index=_internal source=*license_usage.log type=Usage ```Usage events from the license log; b = bytes indexed for that event```
| eval gb=round(b/1073741824, 4) ```1024^3 — per-event GB, rounded to 4 places before summing (same math as dividing by 1024 three times)```
| stats sum(gb) AS GB BY host ```NOTE(review): host here is the host that wrote the log line; Usage events also carry an h= field for the originating host — confirm which grouping is intended```
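index=_internal sourcetype=splunkd HttpListener "Socket error from " ```splunkd HttpListener socket errors — typically forwarder-to-receiver connection problems```
| rex "(?<errorLog>WARN\s+HttpListener\s.*?Socket error.*)" ```keep the full WARN message for the report```
| rex field=errorLog "WARN\s+HttpListener\s.*?Socket error from\s+(?<uf_ip>[^ ]+)" ```peer address that raised the error; captured straight into uf_ip instead of ip + rename```
| stats earliest(_time) AS Earliest latest(_time) AS Latest count BY uf_ip host errorLog
| eval Earliest=strftime(Earliest,"%b %d, %Y %H:%M:%S") ```fix: %m is the month number; %d is the day of month, so "Jan 05, 2024" reads as intended```
| eval Latest=strftime(Latest,"%b %d, %Y %H:%M:%S")
| table Earliest Latest uf_ip errorLog count
| sort - count
| rename Earliest AS "First Seen", Latest AS "Last Seen", uf_ip AS "Source IP", errorLog AS "Error Log", count AS Count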