Solved: Commands helps for search

DANITO115 · ‎10-20-2023

Good morning, I need to know what the exact search command is in order to see this parameter: Enter a search that returns all web application events that
contain a prohibited status (403)

gcusello · ‎10-20-2023

Hi @DANITO115,

did you followed the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial)?

Anyway, this depends on the data type you want to search and if you already extracted the status field.

If you already extracted, you could simply use:

index=your_index status=403

if not, you have to extract it using a regex, but to help you in this a sample of your logs is required.

Otherwise, you can simply search the string 403

index=your_index 403

but you could have some false positive:

Ciao.

Giuseppe

View solution in original post

DANITO115 · ‎10-23-2023

ty This command help me a lot

gcusello · ‎10-20-2023

Hi @DANITO115,

did you followed the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial)?

Anyway, this depends on the data type you want to search and if you already extracted the status field.

If you already extracted, you could simply use:

index=your_index status=403

if not, you have to extract it using a regex, but to help you in this a sample of your logs is required.

Otherwise, you can simply search the string 403

index=your_index 403

but you could have some false positive:

Ciao.

Giuseppe

Commands helps for search

distributed search

search head

search head clustering

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases