Splunk Search

Can you do a data model search based on tstats and macros?

david_casey
Path Finder

Can you do a data model search based on a macro? Trying but Splunk is not liking it. It yells about the wildcards *, or returns no data depending on different syntax.

Base data model search:

| tstats summariesonly count FROM datamodel=Web.Web BY Web.url, Web.client_ip

The macro (coinminers_url) contains url patterns as follows:

"0aqpqdju.me" OR "0x1f4b0.com" OR "12finance.com" OR "1480876790.rsc.cdn77.org" OR "1beb2a44.space" OR "1q2w3.fun" OR "1q2w3.me"

The objective is to cross reference the macro for any matches in the Web data model and display the date/time and internal client IP that hit one (or more) matches from the macro list. These will be the clients that hit a known coinminer domain, which we maintain a list of based on a GitHub repo list. That list is quite large so a traditional search can take quite a while.

Suggestions?

0 Karma

DalJeanis
Legend

You can build a macro that will use the WHERE fieldname IN ("list","of","values") format. Per the docs, the below format should work with wildcards in the macro. https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/ConditionalFunctions

First try this with 3 values and see if it works...

| tstats summariesonly count FROM datamodel=Web.Web BY Web.url, Web.client_ip
    where Web.url IN ("0aqpqdju.me", "0x1f4b0.com",...)

If it works, then just build a macro that resolves to that whole second line.

... if you can't get the above working, then try this, but it will not work with wildcards...

| tstats summariesonly count FROM datamodel=Web.Web BY Web.url, Web.client_ip
| where in(Web.url ,"0aqpqdju.me", "0x1f4b0.com",...)

0 Karma

david_casey
Path Finder

Thanks D... No go unfortunately.

| tstats summariesonly count FROM datamodel=Web.Web BY Web.url, Web.client_ip where Web.url IN ("0aqpqdju.me", "0x1f4b0.com",...)

Error: Error in 'TsidxStats': Wildcards (*) are not supported in groupby fields

(FYI - The wildcards are being stripped in the above query when posted here.)

As to the second option it won't work. It has to contain the wildcards since the url can vary wildly.

Seems like this should be a simple pattern matching search against the DM.

Someone suggested using macros.conf and transforms.conf in another channel. Will give that a try.

0 Karma
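One way to set up the macros.conf/transforms.conf approach mentioned in the last reply, as an added example that is not from anyone in this thread: the URL patterns live in a wildcard lookup (assumed lookup name coinminer_domains and CSV file coinminer_domains.csv, with each pattern wrapped in * on both sides so it matches anywhere in the full Web.url value), and a macro (assumed name coinminer_clients) wraps the tstats search plus the lookup so no wildcard ever reaches the tstats BY clause.

```conf
# transforms.conf -- wildcard lookup over the coinminer domain list
# (assumed lookup name and CSV; the CSV is generated from the maintained list)
[coinminer_domains]
filename = coinminer_domains.csv
match_type = WILDCARD(url)
case_sensitive_match = false

# coinminer_domains.csv -- constructed sample rows; each pattern is wrapped
# in * so it matches the host inside a full URL such as http://0x1f4b0.com/x.js
#   url,is_coinminer
#   *0aqpqdju.me*,true
#   *0x1f4b0.com*,true
#   *1480876790.rsc.cdn77.org*,true

# macros.conf -- data model search plus lookup, invoked as `coinminer_clients`
# tstats aggregates first (plain fields only in BY), the lookup then tags rows
# whose url matches any pattern, and rows with no match are dropped
[coinminer_clients]
definition = | tstats summariesonly=t count FROM datamodel=Web.Web \
    BY _time span=1h, Web.url, Web.client_ip \
  | lookup coinminer_domains url AS Web.url OUTPUT is_coinminer \
  | where isnotnull(is_coinminer) \
  | rename Web.url AS url, Web.client_ip AS client_ip \
  | table _time, client_ip, url, count
iseval = 0
```

A *domain* pattern is a substring match, so *12finance.com* also hits any host that merely contains that string; the lookup runs after aggregation, so the number of distinct url/client_ip/hour rows, not raw event volume, drives its cost.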