Splunk Search

Proper execution of subsearch help

kelie
Path Finder

So here is my existing query as it runs now

sourcetype=snort
[search sourcetype=snort 
|top limit=20 src| table src]
| stats count, values(signature) as Sigs by src
| sort -count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures

I am not the original builder of this query, but I am editing it.

These are normalized Snort logs. I'd like to return the top 20 signatures by source, while displaying source (src), count, country, DNS resolution (dnslookup) and signature (sigs).

There are signatures I want to completely exclude by sig_id, and then there are signatures I would like to exclude where the signature has a specific src or CIDR range. I seem to be creating unbalanced parentheses when trying my boolean expressions or where clauses. Please assist.

1 Solution

to4kawa
Ultra Champion

sourcetype=snort
``` There is no need for sub-searching, since you end up searching for everything.```
| stats count, values(signature) as Sigs by src
| sort  20 - count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| mvexpand Sigs
| search NOT [ | inputlookup Signatures.csv | rename Signatures as Sigs | format ]
``` exclude Signatures CSV ```
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures


kelie
Path Finder

Could you help me better understand the mvexpand?

Also, I wouldn't need to import the signatures from a CSV.



to4kawa
Ultra Champion
| stats count, values(signature) as signature by src

This makes signature a multivalue field. mvexpand separates the values into single rows.

It's going to everyone, but I can't make queries without logs.

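To see what mvexpand does without touching production data, here is an added example (not to4kawa's or the original poster's code) that builds a few constructed Snort-like rows with makeresults, collapses them with stats values(), expands them again, and applies the exclusion inline rather than from a CSV, which covers the follow-up question above. The addresses and signature strings are made up.

```spl
| makeresults
| eval line="src=10.0.0.5,signature=ET SCAN Nmap;src=10.0.0.5,signature=POP3 login brute force;src=10.0.0.9,signature=ET SCAN Nmap;src=10.0.0.9,signature=(spp_sip) SIP message"
| makemv delim=";" line
| mvexpand line
| rex field=line "^src=(?<src>[^,]+),signature=(?<signature>.+)$"
| stats count, values(signature) as Sigs by src
| mvexpand Sigs
| search NOT (Sigs="(spp_sip)*" OR Sigs="*POP3*")
| table src, count, Sigs
```

After stats there are two rows, one per src, each with count=2 and a two-value Sigs field. mvexpand Sigs turns those into four rows and copies every other field (including count) onto each one, which is why the search that follows can match on a single signature per row. The result is one row per src with Sigs="ET SCAN Nmap" and count=2. Note that count is still 2, because the exclusion ran after stats; if the count should reflect the exclusion, move the NOT filter in front of stats and apply it to the signature field of the raw events instead.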

kelie
Path Finder

I'm sorry. I did not have the full query. This is the one as it runs now:

sourcetype=snort
NOT (signature_id=129:7:1 OR signature_id=124:1:1 OR signature_id=142:1:1 OR signature_id=124:7:1 OR signature_id=129:18:1 OR signature_id=129:8:1)
[search sourcetype=snort
    (signature!="(spp_sip)*"
     (src_ip!=10.10.21.11 AND signature!="*POP3*")
     AND (src_ip!=10.108.246.111 OR 10.108.243.112 OR 10.108.243.113 OR 10.108.243.114 OR 10.108.243.115 OR 10.108.243.116)
     AND signature_id!=125:1:1)
|top limit=20 src| table src]
| stats count, values(signature) as Sigs by src
| sort -count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures

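Putting the exclusions described in the original question and in the full query above into one query, as an added example rather than the poster's or to4kawa's own code. It uses the signature IDs and addresses from the post, applies every exclusion before stats so that count reflects them, and replaces the top-20 subsearch with sort 20 -count. Two things are assumptions: %PLACEHOLDER_SIGNATURE% stands in for whichever signature the 10.108.x sources are meant to be exempt from, since the post does not say, and the /29 is one way to express that range as a CIDR; it covers 10.108.243.112 through .119, not only .112 to .116, so narrow it or use an IN list if the extra addresses matter. The post groups by src but filters on src_ip, and the example keeps both field names as written.

```spl
sourcetype=snort
    NOT signature_id IN ("129:7:1", "124:1:1", "142:1:1", "124:7:1", "129:18:1", "129:8:1", "125:1:1")
    NOT signature="(spp_sip)*"
| where NOT (src_ip="10.10.21.11" AND like(signature, "%POP3%"))
| where NOT ((src_ip="10.108.246.111" OR cidrmatch("10.108.243.112/29", src_ip)) AND like(signature, "%PLACEHOLDER_SIGNATURE%"))
| stats count, values(signature) as Sigs by src
| sort 20 -count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures
```

The base search drops whole signature IDs and the spp_sip family outright; each where clause removes a signature only when it comes from the listed source or range, which is the "exclude where the signature has a specific src or CIDR range" case, and wrapping each condition in its own NOT (...) keeps the parentheses balanced. Two caveats worth knowing: NOT signature="(spp_sip)*" keeps events that have no signature field at all, while signature!="(spp_sip)*" silently drops them, and the same applies to signature_id; and in the original query the bare addresses after the first OR (10.108.243.112 OR ...) are not field comparisons but free-text terms matched against the raw event, which is why that expression never behaves as a source filter.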