Re: Creating Dashboard/Tables

chungmp · ‎06-05-2014

Thank you for coming by a few weeks ago.

I am trying to create Dashboard for failed login- however since we are getting data from multiple sources, i.e. syslog, CEF, etc.. we don’t have the same fields in the results.

For example- I am trying to create a table that display failed login results for all sshd processes (and they come from different type of sources- ie. Some may have suser field, some may not, and what I have realized is that the result will only display those with “src shost dvc dvchost suser duser msg”, where the fields are empty it will omit them. Hence I am missing events.

dproc=sshd categoryOutcome=/Fail*|top 20 categoryOutcome src shost dvc dvchost suser duser msg

I hope I make sense. Please let me know if you have any questions/what I need to change?

somesoni2 · ‎06-05-2014

Try with updated answer.

chungmp · ‎06-05-2014

Thank you!!

There is a line w/ all N/A values, except for time- I added _time, which i believe is my own searches in splunk. How can I get rid of that?

somesoni2 · ‎06-05-2014

Try something like this:
UPDATED

dproc=sshd categoryOutcome=/Fail* (categoryOutcome=* OR src=* OR shost=* OR dvc=* OR dvchost=* OR suser=* OR duser=* OR msg=*)| eval categoryOutcome=coalesce(categoryOutcome ,"NA") | eval  src=coalesce(src ,"NA")  | eval shost=coalesce(shost ,"NA")  | eval dvc=coalesce(dvc ,"NA")  | eval dvchost=coalesce(dvchost ,"NA")  | eval suser=coalesce(suser ,"NA")  | eval duser=coalesce(duser ,"NA")  | eval msg=coalesce(msg ,"NA") 
|top 20 categoryOutcome src shost dvc dvchost suser duser msg

OR

 dproc=sshd categoryOutcome=/Fail* (categoryOutcome=* OR src=* OR shost=* OR dvc=* OR dvchost=* OR suser=* OR duser=* OR msg=*)| table categoryOutcome src shost dvc dvchost suser duser msg
| fillnull value="NA"
    |top 20 categoryOutcome src shost dvc dvchost suser duser msg

This will replace unavailable fields with values "NA", so that all events will get listed.

Give this a try

dproc=sshd categoryOutcome=/Fail* | eval shouldInclude=if(isnull(categoryOutcome) AND isnull(src) AND isnull(shost) AND isnull(dvc) AND isnull(dvchost) AND isnull(suser) AND isnull(duser) AND isnull(msg),"No","Yes") | where shouldInclude="Yes" | fillnull value="N/A" |top 20 categoryOutcome src shost dvc dvchost suser duser msg

chungmp · ‎06-09-2014

Yes, I did... I actually took out categoryOutcome and replaced with _time
dproc=sshd categoryOutcome=/Fail (src= OR shost= OR dvc= OR dvchost= OR suser= OR duser= OR msg=*)| table _time src shost dvc dvchost suser duser msg
| fillnull value=("NA" OR "")
|top 20 _time src shost dvc dvchost suser duser msg

somesoni2 · ‎06-05-2014

How are you getting the _time column? I am not seeing that being used in your query.

chungmp · ‎06-05-2014

Also, The results displays a row that says "NA" for all fields and one of them says "None", which I modified | fillnull value=("NA" OR "None"), but then I got missing results - i.e. some results disappeared that was there before if I just have | fillnull value="NA"

chungmp · ‎06-05-2014

Thank you! I tried that and it works however, now I get a line with "" for all fields, except time column. I also tried:| fillnull value=("NA" OR "") but didn't help (please see below). Thanks!

dproc=sshd categoryOutcome=/Fail* (categoryOutcome=* OR src=* OR shost=* OR dvc=* OR dvchost=* OR suser=* OR duser=* OR msg=)| table categoryOutcome src shost dvc dvchost suser duser msg
| fillnull value=("NA" OR "")
|top 20 categoryOutcome src shost dvc dvchost suser duser msg

Creating Dashboard/Tables

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?