
Kelly Hamm
- Total activity 9
- Following 0 users
- Followed by 0 users
- Votes 0
- Subscriptions 0
Activity overview
Latest activity by Kelly Hamm
Kelly Hamm commented,
Hi, assuming this is the intact multiline message you've posted: | parse "message=*%" as perc | where perc>=85 | count by _sourceName set that up in a scheduled search, choose your timeframes an...
Kelly Hamm commented,
Hi David- how about something like this? If you're using a parsed field from the data set other than the sumo reserved _messagetime that's not epoch, you can put that in there and remove the format...
Kelly Hamm commented,
Hi Saad- if you're using Field Extractions you could have a query like this: _SourceCategory=Win* dest_user=zz* | count by dest_user because the field is preparsed with FER, you could use it in t...
Kelly Hamm commented,
Hi Will- you can add a WHERE clause using either the country_code or country_name after the lookup: | count by src_ip | lookup latitude, longitude, country_code, country_name from geo://default on...
Kelly Hamm commented,
Hi Sepehr- yep, you'll need to encode the query, an easy way to test this is to take your query and encode it with something like this: http://meyerweb.com/eric/tools/dencoder/ for instance, a query li...
Kelly Hamm commented,
Hi Mark- How about sending via syslog from proofpoint to a sumo syslog source on a collector? https://www.youtube.com/watch?v=qPOgaXB6xBw https://help.sumologic.com/Send_Data/Sources/Syslog_Source
Kelly Hamm commented,
Hi MB- I would basically start with my search to create my initial scope, then use a simple where after the fact to break that scope out into my separate subtables I want to join: _sourcecategory...
Kelly Hamm commented,
Hi Will- how about this? | parse regex "(?\d+\.\d+\.\d+\.\d)\s", "user_id=*\"" as user
Kelly Hamm commented,
Hi; In my experience, Pie charts work best with normalizing your multiple fields into a single field, and do a count by type from there. Basically, in your case I used a regex multi to parse out ...