Solved: How to search for several events with one unique i...

bugnet · ‎06-02-2019

Hi all,
I'm trying to find a query that returns all the following tag_name with the same "source" field:
misp-galaxy:continents="Asia"
misp-galaxy:targeted-region="Russia"
misp-galaxy:ransomware="Troldesh orShade, XTBL"

The tricky part is that I have to run the search on all my source files, where the source file is actually the single-valued identifier.
What I tried was something like this:

(index=misp-events source="/var/scripts/events/*" misp-galaxy:continents="Asia") AND (index=misp-events source="/var/scripts/events/*" misp-galaxy:targeted-region="Russia") AND (index=misp-events source="/var/scripts/events/*" misp-galaxy:ransomware="Troldesh orShade, XTBL")

martinpu · ‎06-02-2019

Not sure if I understood you correctly but try this:

 (index=misp-events source="/var/scripts/events/*") (misp-galaxy:continents="Asia" OR misp-galaxy:targeted-region="Russia" OR misp-galaxy:ransomware="Troldesh orShade, XTBL")

Lett me know if this doesnt help

View solution in original post

martinpu · ‎06-02-2019

Not sure if I understood you correctly but try this:

 (index=misp-events source="/var/scripts/events/*") (misp-galaxy:continents="Asia" OR misp-galaxy:targeted-region="Russia" OR misp-galaxy:ransomware="Troldesh orShade, XTBL")

Lett me know if this doesnt help

bugnet · ‎06-02-2019

Nop.

(index=misp-events source="/var/scripts/events/21283.json") (tag_name="misp-galaxy:continents="Asia"" OR tag_name="misp-galaxy:targeted-region="Russia"" OR tag_name="misp-galaxy:ransomware="Troldesh orShade, XTBL"")

How to search for several events with one unique identifier field?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life