All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I execute two Netwitness query sentence at the same time? how to configure this?

fish111
New Member
‎01-06-2019 10:52 PM

for example
query=select time,sessionid,ip.src,ip.dst,tcp.dstport where ioc='monero mining'
query=select time,sessionid,ip.src,ip.dst,tcp.dstport,tcp.srcport where ip.src=10.100.0.0/16

tks!

0 Karma
Reply

dflodstrom
Builder
‎03-26-2019 08:19 PM

To run a second NetWitness query using this app, netwitness_query, you can copy the nwsdk_query.conf file to a new file likenwsdk_query_dns.conf. Configure the query and last_mid_file values and then create a stanza for this file in inputs.conf. [script://./bin/nwsdk_query.py nwsdk_query_dns].

@rataide provided this answer in the comments, I only expanded on it slightly. There is no need to copy or modify the script.

0 Karma
Reply

rataide
Path Finder
‎01-08-2019 03:11 AM

An alternative solution is to just use an || (OR in NetWitness syntax) on the clause part of the query. Example:

query=select time,sessionid,ip.src,ip.dst,tcp.dstport,tcp.srcport where ip.src=10.100.0.0/16 || ioc='monero mining'

Hope these help!

Regards,

Rui

0 Karma
Reply

fish111
New Member
‎01-07-2019 05:59 AM

first .i copy nwsdk_query.conf and modify the query sentence as nwsdk_query2.conf in the same directory
second i copy nwsdk_query.py and modify the code which include config file, than i name it as nwsdk_query2
then create a new loca script which named $SPLUNK_HOME\etc\apps\netwitness_query\bin\nwsdk_query2.py ,everything got done

0 Karma
Reply

woodcock
Esteemed Legend
‎02-13-2019 06:50 PM

If this is the answer that worked best for you, you should click Accept to close the question and also UpVote any other comments or answers that helped you along.

0 Karma
Reply

rataide
Path Finder
‎01-08-2019 03:09 AM

Actually, you don't need a second python script in bin, you can just create an additional input stanza in inputs.conf and pass the new configuration file as a parameter. Example below:

[script://./bin/nwsdk_query.py nwsdk_query2]

[script://./bin/nwsdk_query.py myquery_ip]

etc... you can do this as many times as you need.

Reply

DalJeanis
Legend
‎01-07-2019 06:11 AM

@fish111 - Thanks for the description. We've updated the title of your question to have more information about what you were trying to achieve, and converted your comment to an answer.

You can "accept" your answer so the question will show as answered.

0 Karma
Reply

harishalipaka
Motivator
‎01-07-2019 01:17 AM

@fish111

try with append or appendpipe

Thanks
Harish
0 Karma
Reply

fish111
New Member
‎01-07-2019 05:41 AM

thanks for your answer,but i try another method ,and solve the problem.

0 Karma
Reply

DalJeanis
Legend
‎01-07-2019 05:48 AM

@fish111 - please write an answer describing how you solved the problem, and accept your answer. This will help future people who have similar questions.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...