Quick snippet to convert a temperature in Celsius to Fahrenheit: | eval Temperature_Fahrenheit=Temperature_Celsius*1.8+32
Check your strftime is correct in the props.conf
A simple method for checking whether your strftime format (TIME_FORMAT=) in props.conf matches the timestamp format in your log file. strftime(X,Y): this function takes a UNIX time value, X, as the first argument and renders the time as a string using the format specified by Y. The UNIX time must be in seconds. Use the first 10 […]
Remove Z or T string from your Timestamp
| rest /services/authentication/current-context | table username roles updated | search username!=splunk-system-user | rex field=updated "(?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+\.\d+)" | eval timestamp=timestampA + timestampB | eval timestamp=strptime(timestamp, "%Y-%m-%d%H:%M:%S.%3N") | eval timestamp=strftime(timestamp, "%c") | fields - timestampA timestampB
Find passwords in User_Name field
This eval for password detection can easily be used on any field where a user may accidentally type a password, or worse, both username and password, during login, which generates a failed-login event. The example below is for Windows failed logins. The eval will match 10 or more characters with 1 uppercase, 1 lowercase, 1 […]
Convert Seconds to Hours Minutes Seconds HHMMSS
Take any field in Splunk that outputs a value in seconds and change it to report in HH:MM:SS format: your.search.here | eval HHMMSS=tostring(Field_In_Seconds, "duration") | table HHMMSS