- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multiple events from a specific system in a certai...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Splunkers,
I need your help on the following data set.
Index=auditbeat
host --> log source
command --> command run by host
_time --> _time
host1:
_time : 00.00:00 - 00.15:00 --> 15 min interval
commands run by host1 in time interval above (15 min) : ls, tar, sudo, whoami, cd, mkdir
host2:
_time : 00.00:00 - 00.15:00 --> 15 min interval
commands run by host2 in time interval above (15 min) : ls, rm, history, whoami, cd, mkdir
host3:
_time : 00.00:00 - 00.15:00 --> 15 min interval
commands run by host3 in time interval above (15 min) : ls, chown, chroot, whoami, cd, mkdir
I need to write a search which will look at each 15 min time interval, within EACH15 min time interval if any machine (host) run all these command 'whoami','chroot' and 'history', search will list the result as following
time interval -- host -- commands
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
history is typically a built-in shell command, but assuming your log configuration captures all commands, including shell built-ins, you can use e.g.:
index=auditbeat
| bin _time span=15m
| stats values(command) as command by _time host
| search command=whoami command=chroot command=history
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @tscroggins
"| search command=whoami command=chroot command=history" this line is looking all these commands are available in a time span( in our example 15 min) rigth?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Effectively, yes.
| bin _time span=15m
The bin command converts every time value to the prior 15 minute boundary. E.g. 00:01:01 => 00:00:00, 00:17:30 => 00:15:00, 00:32:00 => 00:30:00, and 00:59:35 => 00:45:00.
Note that binning _time in this way does not produce a rolling 15 minute window. For example, if chroot is executed at 00:59:59.999999 and whoami is executed at 01:00:00.000000, the commands will be binned into separate 15 minute intervals.
| stats values(command) as command by _time host
The stats command uses the values function to aggregate all distinct command values by _time (now binned into 15 minute buckets) and host. The resulting command field will be multi-valued, i.e. it will have one or more simultaneous values.
| search command=whoami command=chroot command=history
The search command looks for all events with command values of whoami, chroot, and history. Since command is now multi-valued, it can (and must) contain all of these values at the same time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
history is typically a built-in shell command, but assuming your log configuration captures all commands, including shell built-ins, you can use e.g.:
index=auditbeat
| bin _time span=15m
| stats values(command) as command by _time host
| search command=whoami command=chroot command=history
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
