topic Re: Problem with values/list in subsearch in Splunk Search

Problem with values/list in subsearch

LuiesCui — Tue, 22 Sep 2015 07:32:27 GMT

Hi guys, I want to make a table with list in it with Splunk and I really need some help!
I got a IPS to analyse and to see which source ips some certain attacks were from. When I get an ipA from attackA, I would like to how many times ipA did the attackA, which destiny ips are influnced and by how many times, and is there any other attacks ipA does.
Here is my search line:

index="security" attName="$some certain attack name$"             
| stats count as c by src attName des     
| stats sum(c) as total list(des) as desips list(c) as LC by src
| join src [ search index="security"   
| stats values(attName) as otherAttack by src ]
| table src total desips LC otherAttack  
| sort -total

The table I expect to get is like:

     src    total    desips     LC   otherAttack
14.18.240.6   18  172.25.118.53  1  Adobe Reader And Acrobat Privilege Escalation Vulnerability
                  172.26.67.198  5  Microsoft Windows HTTP Services Integer Underflow Vulnerability
                  172.26.68.201  8
                  172.26.69.46   2
                  172.26.71.193  2

14.18.256.74  6   172.25.118.43  1  Adobe Reader And Acrobat Privilege Escalation Vulnerability
                  172.26.68.208  2
                  172.26.71.193  3

But what I really got was like:

     src    total    desips     LC   otherAttack
14.18.240.6   18  172.25.118.53  1  Adobe Reader And Acrobat Privilege Escalation Vulnerability Microsoft Windows HTTP Services Integer Underflow Vulnerability
                  172.26.67.198  5       
                  172.26.68.201  8
                  172.26.69.46   2
                  172.26.71.193  2

14.18.256.74  6   172.25.118.43  1  Adobe Reader And Acrobat Privilege Escalation Vulnerability
                  172.26.68.208  2
                  172.26.71.193  3

I found that if I put values/list in a subsearch, the values of the field values/list will be all put in one row. I tried "| stats delim="/n" values(attName) as otherAttack by src" and didn't work. How can we separate them in different lines in one cell?

Re: Problem with values/list in subsearch

woodcock — Tue, 22 Sep 2015 15:24:28 GMT

Try this:

index="security" attName="$some certain attack name$" | stats count as c by src attName des | stats sum(c) as total list(des) as desips list(c) as LC by src | join src [ search index="security" | stats values(attName) as otherAttack by src | mvexpand otherAttack ] | table src total desips LC otherAttack | sort -total

Re: Problem with values/list in subsearch

somesoni2 — Tue, 22 Sep 2015 15:47:18 GMT

Give this a stry

index="security" attName="$some certain attack name$"             
 | stats count as c by src attName des     
 | stats sum(c) as total list(des) as desips list(c) as LC by src
 | join src [ search index="security"   
 | stats values(attName) as otherAttack by src ]
| stats values(*) as * by src | table src total desips LC otherAttack | sort -total

Re: Problem with values/list in subsearch

LuiesCui — Thu, 24 Sep 2015 01:29:09 GMT

Thank you for your reply but it doesn't work. "Microsoft Windows HTTP Services Integer Underflow Vulnerability" just disappeared.

Re: Problem with values/list in subsearch

LuiesCui — Thu, 24 Sep 2015 01:30:10 GMT

Thank you for your reply but it doesn't work. The otherAttack column remains the same and some values of LC column gone.

Re: Problem with values/list in subsearch

LuiesCui — Thu, 24 Sep 2015 09:56:16 GMT

Can anybody help please?

Re: Problem with values/list in subsearch

HiroshiSatoh — Mon, 28 Sep 2015 06:05:22 GMT

Try this

index="security" attName="$some certain attack name$"             
 | stats count as c by src attName des     
 | stats sum(c) as total list(des) as desips list(c) as LC by src
 | join src [ search index="security" 
 | eval attName="<Delimit>"+attName
 | stats values(attName) as otherAttack by src ]
 | eval otherAttack=split(otherAttack,"<Delimit>")
 | table src total desips LC otherAttack  
 | sort -total

※”Delimit”, please replace any character.

Re: Problem with values/list in subsearch

LuiesCui — Mon, 28 Sep 2015 06:11:02 GMT

index="security" 
| eventstats values(attName) as att by src
| where attName="$some certain attack name$"
| stats count as c by src attName des att
| stats values(att) as atts by src attName des c
| stats sum(c) as total list(des) as desips  list(c) as LC values(atts) as otherAttack by src
| table src total desips LC otherAttack  
| sort -total

Solved by this search line without using "join".

Re: Problem with values/list in subsearch

LuiesCui — Mon, 28 Sep 2015 06:45:30 GMT

Thank you for your reply. The result of this search line is pretty interesting because some of them are separated while some of them aren't. I have no idea how this happens but still thank you!

Re: Problem with values/list in subsearch

LuiesCui — Mon, 28 Sep 2015 07:05:16 GMT

I see. "Delimit" cannot be replaced by ";", but "!","+","-",","and"."works!