Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can tables be used with top to display additional event fields

kelie
Path Finder
‎02-24-2021 04:13 PM

Goal is to return a table that displays the Top 10  (md5) hashes in  recorded alerts received over a 60 days period. 

So base search is :

 

index=cb eventtype=bit9_carbonblack_alert status=Resolved|top limit=10 md5

 

but for each returned result, id like to also show its filename and process_name

 

index=cb eventtype=bit9_carbonblack_alert status=Resolved |table md5 process_name observed_filename

 

 

 

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-25-2021 12:39 PM

Hi @kelie,

Your final query is not much different than mine, since you do not use UID it is better to remove it as an optimization. Below should give the same result;

index=cb eventtype=bit9_carbonblack_alert status=Resolved 
| stats values(process_name) as Process values(observed_filename) as Filename count as Hits BY md5 
| sort 10 -Hits 
| rename md5 as "MD5 Hash"
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-25-2021 12:39 PM

Hi @kelie,

Your final query is not much different than mine, since you do not use UID it is better to remove it as an optimization. Below should give the same result;

index=cb eventtype=bit9_carbonblack_alert status=Resolved 
| stats values(process_name) as Process values(observed_filename) as Filename count as Hits BY md5 
| sort 10 -Hits 
| rename md5 as "MD5 Hash"
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

kelie
Path Finder
‎02-25-2021 09:46 AM

with some tweaking i produced this

index=cb eventtype=bit9_carbonblack_alert status=Resolved 
|stats dc(unique_id) as UID count values(process_name) as Process values(observed_filename) as Filename BY md5 |sort 10 -count|fields md5 Process Filename count |rename md5 as "MD5 Hash" count as "Hits"

 im still new to splunk so critique as needed if not optimized. This query though does line up with the fields i needed and seems to align with a base + top limit search

0 Karma
Reply
Solved! Jump to solution

kelie
Path Finder
‎02-25-2021 07:51 AM

my base search with a top limit yields very different results see below

kelie_0-1614268014712.png

vs

index=cb eventtype=bit9_carbonblack_alert status=Resolved 
| sort 10 - md5
| table md5 process_name observed_filename

kelie_1-1614268211013.png

 vs

index=cb eventtype=bit9_carbonblack_alert status=Resolved 
|stats count values(process_name) as process_name values(observed_filename) as observed_filename by md5
| sort 10 - md5

kelie_2-1614268301897.png

 

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-24-2021 10:07 PM

Missing process_name or observed_filename fields does not effect the stats since they are not in group by side. They will be listed if any. 

That search will show top 10 count for md5 field and available extra fields if any.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-24-2021 08:06 PM

Hi @kelie,

You can try with stats to see the details of hashes;

index=cb eventtype=bit9_carbonblack_alert status=Resolved 
|stats count values(process_name) as process_name values(observed_filename) as observed_filename by md5
| sort 10 - md5
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

kelie
Path Finder
‎02-24-2021 09:58 PM

 

index=cb eventtype=bit9_carbonblack_alert status=Resolved 
|stats count values(process_name) as process_name values(observed_filename) as observed_filename by md5
| sort 10 - md5

 I wouldnt be able to rely on the above as the events do not always have a process_name or observed_name.  

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-24-2021 05:33 PM

The top command discards all fields except the ones in its arguments.  Try using sort, instead.

index=cb eventtype=bit9_carbonblack_alert status=Resolved 
| sort 10 - md5
| table md5 process_name observed_filename
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

kelie
Path Finder
‎02-24-2021 10:02 PM

 i have to include a top or even a count as i need the top 10 number of events by md5. the additional fields provide context for what the software is

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-25-2021 05:44 AM

The sort 10 command is the same as top 10, but doesn't throw away fields.  Try it.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top