
Using Cisco ACS command logging, find one line then a related line

splunkmduser
New Member

Cisco ACS logging: find CmdAV=interface and then the next successful command from the same user with CmdAV=no CmdArgAV=shutdown CmdArgAV=. I've been using transaction, but don't seem to be able to figure out quite how to go about finding this information.

Ultimately, I am trying to find out when a no shutdown command on an interface is successfully run - but I need to know the interface it was run on.

Thanks!

0 Karma

Richfez
SplunkTrust

splunkmduser,

I'm just guessing at an answer here, but perhaps this guess will either get you where you need to be or might at least help clarify the situation.

First, you have to make sure "interface" is an output field already. If it isn't already available, that's a different task to identify and output that (not terribly hard, but needs more info than what's given).

As long as you have that as an output field already, a possible transaction command may be something using the startswith= and endswith= parameters sort of like so:

mysearchhere | transaction startswith="CmdAV=interface" endswith="CmdAV=no AND CmdArgAV=shutdown AND CmdArgAV=." by user

Then, once you have the transaction set up - you could probably just pipe it to a table to make it pretty: | table _time, user, CmdArgAV, interface or something similar.

See if that doesn't get you started!

0 Karma

splunkmduser
New Member

Thanks! That got me much closer. My reference material didn't indicate that I could specify a variable within the startswith and endswith command, much less AND two conditions.

That gives rise to even more questions.

How do I remove any transaction that contains CmdAV=shutdown? That is, a shutdown command was run before the no shutdown (CmdAV=no CmdArgAV=shutdown).

In a table, how do I show all values for a repeated variable? The interface command looks like this: CmdAV=interface CmdArgAV=Gigabit CmdArgAV=2/1. Repeating CmdArgAV in the table command does not give me all the arguments.

0 Karma
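An offline Python equivalent of the transaction logic in the answer above, added here as an example and not taken from the thread or from Splunk: it groups each user's commands from CmdAV=interface up to the next CmdAV=no CmdArgAV=shutdown, keeps every CmdArgAV value so the interface name comes out whole, and can drop groups in which a plain CmdAV=shutdown ran in between (the two follow-up questions). The log lines and user names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample Cisco ACS command-accounting lines (not real logs); the
# key=value layout follows the CmdAV= / CmdArgAV= fields quoted in the thread.
SAMPLE_LOG = """\
2024-01-01 10:00:01 user=alice CmdAV=interface CmdArgAV=Gigabit CmdArgAV=2/1
2024-01-01 10:00:05 user=alice CmdAV=no CmdArgAV=shutdown CmdArgAV=.
2024-01-01 10:01:00 user=bob CmdAV=interface CmdArgAV=Gigabit CmdArgAV=3/4
2024-01-01 10:01:10 user=bob CmdAV=shutdown CmdArgAV=.
2024-01-01 10:01:20 user=bob CmdAV=no CmdArgAV=shutdown CmdArgAV=.
2024-01-01 10:02:00 user=alice CmdAV=interface CmdArgAV=Vlan CmdArgAV=10
2024-01-01 10:02:30 user=alice CmdAV=show CmdArgAV=run
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Return (timestamp, key -> list of values). Repeated keys such as
    CmdArgAV stay multivalued, the way Splunk keeps them."""
    ts = " ".join(line.split()[:2])
    fields = defaultdict(list)
    for key, value in KV_RE.findall(line):
        fields[key].append(value)
    return ts, fields


def find_no_shutdown(log_text, exclude_prior_shutdown=True):
    """Per user, open a group at CmdAV=interface and close it at the next
    'no shutdown' (transaction startswith/endswith ... by user)."""
    pending = {}   # user -> currently open group
    results = []
    for line in log_text.splitlines():
        ts, f = parse_event(line)
        if not f["user"] or not f["CmdAV"]:
            continue                    # skip lines without the needed fields
        user, cmd = f["user"][0], f["CmdAV"][0]
        if cmd == "interface":          # startswith: (re)open the group
            pending[user] = {"user": user, "start": ts, "had_shutdown": False,
                             "interface": " ".join(f["CmdArgAV"])}
        elif user in pending:
            if cmd == "shutdown":       # a plain shutdown inside the window
                pending[user]["had_shutdown"] = True
            elif cmd == "no" and "shutdown" in f["CmdArgAV"]:   # endswith
                tx = pending.pop(user)
                tx["end"] = ts
                if not (exclude_prior_shutdown and tx["had_shutdown"]):
                    results.append(tx)
    return results
```

A group left open at the end of the log (alice's second interface above) is dropped, just as an unclosed transaction would be.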