Alerting

Why can I not see events from tstats?

HathMH
Path Finder

First of all I am new to cyber, and got splunk dumped in my lap. I am really trying to get knowledgeable on it but
1) I am horrible with coding and apparently that includes Regex
2) Long lines of code or search strings is like sensory overload to me

That being said, I am trying to clean up our alerts as we are getting bogged down daily with well over 3k alerts that could most likely be expunged. Many of our alerts are based on tstats search strings. It shows a great report but I am unable to get into the nitty gritty. For example, the brute force string below brings up a Statistics table with various elements (src, dest, user, app, failure, success, locked) showing failure vs success counts for particular users who meet the criteria in the string.

My issue: I click on a user, choose View Events, and it brings up a new search with a modified string (of course) but still only shows a tstats table, with different headers (action, src, dest, user, app, count, failure, success).

What I would like to do is, when I click View Events for a particular user, it actually shows me that event and the correlating log input. Is this possible? Why would I want a brute force alert if I cannot narrow down to the events, especially the failed logins?

Again, please have mercy, I am entry level and still learning Splunk. I love the apps and abilities it has, but using the search box is like I lost all my intelligence.


The brute force search

| tstats `summariesonly` values(Authentication.app) as app,count from datamodel=Authentication.Authentication by Authentication.action, Authentication.src, Authentication.dest, Authentication.user
| `drop_dm_object_name("Authentication")`
| search user!=unknown user!=SYSTEM app!=splunkd_remote_searches src!=MWG* user!=TWC-*
| eval success=if(action="success",count,0),failure=if(action="failure",count,0)
| stats values(dest) as dest, values(user) as user, values(app) as app, sum(failure) as failure, sum(success) as success by src
| join user [search index=top_wineventlog EventCode=4740 | eventstats count(user) as locked_count by user | dedup user, host | table user, locked_count]
| search failure>30 success>0
| where failure>success



gcusello
SplunkTrust

Hi @HathMH,

tstats is a command that works on indexed fields, which means that you cannot access the raw data (for more info see https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Tstats ).

Usually when an alert is created (I suppose that you're using ES) there's also a drilldown search created just to access the raw data.

If you haven't, you can create a search that uses your tstats rule as a filter, something like this:

index=* [ 
   | tstats `summariesonly` values(Authentication.app) as app,count from datamodel=Authentication.Authentication by Authentication.action, Authentication.src, Authentication.dest, Authentication.user
   | `drop_dm_object_name("Authentication")`
   | search user!=unknown user!=SYSTEM app!=splunkd_remote_searches src!=MWG* user!=TWC-*
   | eval success=if(action="success",count,0),failure=if(action="failure",count,0)
   | stats values(dest) as dest, values(user) as user, values(app) as app, sum(failure) as failure, sum(success) as success by src
   | join user [search index=top_wineventlog EventCode=4740 | eventstats count(user) as locked_count by user | dedup user, host | table user, locked_count]
   | search failure>30 success>0
   | where failure>success 
   | fields dest user app src ]

Ciao.

Giuseppe
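An alternative drilldown, added here as an example and not part of the answer above: instead of filtering index=* with the tstats rows, it runs the tstats filter as a subsearch against the same Authentication data model via the `datamodel` command, which returns the underlying raw events (with _raw) under the CIM field names the summary was built from, so user and src match on both sides regardless of what the add-on calls them in the raw index. It assumes the `Authentication` data model and `drop_dm_object_name` macro from the original post, and the inner stats is grouped by src and user (not only src, as in the original) so that each row becomes one unambiguous src AND user clause.

```spl
| datamodel Authentication Authentication search
| `drop_dm_object_name("Authentication")`
| search action=failure
    [ | tstats `summariesonly` count from datamodel=Authentication.Authentication
          by Authentication.action, Authentication.src, Authentication.user
      | `drop_dm_object_name("Authentication")`
      | search user!=unknown user!=SYSTEM
      | eval success=if(action="success",count,0), failure=if(action="failure",count,0)
      | stats sum(failure) as failure, sum(success) as success by src, user
      | search failure>30 success>0
      | where failure>success
      | fields src user ]
| table _time src dest user app action _raw
```

The outer datamodel search reads raw events over the selected time range rather than the accelerated summary, so it is slower than the tstats alert itself; keep the time range narrow and note that a subsearch is capped at 10,000 result rows by default.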

HathMH
Path Finder

Thank you, I tried that and it errors out. I may play around with that index=* [] and see what happens.


gcusello
SplunkTrust

Hi @HathMH,

OK, tell me if you solved it and please accept the answer for the other people of the Community; otherwise, tell me how to help you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
