Splunk Enterprise Security

Splunk ES - Troubleshooting Web Data Model

Motivator

We have ES up and running and I'm starting to review the various Security Domains and relevant dashboards/reports.

For Security Domain -- Network -- Web Center there is a widget of 'Events Over Time By Status' that when I send to a search returns values other than HTTP status codes (200, 401, etc).

I do a pivot of the web data model and select 'status' and 'sourcetype' and I see the pan:threat sourcetype from our Palo Alto logs included with values that do not correspond to HTTP status codes.

Where would, or how would I go about excluding the pan:threat sourcetype from either the search, or from 'status' altogether?

The search is as follows:

| `tstats` count from datamodel=Web.Web where * by _time,Web.status span=10m 
| timechart minspan=10m useother=`useother` count by Web.status 
| `drop_dm_object_name("Web")`
0 Karma
1 Solution

SplunkTrust
SplunkTrust

I'm tempted to modify the CS to exclude the PAN events.

| `tstats` count from datamodel=Web.Web where NOT sourcetype=pan:threat by _time,Web.status span=10m 
| timechart minspan=10m useother=`useother` count by Web.status 
| `drop_dm_object_name("Web")`
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

I'm tempted to modify the CS to exclude the PAN events.

| `tstats` count from datamodel=Web.Web where NOT sourcetype=pan:threat by _time,Web.status span=10m 
| timechart minspan=10m useother=`useother` count by Web.status 
| `drop_dm_object_name("Web")`
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

Motivator

Thx Rich - worked perfectly

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!