Splunk Search

How to filter results based on timeframe?

alexspunkshell
Contributor

In my search results, I am getting IP and user details.

I want to filter my search results if the same IP has been used by any user "*@xyz.com" in last 30 days.



gcusello
SplunkTrust

Hi @alexspunkshell,

Could you share your search?

Anyway, you could run something like this:

<your_search>
| eval period=if(_time>now()-86400,"Last 24 hours","Previous")
| stats 
   dc(period) AS period_count 
   values(period) AS period
   latest(eval(if(period="Last 24 hours",_time,null()))) AS latest_last_24_hours
   latest(eval(if(period="Previous",_time,null()))) AS latest_previous
   BY IP user
| where period_count=2
| eval latest_previous=strftime(latest_previous,"%Y-%m-%d %H:%M:%S")
| table IP user latest_previous

Anyway, see my approach and adapt it to your requirements.

Ciao.

Giuseppe

alexspunkshell
Contributor

@gcusello 

index=test
eventType IN (security.threat.detected, security.internal.threat.detected)
|rename client.userAgent.rawUserAgent as User_Agent client.geographicalContext.city as Src_City client.geographicalContext.state as src_state client.geographicalContext.country as src_country displayMessage as Threat_Description signature as Signature client.device as Client_Device client.userAgent.browser as Client_Browser
| stats count min(_time) as firstTime max(_time) as lastTime by src_ip user Signature Threat_Description Client_Device eventType Src_Details Src_City User_Agent Client_Browser

gcusello
SplunkTrust

Hi @alexspunkshell,

I don't understand the structure of your search.

Anyway, the row "| search NOT idp_user" requires something after the field name; otherwise Splunk excludes only events containing the string "idp_user".

Likewise the following: | search NOT idp_accountname IN (*idp*references*): you'll never have results, and you cannot check it because you are working with the NOT operator.

You could modify the stats command using my approach and the following check:

index=test
| rex field=_raw "user (?<idp_user>\d+\S+)"
| search NOT idp_user=* NOT actor.alternateId="*idp*" eventType IN (security.threat.detected, security.internal.threat.detected)
| rex field=debugContext.debugData.url "\S+username\=(?<idp_accountname>\S+idp-references)"
| regex src_ip!="47\.37\.\d{1,3}\.\d{1,3}" 
| search NOT idp_accountname IN ("*idp*references*")
| rename client.userAgent.rawUserAgent as User_Agent client.geographicalContext.city as Src_City client.geographicalContext.state as src_state client.geographicalContext.country as src_country displayMessage as Threat_Description signature as Signature client.device as Client_Device client.userAgent.browser as Client_Browser
| strcat "Outcome Reason: " outcome.reason ", Outcome Result: " outcome.result Outcome_Details 
| strcat "Source Country: " src_country ", Source State: " src_state Src_Details
| eval period=if(_time>now()-86400,"Last 24 hours","Previous")
| eventstats 
   dc(period) AS period_count 
   BY src_ip user
| stats 
   count 
   values(period_count) AS period_count 
   min(_time) as firstTime 
   max(_time) as lastTime 
   by src_ip user Signature Threat_Description Client_Device eventType Src_Details Src_City Outcome_Details User_Agent Client_Browser outcome.reason
| where period_count=1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_threatinsight_suspected_passwordspray_attack_filter` 
| `okta_threatinsight_threat_detected_filter`

As I said, try to adapt the approach of my search to yours.

Ciao.

Giuseppe


alexspunkshell
Contributor

@gcusello Thanks for your help.


I tried all the changes in the SPL too. However, period_count is showing 1.

Hence I am unable to filter the results.


gcusello
SplunkTrust

Hi @alexspunkshell,

If period_count=1, it means that the event is present only before the last 24 hours or only inside the last 24 hours, but not in both periods.

Ciao.

Giuseppe

alexspunkshell
Contributor

@gcusello 

For all the results I am getting period_count=1.

Whereas only a few IPs are used by my user="*@xyz.com*" in the last 30 days.

I want to filter specifically for the IPs that were used by user="*@xyz.com*".



alexspunkshell
Contributor

@gcusello SPL used:


index=test
| rename client.userAgent.rawUserAgent as User_Agent client.geographicalContext.city as Src_City client.geographicalContext.state as src_state client.geographicalContext.country as src_country displayMessage as Threat_Description signature as Signature client.device as Client_Device client.userAgent.browser as Client_Browser
| strcat "Outcome Reason: " outcome.reason ", Outcome Result: " outcome.result Outcome_Details 
| strcat "Source Country: " src_country ", Source State: " src_state Src_Details
| eval period=if(_time>now()-86400,"Last 24 hours","Previous")
| eventstats 
   dc(period) AS period_count 
   BY src_ip user
| stats 
   count 
   values(period_count) AS period_count 
   min(_time) as firstTime 
   max(_time) as lastTime 
   by src_ip user Signature Threat_Description Client_Device eventType Src_Details Src_City  Outcome_Details User_Agent Client_Browser outcome.reason



gcusello
SplunkTrust

Hi @alexspunkshell,

Please try this:

index=test
| rename client.userAgent.rawUserAgent as User_Agent client.geographicalContext.city as Src_City client.geographicalContext.state as src_state client.geographicalContext.country as src_country displayMessage as Threat_Description signature as Signature client.device as Client_Device client.userAgent.browser as Client_Browser
| strcat "Outcome Reason: " outcome.reason ", Outcome Result: " outcome.result Outcome_Details 
| strcat "Source Country: " src_country ", Source State: " src_state Src_Details
| eval period=if(_time>now()-86400,"Last 24 hours","Previous")
| stats 
   count 
   dc(period) AS period_count 
   min(_time) as firstTime 
   max(_time) as lastTime 
   values(Signature) AS Signature
   values(Threat_Description) AS Threat_Description 
   values(Client_Device) AS Client_Device
   values(eventType) AS eventType
   values(Src_Details) AS Src_Details
   values(Src_City) AS Src_City
   values(Outcome_Details) AS Outcome_Details
   values(User_Agent) AS User_Agent
   values(Client_Browser) AS Client_Browser
   values(outcome.reason) AS outcome_reason
   by src_ip user 
| where period_count=1

You can debug your search by deleting the last row.

Ciao.

Giuseppe

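An added example, not posted by anyone in the thread, that targets the original question directly (which src_ip values were used by any *@xyz.com user in the last 30 days) and keeps the two-period count from the answers alongside it. It assumes the field names seen in the posts (index=test, src_ip, user, eventType) and that the search is run over a 30-day window (the earliest=-30d is an assumption, adjust it to the time picker you use).

```spl
index=test earliest=-30d latest=now
    eventType IN (security.threat.detected, security.internal.threat.detected)
| eval is_xyz_user=if(like(lower(user), "%@xyz.com"), 1, 0)
| eval period=if(_time>now()-86400, "Last 24 hours", "Previous")
| eventstats max(is_xyz_user) AS ip_used_by_xyz, dc(period) AS period_count BY src_ip
| where ip_used_by_xyz=1
| stats count
    min(_time) AS firstTime
    max(_time) AS lastTime
    values(user) AS users
    values(period) AS periods
    values(period_count) AS period_count
    BY src_ip
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"),
       lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
```

Grouping the eventstats by src_ip alone (not by src_ip user) is what lets one user's activity mark an IP for every other user sharing it; splitting by src_ip user, as in the posted searches, evaluates each (IP, user) pair on its own, which is why period_count came back as 1 everywhere.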