Can't translate timestamp from non-standard field ...

ZimmermanC1 · ‎07-28-2020

I am working with linux auditd data

The first search is below which pulls together all of the applications executed by a user during the duration of their session

index=os sourcetype=auditd NOT exe=/usr/sbin/crond
| transaction ses startswith=USER_START endswith=USER_END 
| rename hostname AS src
| eval in_time=_time
| eval login_time=strftime(in_time,"%d-%b-%Y %H:%M:%S.%3N") 
| eval out_time=_time + duration 
| eval logout_time=strftime(out_time,"%d-%b-%Y %H:%M:%S.%3N")
| search src=$field2$ auid=$field3$ host=$field4$
| table login_time,logout_time,duration,src,host,uid,auid,exe,key

The drilldown looks like this, which take the host, & originating user name from the first search and finds all command line executions that user performed.

index=os sourcetype=auditd host=$field4$ 
| `find_commands` 
| transaction timestamp 
| search auid=$field2$ type=EXECVE 
| table timestamp,host,ppid,pid,auid,uid,command,proc_command,success 
| sort timestamp

Where I am struggling is to get the timestamp from the login_time and logout_time fields from the first search to populate the timestamp picker of the drill down.

Dashboard Source

<form>
  <label>Linux Auditd</label>
  <description>User session monitoring and the applications they ran</description>
  <fieldset submitButton="true">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="field2">
      <label>Source System</label>
      <default>*</default>
    </input>
    <input type="text" token="field4">
      <label>Target System</label>
      <default>*</default>
    </input>
    <input type="text" token="field3">
      <label>Source User</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Session Monitoring</title>
      <table>
        <search>
          <query>index=os sourcetype=auditd NOT exe=/usr/sbin/crond
| transaction ses startswith=USER_START endswith=USER_END 
| rename hostname AS src
| search src=$field2$
| eval in_time=_time
| eval login_time=strftime(in_time,"%d-%b-%Y %H:%M:%S.%3N") 
| eval out_time=_time + duration 
| eval logout_time=strftime(out_time,"%d-%b-%Y %H:%M:%S.%3N")
| search auid=$field3$ host=$field4$
| table login_time,logout_time,duration,src,host,uid,auid,exe,key</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">search?q=index%3Dos%20sourcetype%3Dauditd%20host%3D$field4$%20%7C%20%60find_commands%60%20%7C%20transaction%20timestamp%20%7C%20search%20auid%3D$field2$%20type%3DEXECVE%20%7C%20table%20timestamp%2Chost%2Cppid%2Cpid%2Cauid%2Cuid%2Ccommand%2Cproc_command%2Csuccess%20%7C%20sort%20timestamp&amp;earliest=$row.login_time$&amp;latest=$row.logout_time$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

richgalloway · ‎07-28-2020

AFAIK, you can't set the time picker in a drilldown that way. It's OK, though, since the earliest and latest settings in the search override the time picker. Just make sure the values for row.login_time and row.logout_time are valid as arguments to earliest and latest.

---
If this reply helps you, Karma would be appreciated.

Can't translate timestamp from non-standard field into drilldown search

drilldown

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control