Reporting

Filtering Log Results

seaed_ac
Explorer

Hello everyone

I hope you guys can help me with this.
How can I filter the results of the following log entry example:

9/29/15 4:29:38.391 AM
usn="50356463" time_stamp="2015-09-29 04:29:38.391 UTC" host_name="host" vapi_name="File Write" begin_time="2015-09-19 06:06:47.953 UTC" end_time="2015-09-19 06:06:47.953 UTC" caller_process_id="632" caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/Sicher_R5.pdf" user_name="user" ip_addr="192.168.2.107" file_size="0" param_device_id="USBSTOR\Disk&Ven_PI-239&Prod_USB_2.0_Drive&Rev_1.08\533237584A39414232303131&0"

I need to have a report that tells me a number of files copied while excluding:
- duplicated "parameter field"
- file size > 0
- exclude vapi_name="File Delete"

Can this be accomplished in a single report?

Thanks in advance

0 Karma
1 Solution

MuS
SplunkTrust

Hi seaed_ac,

you can run this search, which does what you want:

your base search here file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter)

this will exclude vapi_name="File Delete" and file sizes of 0, finally it does a distinct count on parameter

Update:

This is the final search:

index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name usenull=f useother=f

Hope this helps ...

cheers, MuS

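As an added cross-check (example code written for this page, not from the original post, from Splunk, or from the answer's author), the script below applies the same three conditions to raw events and computes the distinct file count per user per day, so the timechart numbers can be validated against the logs the way the asker did at the end of the thread. The events it parses are constructed for the example and follow the field format shown in the question. Two details of the final search are reflected in comments: timechart shows at most 10 series by default (limit=10) and folds the rest into an OTHER column, which useother=f drops, and usenull=f drops events that have no user_name field at all.

```python
"""Offline cross-check of the accepted search over raw SEP USB log lines.

Mirrors:
  index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete"
  | timechart dc(parameter) by user_name usenull=f useother=f
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the key="value" pairs of the posted event format; the values never
# contain an embedded double quote, so [^"]* is sufficient.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample events for this example (not from the original post).
SAMPLE_LOGS = [
    # "user" writes two distinct files, one of them twice (duplicate parameter)
    'usn="1" time_stamp="2015-09-29 04:29:38.391 UTC" host_name="host" vapi_name="File Write" '
    'caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/Sicher_R5.pdf" '
    'user_name="user" ip_addr="192.168.2.107" file_size="1024" '
    'param_device_id="USBSTOR\\Disk&Ven_PI-239&Prod_USB_2.0_Drive&Rev_1.08\\533237584A39414232303131&0"',
    'usn="2" time_stamp="2015-09-29 04:31:00.000 UTC" host_name="host" vapi_name="File Write" '
    'caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/Sicher_R5.pdf" '
    'user_name="user" ip_addr="192.168.2.107" file_size="1024"',
    'usn="3" time_stamp="2015-09-29 04:35:00.000 UTC" host_name="host" vapi_name="File Write" '
    'caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/budget.xlsx" '
    'user_name="user" ip_addr="192.168.2.107" file_size="20480"',
    # zero-byte write: excluded by file_size>0
    'usn="4" time_stamp="2015-09-29 04:36:00.000 UTC" host_name="host" vapi_name="File Write" '
    'caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/empty.txt" '
    'user_name="user" ip_addr="192.168.2.107" file_size="0"',
    # a delete: excluded by NOT vapi_name="File Delete"
    'usn="5" time_stamp="2015-09-29 04:40:00.000 UTC" host_name="host" vapi_name="File Delete" '
    'caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/old.doc" '
    'user_name="user" ip_addr="192.168.2.107" file_size="512"',
    # a second user on the next day
    'usn="6" time_stamp="2015-09-30 09:00:00.000 UTC" host_name="host2" vapi_name="File Write" '
    'caller_process_name="C:/Windows/explorer.exe" parameter="F:/export/customers.csv" '
    'user_name="alice" ip_addr="192.168.2.108" file_size="4096"',
]


def parse_event(line):
    """Extract the key="value" fields of one event into a dict."""
    return dict(KV_RE.findall(line))


def keep_event(ev):
    """Mirror the filter clause: file_size>0 NOT vapi_name="File Delete".

    Splunk's file_size>0 only matches events whose field parses as a number,
    so a missing or non-numeric file_size is dropped here as well.  As in
    Splunk, NOT vapi_name="File Delete" keeps events with no vapi_name field.
    """
    try:
        size = float(ev.get("file_size", ""))
    except ValueError:
        return False
    return size > 0 and ev.get("vapi_name") != "File Delete"


def day_bucket(ev):
    """Bucket by UTC calendar day (the timechart span for a multi-day range)."""
    # time_stamp looks like "2015-09-29 04:29:38.391 UTC"; drop the zone suffix
    stamp = ev["time_stamp"].rsplit(" ", 1)[0]
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f").strftime("%Y-%m-%d")


def distinct_files_by_user(lines):
    """dc(parameter) per user_name per day, like timechart ... by user_name.

    Returns {day: {user_name: distinct file count}}.  Events without a
    user_name are skipped (usenull=f), and no series limit is applied, so
    there is no OTHER column to suppress (useother=f).
    """
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ev = parse_event(line)
        if not keep_event(ev) or "user_name" not in ev:
            continue
        seen[day_bucket(ev)][ev["user_name"]].add(ev["parameter"])
    return {day: {u: len(files) for u, files in users.items()}
            for day, users in seen.items()}


if __name__ == "__main__":
    for day, users in sorted(distinct_files_by_user(SAMPLE_LOGS).items()):
        for user, n in sorted(users.items()):
            print(f"{day}  {user:<8} {n}")
```

One caveat when reading the report: dc() is computed per time bucket, so a file written on two different days is counted once on each day. If a single total per user over the whole search window is wanted instead, replace the timechart with stats dc(parameter) by user_name.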
seaed_ac
Explorer

Hi there
Thank you for your answer
I do receive an error when running the search:
Error in 'file' command: This command must be the first command of a search.

My base search is:
index=infosec sourcetype=sep_usb_logs

What am I typing wrong?

0 Karma

MuS
SplunkTrust

run it like this:

index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter)
0 Karma

seaed_ac
Explorer

That looks much better
Is it possible to list the final results by user_name?

If it is not too much to ask. I am not a programmer

0 Karma

MuS
SplunkTrust

me neither 😉
Yes of course :

index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name
0 Karma

seaed_ac
Explorer

It shows a user_name "other" but when I click on the column Splunk shows no data.
Any ideas?

0 Karma

MuS
SplunkTrust

next one:

index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name usenull=f useother=f

and read about the timechart command here http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Timechart

0 Karma

seaed_ac
Explorer

I forgot to mention that on average we could have about 13K logs within 24 hours

0 Karma

seaed_ac
Explorer

It worked.
I have no idea where the user_name Other came from, but I ran a test and the numbers from the report match the logs.
Thank you very much for all your help and patience

Regards

0 Karma