Splunk Search

How to hide some specific events from the search results?

sreejith2k2
Explorer

On my search results, I need to hide some specific events from the output. Currently I am running a search to find if there is any credit card data available in the logs. I am using a Luhn lookup to fetch the results. But this is creating hundreds of false positive alerts a day. Mostly the false positive results are generated based on the session id or support id, which we know for sure are false positives.

As a solution, I have extracted the session id and support id and assigned them to a variable named CARD using regex. Then I have used that variable to check whether it is a false positive or not. If it is a false positive, don't display the result.

Here is my logic; could you please correct it, as it is not working?
Note: session id and support id are 18-20 alphanumeric characters, say u8956742397238567a. So if the digits match the PAN logic, then it triggers a false positive alert.

rex field=orig_raw "\ssession_id:\s[a-z]?(?<CARD>\d+)[a-z]?" | eval falsepositive = if(PAN == CARD, "1", "0") | where falsepositive = "0"
0 Karma
1 Solution

woodcock
Esteemed Legend

Why not just do something like this:

index=*
| regex _raw = "(?:\d{4}-\d{4}-\d{4}-\d{4})|\d{16}"
| rex max_match=0 "(?<PotentialCCN>(?:\d{4}-\d{4}-\d{4}-\d{4})|\d{16})"
| table _raw "Support id" "Session id" And Any Other Field That Looks Like A CCN HERE
| mvexpand PotentialCCN
| eval FALSE_POSITIVE=case(PotentialCCN = 'Support id', 1,
                           PotentialCCN = 'Session id', 1,
                           ...,
                           true(), 0)
| search FALSE_POSITIVE=0


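A runnable version of the suppression logic in this answer, added here as an example (not SPL from the post and not Splunk code): it pulls the 18-20 character session/support ids out of each event, Luhn-checks every 16-digit candidate, and drops a candidate whose digit run equals one of those ids, which is what the case() above does for FALSE_POSITIVE=1. The log lines are constructed, and the session_id/support_id key names are assumed.

```python
import re

# Constructed sample events (not from the original post). The first, second and
# fifth carry an 18-character id whose 16-digit run happens to pass Luhn.
SAMPLE_EVENTS = [
    "2024-05-01 10:00:01 session_id: u4111111111111111a user=alice action=login",
    "2024-05-01 10:00:02 support_id: s5555555555554444b ticket opened",
    "2024-05-01 10:00:03 payment card=4111-1111-1111-1111 amount=12.00",
    "2024-05-01 10:00:04 order 1234567890123456 shipped",
    "2024-05-01 10:00:05 session_id: u4111111111111111a card=5555-5555-5555-4444",
]

# Same candidate pattern as the answer's rex: dashed groups of four, or 16 digits.
CCN_RE = re.compile(r"\d{4}-\d{4}-\d{4}-\d{4}|\d{16}")
# Assumed key names; the 18-20 alphanumeric length comes from the question.
ID_RE = re.compile(r"\b(session_id|support_id):\s*([A-Za-z0-9]{18,20})\b")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_alerts(events):
    """Return (event, candidate) pairs that pass Luhn and are not a known id."""
    alerts = []
    for event in events:
        # Digit run of each session/support id found on this event.
        known_ids = {re.sub(r"\D", "", m.group(2)) for m in ID_RE.finditer(event)}
        for m in CCN_RE.finditer(event):
            candidate = m.group(0).replace("-", "")
            if not luhn_valid(candidate):
                continue  # fails the PAN check, never an alert
            if candidate in known_ids:
                continue  # FALSE_POSITIVE=1: it is the session/support id
            alerts.append((event, candidate))
    return alerts


if __name__ == "__main__":
    for event, candidate in find_pan_alerts(SAMPLE_EVENTS):
        print(candidate, "<-", event)
```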