How to write a search to show events that do not meet transaction requirements?

Fleshwriter
Explorer

Hello,

I am trying to find a way to show events which do not meet the transaction requirements, so of course I can't use |transaction. I was thinking of using eval with if or case, but I would be grateful for help. What I've got is:

index=abc host=server
source="C:\\...\\Logs\\ex*"
OR source="C:\\...\\cmdout1.log"
OR source="C:\\...\\cmdout2.log"

created OR encrypt

|rex "(?:(?<date_cre>\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}).*|(?:(?<encry>encrypt)\.cmd\s))(?<FileN>\d{5}\-\w\-\w\-\d{5}\-\d{8}\-\d{2}\-\d)(?:.*\nStarted at\: (?<date_enc>[ \/0-9\:]*))?"
|stats values(*) as * by FileN
|table date_cre FileN encry date_enc

All works fine, but I'd like to get rid of some events from the results. The rule would be: ignore if both "created" and "encrypt" match FileN. That way, I would see only those files that didn't make it to the "encryption" step, which means an error for those files.

Thanks,
- F.


Fleshwriter
Explorer

Yeah, I'm a bloody idiot... It was soooo simple, almost like somesoni2 suggested.
I wanted to post it yesterday, but Karma didn't let me post more than 2 each day.

|rex "(?:(?<date_cre>\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}).*|(?:(?<encry>encrypt)\.cmd\s))(?<FileN>\d{5}\-\w\-\w\-\d{5}\-\d{8}\-\d{2}\-\d)(?:.*\nStarted at\: (?<date_enc>[ \/0-9\:]*))?"
|stats values(*) as * by FileN
|eval processed=if(match(date_enc, "\d"), "Yep", "Nope")
|table date_cre FileN processed date_enc
|search processed="Nope"

Because date_enc always has a first digit, I can easily check on it. And if a file didn't make it to the encryption step, the field "date_enc" is empty. To find error files I only needed to search for it. Thanks for help anyway 🙂



somesoni2
SplunkTrust

Give this a try

index=abc host=server source="C:\\...\\Logs\\ex*" OR source="C:\\...\\cmdout1.log" OR source="C:\\...\\cmdout2.log"
created OR encrypt | eval type=if(match(_raw,"created"),"created","encrypt")
|rex "(?:(?<date_cre>\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}).*|(?:(?<encry>encrypt)\.cmd\s))(?<FileN>\d{5}\-\w\-\w\-\d{5}\-\d{8}\-\d{2}\-\d)(?:.*\nStarted at\: (?<date_enc>[ \/0-9\:]*))?"
|stats values(*) as * by FileN | where mvcount(type)=1
|table date_cre FileN encry date_enc type
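To check the two rules from this thread offline before running them in Splunk, here is an added Python example (not from the thread or from Splunk) that applies the posted rex to constructed sample events, emulates `stats values(*) as * by FileN`, and reports which files Fleshwriter's empty-date_enc test and somesoni2's `mvcount(type)=1` test would each surface. It assumes Python's `re`, which spells named groups `(?P<name>` rather than PCRE's `(?<name>`, and the sample file ids are constructed to fit the posted rex; note that the id quoted in the thread's own sample event (90004-K-P-60721-01-30430489-14) does not fit that rex's `\d{5}-\d{8}-\d{2}-\d` tail, which is worth checking against real data.

```python
import re
from collections import defaultdict

# The rex from the thread, verbatim: PCRE syntax as Splunk's rex command takes it.
SPLUNK_REX = (
    r"(?:(?<date_cre>\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}).*|(?:(?<encry>encrypt)\.cmd\s))"
    r"(?<FileN>\d{5}\-\w\-\w\-\d{5}\-\d{8}\-\d{2}\-\d)"
    r"(?:.*\nStarted at\: (?<date_enc>[ \/0-9\:]*))?"
)

def pcre_to_python(pattern):
    """Python spells named groups (?P<name>...); rewrite (?<name> but leave lookbehinds (?<= (?<! alone."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)

REX = re.compile(pcre_to_python(SPLUNK_REX))

def extract(event):
    """Emulate `rex` on _raw (first match only) plus somesoni2's eval type=if(match(_raw,"created"),...)."""
    m = REX.search(event)
    fields = {k: v for k, v in m.groupdict().items() if v} if m else {}
    fields["type"] = "created" if "created" in event else "encrypt"
    return fields

def stats_by_filen(events):
    """Emulate `stats values(*) as * by FileN`: distinct values of every field, keyed on FileN."""
    by_file = defaultdict(lambda: defaultdict(set))
    for fields in map(extract, events):
        if "FileN" in fields:  # events where the rex did not fire drop out of the by-clause
            for k, v in fields.items():
                by_file[fields["FileN"]][k].add(v)
    return by_file

def missing_date_enc(events):
    """Fleshwriter's rule: a FileN with an empty date_enc never produced a 'Started at:' line."""
    return sorted(f for f, v in stats_by_filen(events).items() if not v.get("date_enc"))

def single_event_type(events):
    """somesoni2's rule (`where mvcount(type)=1`): only one of created/encrypt was seen for the FileN."""
    return sorted(f for f, v in stats_by_filen(events).items() if len(v["type"]) == 1)

# Constructed sample events (not from the thread's logs); ids are shaped to fit the rex above.
EVENTS = [
    "2016-07-28 06:24:24 10.0.0.5 - host [2035]created /90004-K-P-60721-30430489-14-1.fwd.pgp - 226 - 218196 - 22",
    "Command: c:\\pgp\\pgp_encrypt.cmd 90004-K-P-60721-30430489-14-1.zip.end \\\\srv\\out\nStarted at: 07/28/2016 08:30:08",
    "2016-07-28 06:25:10 10.0.0.5 - host [2036]created /90004-K-P-60721-30430489-14-2.fwd.pgp - 226 - 218196 - 22",
    "2016-07-28 06:26:01 10.0.0.5 - host [2037]created /90004-K-P-60721-30430489-14-3.fwd.pgp - 226 - 218196 - 22",
    # file 3 was encrypted but its log was cut before 'Started at:', so the two rules disagree on it
    "Command: c:\\pgp\\pgp_encrypt.cmd 90004-K-P-60721-30430489-14-3.zip.end \\\\srv\\out",
]
```

Running `missing_date_enc(EVENTS)` flags files 2 and 3, while `single_event_type(EVENTS)` flags only file 2, which shows why the choice between the two rules matters when the encrypt log can be truncated.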

DMohn
Motivator

Can you please post an example of an event you want to discard? Especially the value of the FileN field would be interesting, as this is the one you want to compare with your search strings.


Fleshwriter
Explorer

There are two events. One is "created", which says the file was created in the system correctly, and the second is "encrypt", which says the file was processed correctly. As you can see, I've made a table out of it. As the final result, I want the table not to show those rows which have the encrypt event matched.

In events below "90004-K-P-60721-01-30430489-14" is FileN, and it occurs in both "created" and "encrypt".

Event #1 "encrypt" - this I want to hide
Command: c:(cut)_pgp_encrypt.cmd 90004-K-P-60721-01-30430489-14.zip.end \(cut)\plpic
... 3 lines omitted ...
(cut)
... 21 lines omitted ...
C:(cut)>if on == on echo Thu 07/28/2016- 8:30:08.91 OK - launch "c:(cut)pgp_encrypt.cmd" 90004-K-P-60721-01-30430489-14.zip.end \(cut)\script-072816-083008-15583.log
... 45 lines omitted ...
0x1419A3FE:encrypt ( (cut) )
\(cut)\90004-K-P-60721-01-30430489-14.zip:encrypt ( (cut) \OUT\90004-K-P-60721-01-30430489-14.zip.pgp)

Event #2 "created"
2016-07-28 06:24:24 80.55.107.10 - (cut) [2035]created /90004-K-P-60721-01-30430489-14.fwd.pgp - 226 - 218196 - 22
