All Apps and Add-ons

Boss of SOC V1 dataset: Why am I having a problem finding an event that I know is there?

samlinsongguo
Communicator

Hi Everyone,

I am practicing the event and having problem doing search on the dataset. When I just search the answer, I can see the event, but when I use Splunk search query, the answer is not appearing for some reason.

Question:
What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with extension (For example "notepad.exe" or "favicon.ico")
Answer is poisonivy-is-coming-for-you-batman.jpeg
so if I just search poisonivy-is-coming-for-you-batman.jpeg it gives me two events
alt text

However when I do search sourcetype=suricata src_ip=192.168.250.70 | table url | search url=*batman* it does not give me that event and this happens to a lot of questions. Any suggestions of what is happening?
alt text


updated to mark code for you - dmj

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

Hi @samlinsongguo. Did either of the answers below solve your question? If yes, please click “Accept” directly below the answer to resolve the post. If not, please comment with more information if you are still having issues.

0 Karma

jstoner_splunk
Splunk Employee
Splunk Employee

I don't have a great answer for you at the moment... I have attached my searches of sourcetype suricata in two different ways and both ways return 133 events.

It is worth mentioning that when I run a search for poisonivy-is-coming-for-you-batman.jpeg, i get 10 events returned, but you are only getting two. I wonder if your dataset is not complete for some reason. The other thing that is odd is you are showing me the first and last event in your first search.

I wish I had a better answer for you but hopefully these couple of nuggets help steer you toward the expected output.

alt text

alt text

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Take a careful look at exactly what you are specifying in your search, especially the exact spelling of each field.

Review each of the results from your first search, look in those results for the fields that are spelled exactly like you spelled them, and see whether they exist and what values they contain.

If you do this carefully, you will see what mistake you made.

(We could tell you, but you will learn more by finding them yourself.)

0 Karma

samlinsongguo
Communicator

Hi DalJeanis
I am not quick get it it I triple checked the first search is "poisonivy-is-coming-for-you-batman.jpeg" and the second query is search sourcetype=suricata src_ip=192.168.250.70 | table url | search url=*batman* if you refer to the actual field is http.url I did the same search as well search sourcetype=suricata src_ip=192.168.250.70 | table http.url | search http.url=*batman* it have the same problem. plus I can see both field have the value.

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...