Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Proper execution of subsearch help

kelie
Path Finder
‎02-19-2021 03:42 PM

So here is my existing query as it runs now

sourcetype=snort
[search sourcetype=snort 
|top limit=20 src| table src]
| stats count, values(signature) as Sigs by src
| sort -count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures

I am not the original builder of this query but I am editing it.

these are normalized snort logs. Id like to return the top 20 signatures by source, while displaying source (src), count, country,  dns rsolution (dnslookup) and signature (sigs)

There are signatures i want to completely exclude by (sig_id), and then there are signatures i would like to exclude where signature has specific src or cidr range. I seem to be creating unbalanced parenthesis when trying my boolean expressions or Wheres. Please assist

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-19-2021 05:37 PM 
sourcetype=snort
``` There is no need for sub-searching, since you end up searching for everything.```
| stats count, values(signature) as Sigs by src
| sort  20 - count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| mvexpand Sigs
| search NOT [ | inputlookup Signatures.csv | rename Signatures as Sigs | format ]
``` exclude Sgnatures CSV ```
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures

View solution in original post

Reply
Solved! Jump to solution

kelie
Path Finder
‎02-21-2021 09:06 PM

could you help me better understand the mvexpands ?

also i wouldnt need to import the signatures from a csv. 

kelie_0-1613970180199.png

 

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎02-22-2021 01:21 AM 
| stats count, values(signature) as signature by src

This makes signature multi-values.  mvexpand separetes them to single rows.

It's going to everyone, but I can't make queries without logs.

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-19-2021 05:37 PM 
sourcetype=snort
``` There is no need for sub-searching, since you end up searching for everything.```
| stats count, values(signature) as Sigs by src
| sort  20 - count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| mvexpand Sigs
| search NOT [ | inputlookup Signatures.csv | rename Signatures as Sigs | format ]
``` exclude Sgnatures CSV ```
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures
Reply
Solved! Jump to solution

kelie
Path Finder
‎02-22-2021 12:16 PM

im sorry. i did not have the full query. this is the one as it runs now

 

sourcetype=snort
NOT (signature_id=129:7:1 OR signature_id=124:1:1 OR signature_id=142:1:1 OR signature_id=124:7:1 OR signature_id=129:18:1 OR signature_id=129:8:1)
[search sourcetype=snort (signature!="(spp_sip)*" (src_ip!=10.10.21.11 AND signature!="*POP3*") AND (src_ip!=10.108.246.111 OR 10.108.243.112 OR 10.108.243.113 OR 10.108.243.114 OR 10.108.243.115 OR 10.108.243.116) AND signature_id!=125:1:1)
|top limit=20 src| table src]
| stats count, values(signature) as Sigs by src
| sort -count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...