I have a number of individual records in Splunk, all with a common field of X, which I'm trying to combine.
E.g.:
User-name=JG, srcIP=10.0.0.1
User-name=JG,file=jg.docx
User-name=JG, dstIP=10.1.1.0
User-name=JG,Email=jg#jg.com
User-name=AB, srcIP=10.0.0.2
User-name=AB,file=AB.docx
User-name=AB, dstIP=10.2.2.0
User-name=AB,Email=AB#AB.com
I want to do the following search: group all the records which match by the User-name field, and allow me to manipulate the fields.
E.g.:
USERNAME, srcIP, file, dstIP, Email
JG, 10.0.0.1, jg.docx, 10.1.1.0, jg#jg.com
AB, 10.0.0.2, AB.docx, 10.2.2.0, AB#AB.com
Thank you!
You can check out the stats command to do this:
your search
| stats latest(srcIP) as srcIP, latest(file) as file, latest(dstIP) as dstIP, latest(Email) as Email by User-name
You can then perform any operations you want on these fields. The latest function will give you the latest value seen for srcIP, file, etc. for that user name.
I'm pretty new to KQL, and running into a problem trying to format my data in Azure Sentinel.
I have a query with these columns I'm interested in: Email and IP.
If I run something like summarize count() by Email, IP I get almost what I want, however in some cases, the email value will be the same, but could be coming from a different IP.
Is there a way to have the output formatted so it will show the email value, then under that, list all the IP count values associated with the email?
You can easily create a set (unique values) of IPs per Email:
// Data sample generation. Not part of the solution.
let t = range i from 1 to 30 step 1 | extend Email = strcat("email_", tostring(toint(rand(3))), "#", dynamic(["gmail", "outlook", "hotmail"])[toint(rand(3))], ".com"), IP = strcat_delim(".", tostring(toint(rand(256))), tostring(toint(rand(256))), tostring(toint(rand(256))), tostring(toint(rand(256))));
// Solution starts here
t
| summarize make_set(IP) by Email
Email | set_IP
email_0#outlook.com | ["22.0.72.237","32.17.234.224","84.232.201.220","181.161.231.252","121.190.204.101"]
email_1#gmail.com | ["187.58.44.239","95.117.156.141","16.245.100.138"]
email_2#outlook.com | ["154.46.54.212","178.139.208.204","204.197.11.160","160.96.246.141","173.141.14.145","100.35.29.216"]
email_0#gmail.com | ["230.16.241.147","173.164.214.236","95.194.124.236","186.101.39.234"]
email_1#hotmail.com | ["19.214.101.122","168.72.148.236"]
email_2#hotmail.com | ["136.190.117.24","113.147.42.218","224.220.103.201"]
email_0#hotmail.com | ["126.176.108.237","201.222.155.151"]
email_2#gmail.com | ["132.67.147.234","2.101.57.210"]
email_1#outlook.com | ["6.173.214.26","18.169.68.195","87.141.157.8"]
This is a relatively simple question regarding Data Loader. I'm currently running a query in our app that is pulling the 'last login' by a user for each account. As our app is not integrated with our SFDC, I have to query the data, then manually upload the CSV file using Data Loader.
This particular field, 'Last Login', is on the account page. Long story short, the output of my query has some rows that have the same account ID but different dates - most recent and less recent. E.g. two rows with the same account ID: one 'Last Login' date is 7/30/18, and the other row (same account ID) has a 'Last Login' date of 7/17/18.
See 'blue' delineated area.
Instead of manually deleting the row with the 'less recent' date, is there a way I can order the column (either descending or ascending) so that the 'Last Login' field will populate with the 'most recent' date?
Essentially, if the record is the same, what is the order in which the org will ingest the data?
Thanks for your help!
-M
Data is inserted/updated in the order in which it appears in source file.
If you have update file like that:
Id,Name
00170000015Uemk,Some Name
00170000015Uemk,Some Different Name
The last option will "win". Note that this is behavio(u)r of the API access. In Apex doing something like that will crash & burn:
update new List<Account>{
new Account(Id = '00170000015Uemk', Name = '1'),
new Account(Id = '00170000015Uemk', Name = '2')
};
// System.ListException: Duplicate id in list: 00170000015UemkAAC
If you want to do it quick & dirty see if SELECT ... FROM Account ORDER BY Id, LastLoginDate ASC helps. It should sort multiple rows for same account together, but then sort by date in ascending order so most recent should "win".
But this sounds like you have a business rule to never overwrite a newer date with older one. So a validation rule maybe to reject bad rows? Something like
!ISBLANK(Date__c) && PRIORVALUE(Date__c) > Date__c
I have to find the first occurrence of a particular event for a list of users in Splunk.
E.g.: I have a list of users, say 10, from another query.
I am using the query below to find the date of the first mail sent by customer 12345. How do I find the same for a list of customers that I get from another query?
index=abc appname=xyz "12345" "*\"SENT\"}}"|reverse|table _time|head 1
Try using stats.
index=abc appname=xyz "12345" "*\"SENT\"}}" | stats earliest(_time)
I need to make a query in Access that has 4 criteria. If I run this query from the query's design view it works. Then I built a form to enter the criteria in 4 text boxes and make the query easier to use. I created the form using the tutorial on the official Microsoft site [1]; I first tried the query with only one text box and one criterion and it works; when I use 4 text boxes, following the tutorial, it doesn't work. The criterion I use for each field in the query is the following:
Switch(Not IsNull([Forms]![frmRICmp]![cod]),[Forms]![frmRICmp]![cod])
I also tried to use
IIf(IsNull([Forms]![frmRICmp]![cod]), Like "*", [Forms]![frmRICmp]![cod])
but in this case it doesn't work either.
Can someone tell me the right instruction to use in the query's criteria?
Thanks
So if I gather correctly, you need to perform a multi-field search where, if any of the boxes is null, you would like to return all the values, and more than one text box can be used simultaneously. To do this you have to do the following.
Amend the query Field (note I'm referring to the field and not the criteria).
For the first text box, assuming its name is COD and the field name is also COD:
If the current field name is COD, insert another field with the same name and amend it to
[COD]=[Forms]![frmRICmp]![cod] OR [Forms]![frmRICmp]![cod] Is NULL
then in the criteria row use the following value:
TRUE
For the second text box, assuming its name is COD2 and the field name is also COD2:
If the current field name is COD2, insert another field with the same name and amend it to
[COD2]=[Forms]![frmRICmp]![cod2] OR [Forms]![frmRICmp]![cod2] Is NULL
then in the criteria row use the following value:
TRUE
and continue the same process for all 4 text boxes.
I've 3 fields which contain only text. However, I want to add a calculated field which counts the number of commas in each of these 3 fields and displays it separately in the adjacent column. The snippet of SQL I use is shown below. How can I build the calculated field?
SELECT week, client_I, client_II, client_III
FROM quality_control_test;
Please advise!
Well, you can "count" the number of a given character in a string by using this:
length(c) - length(replace(c,',',''))
I assume you can figure out how to leverage that for your own query ;)
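The trick above applied to the query from the question, as an added example that is not the answerer's code: the quality_control_test rows are constructed inline in a CTE so it runs stand-alone, and COALESCE covers the edge case of a NULL field, where LENGTH(NULL) would otherwise make the whole count NULL.

```sql
-- Constructed sample data standing in for quality_control_test (not from the thread).
WITH quality_control_test(week, client_I, client_II, client_III) AS (
    VALUES
        (1, 'acme,globex,initech', 'umbrella',       NULL),
        (2, 'acme',                'globex,initech', 'hooli,pied piper,aviato,stark')
)
SELECT
    week,
    client_I,
    client_II,
    client_III,
    -- Comma count = characters removed when every ',' is stripped out.
    -- COALESCE turns a NULL field into '' so the count is 0 rather than NULL.
    LENGTH(COALESCE(client_I,   '')) - LENGTH(REPLACE(COALESCE(client_I,   ''), ',', '')) AS client_I_commas,
    LENGTH(COALESCE(client_II,  '')) - LENGTH(REPLACE(COALESCE(client_II,  ''), ',', '')) AS client_II_commas,
    LENGTH(COALESCE(client_III, '')) - LENGTH(REPLACE(COALESCE(client_III, ''), ',', '')) AS client_III_commas
FROM quality_control_test
ORDER BY week;
```

Adding 1 to a comma count gives the number of comma-separated entries when the field is non-empty; a NULL or empty field still reports 0 commas, so check for that separately if "no clients" must be distinguished from "one client".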