Reporting

User activities in single query

SPLUNK111
New Member

HI Team,

I'm new to splunk..could 

How to check the different activities by listed users(ex: 10 users) from single query

1)password failure

2)Malware operations/malicious file

3)Traffic towards malicious public IP

4)Suspicious mail activity

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SPLUNK111,

you question is just a little bit vague!

How can I help you without knowing which are the data where to extract fields and create searches?

Anyway, your approach should be:

  • analyze your data,
  • extract fields to use in all your searches (using regexes or the Interactive Field Extractor),
  • create one by one your searches answering to you use cases.

If you're new, the best approach is to follow the Splunk Fundamentals I course (https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html) and the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchTutorial/WelcometotheSearchTutorial) to understand how to do the above activities.

In addition on YouTube you can find many videos about this.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...