name maybe? Or do I have to go create a whole data model and change this all to tstats?

3
 
 

Quick Copy Pasta Queries!