Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Find unique values from a system across full p...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Find unique values from a system across full population
When doing a hunting exercise on a ethical hack system, I'm looking for an efficient way to find the unique breadcrumbs on this system compared to all the other systems in same timewindow.
Suppose the EH system 1 has processes A,B,C,D whereas all the systems have processes A,C,D,E,F,G,H....
The result I'm looking for is process=B which was only found on system 1.
Tried with subsearches / join etc but seem to run in circles.
All help is much appreciated. Since full population (except system 1) can be a very large dataset, it's important to make the SPL as efficient as possible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could try something like this (partially pseudo code, not pure SPL)
index=<your idx> <other search terms>
| stats count (process) as nProcess by host process
| where nProcess = 1This gives to you nodes where is unique process running.
r. Ismo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem is that process occurs more than once on the target system hence nProcess=1 is not working.
index=x process_name=*
| stats count (process_name) as nProcess by host process_name | where nProcess = 1
| where host=y
gives zero results since all processes occur more than once on this host y
Dedup on "host process combination" is also not a good idea.
In pseudo sql language I would do
select dc(process) from index a where host=X and process not in (select dc(process) from index a where host !=X)
I tried following - but results are not consistent
Experiment on 2 hosts
2 rundll32.exe
1 iexplore.exe
1 net.exe
1 test.exe
1 rundll32.exe
So rundll32.exe is not unique since both host 1 and 2 have this value for process_name
index=A process_name=* host=1
NOT [search index=A host=2 process_name=*
| fields process_name]
| stats count by process_name
iexplore.exe | 6 |
net.exe | 2 |
test.exe | 4 |
The expected result... but... when extending this to full population except host 1 in the subquery
index=A process_name=* host=1
NOT [search index=A process_name=* host!=1
| fields process_name]
| stats count by process_name
iexplore.exe | 6 |
test.exe | 4 |
rundll32.exe | 2 |
Strangely enough rundll32.exe is still in the result but should have been removed since this process occured on host 1 and host 2 (and probably on numerous other hosts as well)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index=A host=X NOT [search index=A NOT host=X | stats count by process | table process]
| stats count by process | table process
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
