Hello everyone
I hope you guys can help me with this.
How can I filter the results of the following log entry example:
usn="50356463" time_stamp="2015-09-29 04:29:38.391 UTC" host_name="host" vapi_name="File Write" begin_time="2015-09-19 06:06:47.953 UTC" end_time="2015-09-19 06:06:47.953 UTC" caller_process_id="632" caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/Sicher_R5.pdf" user_name="user" ip_addr="192.168.2.107" file_size="0" param_device_id="USBSTOR\Disk&Ven_PI-239&Prod_USB_2.0_Drive&Rev_1.08\533237584A39414232303131&0"
I need to have a report that tells me the number of files copied while excluding:
- duplicated "parameter" field values
- file size > 0
- exclude vapi_name="File Delete"
Can this be accomplished in a single report?
Thanks in advance
Hi seaed_ac,
you can run this search, which does what you want:
your base search here file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter)
This will exclude vapi_name="File Delete" and file sizes of 0; finally it does a distinct count on parameter.
Update:
This is the final search:
index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name usenull=f useother=f
Hope this helps ...
cheers, MuS
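The same report logic, written out as an added Python example that is not part of this thread or of Splunk: it parses the key="value" event format from the question, drops File Delete events and events with file_size 0, and counts distinct parameter values per user_name per day (a day bucket stands in for timechart's time span). The events below are constructed for the example; usernames, paths and device IDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample events in the key="value" format shown in the question
# (not real SEP USB logs; users, paths and device IDs are invented).
SAMPLE_EVENTS = [
    r'usn="1" time_stamp="2015-09-29 04:29:38.391 UTC" host_name="host" vapi_name="File Write" caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/report.pdf" user_name="alice" file_size="1024" param_device_id="USBSTOR\Disk&Ven_X&Prod_USB\1234&0"',
    # same file written again by the same user: must count only once (dc)
    r'usn="2" time_stamp="2015-09-29 04:30:01.000 UTC" host_name="host" vapi_name="File Write" caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/report.pdf" user_name="alice" file_size="1024" param_device_id="USBSTOR\Disk&Ven_X&Prod_USB\1234&0"',
    r'usn="3" time_stamp="2015-09-29 05:10:12.000 UTC" host_name="host" vapi_name="File Write" caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/budget.xlsx" user_name="alice" file_size="2048" param_device_id="USBSTOR\Disk&Ven_X&Prod_USB\1234&0"',
    # file_size 0: excluded by file_size>0
    r'usn="4" time_stamp="2015-09-29 05:11:00.000 UTC" host_name="host" vapi_name="File Write" caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/empty.docx" user_name="alice" file_size="0" param_device_id="USBSTOR\Disk&Ven_X&Prod_USB\1234&0"',
    # File Delete: excluded by NOT vapi_name="File Delete"
    r'usn="5" time_stamp="2015-09-29 06:00:00.000 UTC" host_name="host" vapi_name="File Delete" caller_process_name="C:/Windows/explorer.exe" parameter="E:/old.pdf" user_name="bob" file_size="512" param_device_id="USBSTOR\Disk&Ven_Y&Prod_USB\9999&0"',
    r'usn="6" time_stamp="2015-09-30 08:15:00.000 UTC" host_name="host" vapi_name="File Write" caller_process_name="C:/Windows/explorer.exe" parameter="E:/contract.pdf" user_name="bob" file_size="4096" param_device_id="USBSTOR\Disk&Ven_Y&Prod_USB\9999&0"',
    # no user_name field: dropped, matching usenull=f
    r'usn="7" time_stamp="2015-09-30 08:16:00.000 UTC" host_name="host" vapi_name="File Write" caller_process_name="C:/Windows/explorer.exe" parameter="E:/orphan.txt" file_size="10" param_device_id="USBSTOR\Disk&Ven_Y&Prod_USB\9999&0"',
]

# One key="value" pair; values in this format contain no embedded quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" event line into a dict of field -> value."""
    return dict(KV_RE.findall(line))


def usb_copy_report(lines):
    """Distinct parameter values per user_name, bucketed by day.

    Mirrors: file_size>0 NOT vapi_name="File Delete"
             | timechart dc(parameter) by user_name usenull=f
    Returns {day: {user_name: distinct_file_count}}.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ev = parse_event(line)
        if ev.get("vapi_name") == "File Delete":
            continue  # NOT vapi_name="File Delete"
        try:
            size = int(ev.get("file_size", ""))
        except ValueError:
            continue  # file_size>0 only matches a present, numeric value
        if size <= 0:
            continue
        user = ev.get("user_name")
        if not user:
            continue  # usenull=f: events with no user_name are dropped
        day = ev["time_stamp"][:10]  # "YYYY-MM-DD" from the UTC time_stamp
        seen[day][user].add(ev["parameter"])  # set gives the distinct count
    return {d: {u: len(p) for u, p in sorted(users.items())}
            for d, users in sorted(seen.items())}


if __name__ == "__main__":
    for day, users in usb_copy_report(SAMPLE_EVENTS).items():
        for user, count in users.items():
            print(day, user, count)
```

The duplicate write of report.pdf collapses to one entry for alice, the zero-byte file and the delete never reach the count, and the event with no user_name is dropped, which is what usenull=f does in the search. Note that timechart also keeps only the top 10 series by default and folds the rest into OTHER; useother=f suppresses that catch-all column.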
Hi there
Thank you for your answer
I do receive an error when running the search:
Error in 'file' command: This command must be the first command of a search.
My base search is:
index=infosec sourcetype=sep_usb_logs
What am I typing wrong?
run it like this:
index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter)
That looks much better.
Is it possible to list the final results by user_name?
If it is not too much to ask; I am not a programmer.
me neither 😉
Yes of course :
index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name
It shows a user_name "other", but when I click on the column Splunk shows no data.
Any ideas?
next one:
index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name usenull=f useother=f
and read about the timechart command here: http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Timechart
I forgot to mention that on average we could have about 13K logs within 24 hours.
It worked.
I have no idea where the user_name Other came from, but I ran a test and the numbers from the report match the logs.
Thank you very much for all your help and patience
Regards