topic Re: How to search the count of keywords for each individual event, not for all events? in Splunk Search

How to search the count of keywords for each individual event, not for all events?

adaam94 — Wed, 25 Nov 2015 23:04:22 GMT

How do I count the number of times keywords such as DROP, SELECT, FROM and WHERE appear for each event I have indexed? Looking at the HTTP header example I have, this is a single event. Is there an easy way to only count keywords from this as the searches I have used count all the keywords for all the events, but I only want a keyword count for each event.

"24455","POST","http://localhost:8080/tienda1/publico/pagar.jsp","HTTP/1.1","Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.8 (like Gecko)","no-cache","no-cache","text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5","x-gzip, x-deflate, gzip, deflate","utf-8, utf-8;q=0.5, *;q=0.5","en","localhost:8080","close","103","application/x-www-form-urlencoded","JSESSIONID=12546061FC0154DC98FEC5A70E87F6B4","B1='; DROP TABLE usuarios; SELECT * FROM datos WHERE nombre LIKE '%","anom"

So for this example the answer should be 4. any suggestions?

Thanks

Re: How to search the count of keywords for each individual event, not for all events?

adaam94 — Thu, 26 Nov 2015 12:19:06 GMT

Re: How to search the count of keywords for each individual event, not for all events?

Richfez — Thu, 26 Nov 2015 12:55:10 GMT

adaam94,

I converted your comment to an answer so hopefully it can be accepted!

Re: How to search the count of keywords for each individual event, not for all events?

Richfez — Thu, 26 Nov 2015 13:13:21 GMT

I ran it to test and made a few tweaks:

index=* | eval mystring="24455,POST,http://localhost:8080/tienda1/publico/pagar.jsp,HTTP/1.1,Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.8 (like Gecko),no-cache,no-cache,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5,x-gzip, x-deflate, gzip, deflate,utf-8, utf-8;q=0.5, ;q=0.5,en,localhost:8080,close,103,application/x-www-form-urlencoded,JSESSIONID=12546061FC0154DC98FEC5A70E87F6B4,B1='; DROP TABLE usuarios; SELECT FROM datos WHERE nombre LIKE '%,anom"
| rex max_match=0 field=mystring "(?<keywords>SELECT|UPDATE|INSERT|CREATE|ALTER|RENAME|WHERE|DROP)"
| eval amount=mvcount(keywords)
| table mystring, keywords, amount
| rename amount as "No. of Keywords"

And that returns keywords of DROP, SELECT and WHERE and a count of 3.

For your data, you won't likely need a lot of that:

sourcetype=blah eventtype=bleh my base search here ... 
| rex max_match=0 field=mystring "(?<keywords>SELECT|UPDATE|INSERT|CREATE|ALTER|RENAME|WHERE|DROP)"
| eval number_of_keywords=mvcount(keywords)

Give that a try and report back here to adaam94 on how it worked!