Solved: How to edit my search to plot time ranges for host...

Blu3fish · ‎03-20-2017

I'm trying to create a search that'll visualize when a network scan is being run against a particular target. To do this I'm extracting a start and stop time based on a target and unique job (since job #'s can be reused). I want there to be a solid representation of this scan window so I'm trying to mark a single event by linking the start/stop times to the unique target + job.

Sample start event:

[Mon Mar 20 21:15:45 2017][21243.5571392][JOB_NAME=f2cd71ab-fd0c-5d94-ae5f-b3974cd790ed-2383424/Chunk 101.][JOB_UUID=baff3d9a-4b13-cec6-d8b8-02b8307599c4b95da7ea96b5cb5d] user admin : testing 10.69.47.124 (10.69.47.124) [5571406]

Sample stop event:

[Mon Mar 20 21:20:58 2017][21243.5571406][JOB_NAME=f2cd71ab-fd0c-5d94-ae5f-b3974cd790ed-2383424/Chunk 101.][JOB_UUID=baff3d9a-4b13-cec6-d8b8-02b8307599c4b95da7ea96b5cb5d] Finished testing 10.69.47.124. Time : 313.03 secs

I'm able to achieve an approximation of the results I'm after using this search paired with an area chart, stack mode: not stacked, and connecting null values:

index=test sourcetype=testd testing
| rex field=_raw "user admin : testing (?\S+).*?\((?\S+)\).+?"
| eval target=coalesce(target_host,target_ip)
| rex field=_raw "Finished testing (?\S+).*? Time : (?\S+?)\s+"
| rex mode=sed field=target "s/\.$//g"
| search target=10.69.47.124
| stats c as "Scan Window" by _time, target
| xyseries _time,target,"Scan Window"

This works for short time ranges but if I broaden the time range to include additional times this host may have been scanned, the resulting chart displays the initial start time and the final stop time (essentially merging and displaying multiple scan windows into one).

I've been able to create a table showcasing the data I'm trying to visualize with a chart but I'm not sure what the next step would be:

index=test sourcetype=testd testing
| rex field=_raw "user admin : testing (?\S+).*?\((?\S+)\).+?"
| rex "^[^/\n]*/\w+\s+(?P\d+)"
| eval target=coalesce(target_host,target_ip)
| rex field=_raw "Finished testing (?\S+).*? Time : (?\S+?)\s+"
| rex mode=sed field=JOB_NAME "s/\/.*//g"
| rex mode=sed field=target "s/\.$//g"
| search target=10.69.47.124
| bin _time
| stats earliest(_time) as start, latest(_time) as stop by target,JOB_NAME,chunk 
| convert ctime(start) ctime(stop)

woodcock · ‎03-20-2017

You just need to consider the JOB_UUID field, too, like this:

index=test sourcetype=testd testing
| rex "\[JOB_UUID=(?<JOB_UUID>[^\]]+)\]"
| rex "user admin : testing (?<target_host>\S+).*?\((?<target_ip>\S+)\).+?"
| eval target=coalesce(target_host,target_ip)
| rex "Finished testing (?<target>\S+).*? Time : (?<time>\S+?)\s+"
| rex mode=sed field=target "s/\.$//g"
| search target=10.69.47.124
| eval target=JOB_UUID . "/" target
| stats c as "Scan Window" by _time, target
| xyseries _time target "Scan Window"

View solution in original post

woodcock · ‎03-20-2017

You just need to consider the JOB_UUID field, too, like this:

index=test sourcetype=testd testing
| rex "\[JOB_UUID=(?<JOB_UUID>[^\]]+)\]"
| rex "user admin : testing (?<target_host>\S+).*?\((?<target_ip>\S+)\).+?"
| eval target=coalesce(target_host,target_ip)
| rex "Finished testing (?<target>\S+).*? Time : (?<time>\S+?)\s+"
| rex mode=sed field=target "s/\.$//g"
| search target=10.69.47.124
| eval target=JOB_UUID . "/" target
| stats c as "Scan Window" by _time, target
| xyseries _time target "Scan Window"

How to edit my search to plot time ranges for hosts based on start/stop events?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!