https://community.splunk.com/t5/Reporting/need-help-Top-malware-suspicious-site/m-p/298011#M10046 <P>strange: in the default bcoat_proxysg extraction there are "action" and "http_referrer" (URL), I don't know what is "info".<BR /> Are you using the default App's sourcetype?<BR /> I used it, but rebuilding all dashboards because the old ones were created in extended XML (deprecated by Splunk).<BR /> Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 12:51:24 GMT gcusello 2020-09-29T12:51:24Z https://community.splunk.com/t5/Reporting/need-help-Top-malware-suspicious-site/m-p/298008#M10043 <P>Hi People,</P> <P>I am using Bluecoat proxy at this time and I am trying to get the report based on Malicious/Suspicious. I am running below query. </P> <P>sourcetype=bluecoat* categories("Malicious" OR "Phishing" OR "Suspicious") | fields add - status, - action, - host | stats count by host | sort – host</P> <P>Raw log: </P> <P>Feb 14 06:31:42 Feb 14 14:31:41 ProxySG: 3B0002 2017-02-14 14:31:41 1 src=x.x.x.x status=403 action=TCP_DENIED 803 379 method=GET protocol=http host=adgebra.co.in port=80 path=/Spike/spike.js <A href="http://tamil.oneindia.com/news/tamilnadu/da-case-who-is-a4-ilavarasi-274085.html" target="_blank">http://tamil.oneindia.com/news/tamilnadu/da-case-who-is-a4-ilavarasi-274085.html</A> useragent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 categories=Web Ads/Analytics;Suspicious 74.117.128.45(97306393) UNKNOWN_EVENT pe_policy_action_log_message.cpp 44</P> <P>How would I add URL info, action and status info into statistic result as those are not showing into default filed?</P> <P>Kind Regards,<BR /> Steave</P> Tue, 29 Sep 2020 12:51:18 GMT https://community.splunk.com/t5/Reporting/need-help-Top-malware-suspicious-site/m-p/298008#M10043 Steave4app 2020-09-29T12:51:18Z https://community.splunk.com/t5/Reporting/need-help-Top-malware-suspicious-site/m-p/298009#M10044 <P>Hi Steave4app,<BR /> to insert other fields in a stats command you can:</P> <UL> <LI>insert it after "by" clause using that field as key in stats,</LI> <LI>before count, inserting values(URL) AS URL values(info) AS info values(action) AS action. The problem is that, if you have many values, your report could be unreadable.</LI> </UL> <P>In addition remember that this App uses Summary indexes, so you have to insert these fields in GROUPBY clause in tstats command.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 14 Feb 2017 15:00:57 GMT https://community.splunk.com/t5/Reporting/need-help-Top-malware-suspicious-site/m-p/298009#M10044 gcusello 2017-02-14T15:00:57Z https://community.splunk.com/t5/Reporting/need-help-Top-malware-suspicious-site/m-p/298010#M10045 <P>Hi Cusello,</P> <P>Happy to see you. </P> <P>I have done that but it is not working. Interesting this is, they things are not describing as field.</P> <P>status=403 action=TCP_DENIED 803 379 method=GET protocol=http host=adgebra.co.in port=80 path=/Spike/spike.js <A href="http://tamil.oneindia.com/news/tamilnadu/da-case-who-is-a4-ilavarasi-274085.html">http://tamil.oneindia.com/news/tamilnadu/da-case-who-is-a4-ilavarasi-274085.html</A> useragent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 categories=Web </P> <P>So if they are not field, how would it work into stats count by query? </P> <P>Kind Regards,<BR /> Steave</P> Tue, 14 Feb 2017 15:20:33 GMT https://community.splunk.com/t5/Reporting/need-help-Top-malware-suspicious-site/m-p/298010#M10045 Steave4app 2017-02-14T15:20:33Z https://community.splunk.com/t5/Reporting/need-help-Top-malware-suspicious-site/m-p/298011#M10046 <P>strange: in the default bcoat_proxysg extraction there are "action" and "http_referrer" (URL), I don't know what is "info".<BR /> Are you using the default App's sourcetype?<BR /> I used it, but rebuilding all dashboards because the old ones were created in extended XML (deprecated by Splunk).<BR /> Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 12:51:24 GMT https://community.splunk.com/t5/Reporting/need-help-Top-malware-suspicious-site/m-p/298011#M10046 gcusello 2020-09-29T12:51:24Z https://community.splunk.com/t5/Reporting/need-help-Top-malware-suspicious-site/m-p/298012#M10047 <P>You need to verify what fields have already been extracted. So, with your _raw event, look at the interesting fields and see what field (if any) the <A href="http://...html" target="test_blank">http://...html</A> value has been loaded into. </P> <P>If it has not been extracted into anything, then you will probably want to use a regex to load the URL data into a field that you can use the list aggregate command on. </P> <P>Here's one link to a thread that deals with that. <A href="https://answers.splunk.com/answers/93003/regex-for-url-parsing.html">https://answers.splunk.com/answers/93003/regex-for-url-parsing.html</A></P> Tue, 14 Feb 2017 16:06:26 GMT https://community.splunk.com/t5/Reporting/need-help-Top-malware-suspicious-site/m-p/298012#M10047 DalJeanis 2017-02-14T16:06:26Z