Filtering Log Results

seaed_ac
Explorer

Hello everyone

I hope you guys can help me with this.
How can I filter the results of the following log entry example:

usn="50356463" time_stamp="2015-09-29 04:29:38.391 UTC" host_name="host" vapi_name="File Write" begin_time="2015-09-19 06:06:47.953 UTC" end_time="2015-09-19 06:06:47.953 UTC" caller_process_id="632" caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/Sicher_R5.pdf" user_name="user" ip_addr="192.168.2.107" file_size="0" param_device_id="USBSTOR\Disk&Ven_PI-239&Prod_USB_2.0_Drive&Rev_1.08\533237584A39414232303131&0"

I need to have a report that tells me a number of files copied while excluding:
- duplicated "parameter field"
- file size > 0
- exclude vapi_name="File Delete"

Can this be accomplished in a single report?

Thanks in advance

MuS
SplunkTrust

Hi seaed_ac,

you can run this search, which does what you want:

your base search here file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter)

this will exclude vapi_name="File Delete" and file sizes of 0, finally it does a distinct count on parameter

Update:

This is the final search:

index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name usenull=f useother=f

Hope this helps ...

cheers, MuS

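As an added illustration (not code from the thread or from Splunk), the accepted search's filter and distinct-count logic written in Python over a few constructed events in the key="value" format of the question's log: file_size>0, NOT vapi_name="File Delete", then dc(parameter) by user_name with usenull=f semantics. It aggregates over the whole window like stats rather than per time bucket like timechart; the users, paths and sizes are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample events in the key="value" format of the question's
# SEP USB log (hypothetical users, paths and sizes; fields trimmed to those
# the search uses). One event per line, as Splunk would index them.
SAMPLE_EVENTS = [
    'vapi_name="File Write" parameter="E:/Sep.2015/Sicher_R5.pdf" user_name="alice" file_size="0"',
    'vapi_name="File Write" parameter="E:/Sep.2015/report.docx" user_name="alice" file_size="2048"',
    'vapi_name="File Write" parameter="E:/Sep.2015/report.docx" user_name="alice" file_size="2048"',
    'vapi_name="File Write" parameter="E:/Sep.2015/notes.txt" user_name="alice" file_size="512"',
    'vapi_name="File Delete" parameter="E:/old/budget.xlsx" user_name="bob" file_size="1024"',
    'vapi_name="File Write" parameter="E:/old/budget.xlsx" user_name="bob" file_size="1024"',
    'vapi_name="File Write" parameter="E:/tmp/x.bin" file_size="100"',  # no user_name
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Split one raw event into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))


def copied_files_by_user(lines):
    """Apply the accepted search's logic to raw events.

    Equivalent to: file_size>0 NOT vapi_name="File Delete"
                   | stats dc(parameter) by user_name
    with timechart's usenull=f behaviour (events lacking user_name are
    not reported). Returns {user_name: number of distinct parameters}.
    """
    distinct = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        try:
            size = int(ev.get("file_size", ""))
        except ValueError:
            continue  # a missing or non-numeric file_size fails file_size>0
        if size <= 0 or ev.get("vapi_name") == "File Delete":
            continue
        user, path = ev.get("user_name"), ev.get("parameter")
        if not user or path is None:
            continue  # usenull=f drops null user_name; dc() ignores null parameter
        distinct[user].add(path)  # the set removes duplicated parameter values
    return {user: len(paths) for user, paths in distinct.items()}


if __name__ == "__main__":
    for user, count in sorted(copied_files_by_user(SAMPLE_EVENTS).items()):
        print(f"{user}\t{count}")
```

timechart folds series beyond its default series limit into an OTHER column, which is the "other" user_name the thread runs into; useother=f in the final search suppresses that column.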

seaed_ac
Explorer

Hi there
Thank you for your answer
I do receive an error when running the search:
Error in 'file' command: This command must be the first command of a search.

My base search is:
index=infosec sourcetype=sep_usb_logs

What am I typing wrong?


MuS
SplunkTrust

run it like this:

index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter)

seaed_ac
Explorer

That looks much better
Is it possible to list the final results by user_name?

If it is not too much to ask. I am not a programmer.


MuS
SplunkTrust

me neither 😉
Yes of course :

index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name

seaed_ac
Explorer

It shows a user_name "other" but when I click on the column Splunk shows no data.
Any ideas?


MuS
SplunkTrust

next one:

index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name usenull=f useother=f

and read about the timechart command here http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Timechart


seaed_ac
Explorer

I forgot to mention that on average we could have about 13K logs within 24 hours


seaed_ac
Explorer

It worked.
I have no idea where the user_name Other came from, but I ran a test and the numbers from the report match the logs.
Thank you very much for all your help and patience

Regards
