Splunk Search

Proper execution of subsearch help

kelie
Path Finder

So here is my existing query as it runs now

sourcetype=snort
[search sourcetype=snort 
|top limit=20 src| table src]
| stats count, values(signature) as Sigs by src
| sort -count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures

I am not the original builder of this query but I am editing it.

These are normalized Snort logs. I'd like to return the top 20 signatures by source, while displaying source (src), count, country, DNS resolution (dnslookup) and signature (sigs).

There are signatures I want to completely exclude by (sig_id), and then there are signatures I would like to exclude where the signature has a specific src or CIDR range. I seem to be creating unbalanced parentheses when trying my boolean expressions or where clauses. Please assist.


to4kawa
SplunkTrust
sourcetype=snort
``` There is no need for sub-searching, since you end up searching for everything.```
| stats count, values(signature) as Sigs by src
| sort  20 - count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| mvexpand Sigs
| search NOT [ | inputlookup Signatures.csv | rename Signatures as Sigs | format ]
``` exclude Signatures CSV ```
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures


kelie
Path Finder

Could you help me better understand the mvexpands?

Also, I wouldn't need to import the signatures from a CSV.


to4kawa
SplunkTrust
| stats count, values(signature) as signature by src

This makes signature multi-valued. mvexpand separates the values into single rows.

It's going to everyone, but I can't make queries without logs.


kelie
Path Finder

I'm sorry. I did not have the full query. This is the one as it runs now:

sourcetype=snort
NOT (signature_id=129:7:1 OR signature_id=124:1:1 OR signature_id=142:1:1 OR signature_id=124:7:1 OR signature_id=129:18:1 OR signature_id=129:8:1)
[search sourcetype=snort (signature!="(spp_sip)*" (src_ip!=10.10.21.11 AND signature!="*POP3*") AND (src_ip!=10.108.246.111 OR 10.108.243.112 OR 10.108.243.113 OR 10.108.243.114 OR 10.108.243.115 OR 10.108.243.116) AND signature_id!=125:1:1)
|top limit=20 src| table src]
| stats count, values(signature) as Sigs by src
| sort -count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures
