Splunk Enterprise Security

Help with Query!

kiran331
Builder

Hello,

I'm trying to change the Correlation search 'Excessive Failed Logins' in ES by user, is there a option to exclude values with $. Most of the values I got are with $, when i try to use user!=*$, its showing error.

query i'm using :

| tstats summariesonly=true allow_old_summaries=true values(Authentication.tag) as "tag",dc(Authentication.src) as "src_count",dc(Authentication.dest) as "dest_count",count from datamodel=Authentication.Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user" | rename "Authentication.app" as "app","Authentication.user" as "user" | where 'count'>=6 | eval tag=mvjoin(tag,"|") | rename "tag" as "orig_tag"

0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

Try this instead:

| tstats summariesonly=true allow_old_summaries=true values(Authentication.tag) as "tag",dc(Authentication.src) as "src_count",dc(Authentication.dest) as "dest_count",count from datamodel=Authentication.Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user" | rename "Authentication.app" as "app","Authentication.user" as "user" | where 'count'>=6 AND NOT LIKE(user, "%$") | eval tag=mvjoin(tag,"|") | rename "tag" as "orig_tag"

The only change I made is:

| where 'count'>=6 AND NOT LIKE(user, "%$") 

EDIT:
The query above assumes you want to filter out users whose name ends with $. If you want contains or starts with, simply change the location of the % symbol or place the $ symbol it between two of them

View solution in original post

javiergn
SplunkTrust
SplunkTrust

Try this instead:

| tstats summariesonly=true allow_old_summaries=true values(Authentication.tag) as "tag",dc(Authentication.src) as "src_count",dc(Authentication.dest) as "dest_count",count from datamodel=Authentication.Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user" | rename "Authentication.app" as "app","Authentication.user" as "user" | where 'count'>=6 AND NOT LIKE(user, "%$") | eval tag=mvjoin(tag,"|") | rename "tag" as "orig_tag"

The only change I made is:

| where 'count'>=6 AND NOT LIKE(user, "%$") 

EDIT:
The query above assumes you want to filter out users whose name ends with $. If you want contains or starts with, simply change the location of the % symbol or place the $ symbol it between two of them

kiran331
Builder

Thank you! It worked

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...