Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use EVAL Concatenation within TSTATS?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
donaldwayne1975
Path Finder
03-12-2018
09:58 AM
Want to improve the TSTAT for the "Substantial Increase In Port Activity" correlation search.
| tstats allow_old_summaries=true count,values(All_Traffic.tag) as tag from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest_port
| `drop_dm_object_name("All_Traffic")`
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme
Was able to add the "action" field to determine if it was allowed or blocked with the below.
| tstats allow_old_summaries=true count,values(All_Traffic.tag) as tag from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="allowed" by All_Traffic.dest_port All_Traffic.action
| `drop_dm_object_name("All_Traffic")`
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme
I want to be able to use the EVAL to concatenate several fields and use the TIMECHART to determine the previous x days volume of the same traffic. I have tried the below, but it does not show results. Thoughts or suggestions for using the EVAL to concatenate within a TSTAT? Thank you in advance for your time.
| tstats allow_old_summaries=true count,values(All_Traffic.tag) as tag from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="allowed" by All_Traffic.dest_port All_Traffic.action All_Traffic.dest_ip All_Traffic.src_ip
| `drop_dm_object_name("All_Traffic")`
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme
| eval session= All_Traffic.src_ip."->".All_Traffic.dest_ip."/".All_Traffic.dest_port." was ".All_Traffic.action
| timechart span=1d limit=0 count by session
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
donaldwayne1975
Path Finder
03-12-2018
10:31 AM
Welp! results show up when you include _time. answering your own question... facepalm.gif
| tstats allow_old_summaries=true count,values(All_Traffic.dest_port) AS dest_port values(All_Traffic.action) AS action values(All_Traffic.dest_ip) AS dest_ip values(All_Traffic.src_ip) AS src_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="allowed" by _time,All_Traffic.dest_port, All_Traffic.action, All_Traffic.dest_ip, All_Traffic.src_ip
| `drop_dm_object_name("All_Traffic")`
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme
| eval sessions = src_ip."->".dest_ip."/".dest_port." was ".action
| timechart span=1d limit=0 count by sessions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
donaldwayne1975
Path Finder
03-12-2018
10:31 AM
Welp! results show up when you include _time. answering your own question... facepalm.gif
| tstats allow_old_summaries=true count,values(All_Traffic.dest_port) AS dest_port values(All_Traffic.action) AS action values(All_Traffic.dest_ip) AS dest_ip values(All_Traffic.src_ip) AS src_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="allowed" by _time,All_Traffic.dest_port, All_Traffic.action, All_Traffic.dest_ip, All_Traffic.src_ip
| `drop_dm_object_name("All_Traffic")`
| xswhere count from count_by_dest_port_1d in network_traffic by dest_port is extreme
| eval sessions = src_ip."->".dest_ip."/".dest_port." was ".action
| timechart span=1d limit=0 count by sessions
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
