Splunk Search

Help with report creation please

GIA
Path Finder

hello I am pretty new using Splunk and I am being tasked to generate multiple of these kinds of reports in Splunk (original reports were from a SQL tool) 

I really need help in finding the right query for this. Especially how to include certain users and exclude others. 

your help is greatly appreciated!!

————-
* Collect all available log sources.

* Generate a report that shows Changes to System Sec Config events occurred on the previous day, grouped by source users. 

 

Format: .csv, List of events , table with subset of fields (User, Date/Time, Event, Group, oHost, Host (Impacted), oLogin, VendorMsgID, Domain Impacted), Grouped by User

Schedule: daily

Search window: -24 hours

Expiration: 30 days

 

# Technical Context

The following events are of interest

Vendor Message IDs - 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4736, 4737, 4740, 4754, 4755, 4756, 4757, 4758, 4759, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4791, 631

AND User is NOT xxx, system, xxx, xxxx, xxxxx, 

AND User (Impacted) IS NOT (res group name) 

AND Host (Impacted) IS NOT %sc% (SQL PATTERN), %sd% (SQL PATTERN), ^sc.+, ^sd.+

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I think you'll find you'll get more help from these forums if you show you've made some effort to solve the problem before posting.  Tell what query you've tried and how it didn't meet expectations.

SQL users new to SPL should see Splunk's SPL for SQL Users manual at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk

IMO, any requirement that calls for "all available log sources" hasn't been thought through enough.  It's a rare use case that needs every source; most will need specific sources.

We need to know more about the "report that shows Changes to System Sec Config events".  Splunk tracks its own config changes in the _configtracker index, but that information does not include user info.  If you refer to configs for other systems then please identify those systems.  Of course, those systems must be reporting info to Splunk.

The first step to creating a report is to create a search for the data that goes into that report.  Once that is producing the desired results, click on the "Save as" menu and select Report.  That is where you select the report format and schedule it.

The expiration time of a search/report must be set manually from the Jobs dashboard (Activity->Jobs).  IIRC, the maximum TTL is seven days.  The 30-day expiration date is too long and may use up the users' disk quota.

You can use the IN operator in the search command to filter message IDs and users.  SQL patterns are available using the like function within where and eval commands.  Use the table command to select fields for display and the stats command to group results.

index=foo VendorMsgID IN (4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4736, 4737, 4740, 4754, 4755, 4756, 4757, 4758, 4759, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4791, 631)
AND NOT User IN (xxx, system, xxx, xxxx, xxxxx)
AND User_Impacted != (res group name) 
| where NOT (match(Host_Impacted, "%sc%") OR match(Host_Impacted, "%sd%") OR match(Host_Impacted, "^sc.+") OR match(Host_Impacted, "^sd.+"))
| table User, _time, Event, Group, oHost, Host_Impacted, oLogin, VendorMsgID, Domain Impacted)
| stats values(*) as * by User

 

---
If this reply helps you, Karma would be appreciated.

GIA
Path Finder

Hello,

Thank you so much. The event IDs listed are all regarding changes to the system. This report would be the "report that shows Changes to System Sec Config events". Regarding all logs, we have identified the specific ones. 

I am running the query you suggested but it's not giving any results. No error messages. Thanks again! 🙂

index=foo eventid IN (4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4736, 4737, 4740, 4754, 4755, 4756, 4757, 4758, 4759, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4791, 631) 

| fields user, action, subject, ProcessName

| stats min(_time) as FirstEvent max(_time) as LastEvent count by user, _time, action, subject, ProcessName

AND NOT User IN (list_of_users )

AND User_Impacted != (AD_Group)

| where NOT (match(Host_Impacted, "sc") OR match(Host_Impacted, "sd") OR match(Host_Impacted, "^sc.+") OR match(Host_Impacted, "^sd.+"))

| table User, _time, EventID, Group, Host, Host_Impacted, Login, VendorMsgID, Domain Impacted)

| stats values(*) as * by User

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The query I provided was an example that must be customized for your environment.  At the very least, the index name "foo" must be changed to the name of the index that holds the event data.  The field names also may need to be changed.  Look at the events to see what is available to you.

---
If this reply helps you, Karma would be appreciated.

GIA
Path Finder
 

Hi, my apologies for not being more specific. The query I provided was modified for security reasons. I am indeed replacing the placeholders like "foo"  with the correct indexes, plus the rest of the required data( host names etc.) Thank you.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

One the query one pipe at a time (start with the first pipe and iteratively add the next) until you find the one that returns no results.  Share that command and we'll see if can figure out what's happening.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...