Splunk Search

Regex help in filtering machines that were not compliant that now are....

tristamaltizo
New Member

I have events that detect compliance of machines via forescout data (we don't have the app installed) and I'd like to filter on only those machines that have been and remained non-compliant (in the last 30 days).

In my current regex, it's listing all unique combinations of machine and status (or rather description which is aligned to the status).

index="forescout" sourcetype="fs_dlp_compliance" | dedup src_nt_host description sortby +src_nt_host -_time | table src_nt_host description status user _time

Sample output:
src_nt_host    description                         status         user       _time
703019998LSYF  Symantec DLP installed and running  compliant      703019998  2015-12-17T09:23:26.000-0500
703024710LSYF  Symantec DLP installed and running  compliant      703024710  2016-01-11T20:57:25.000-0500
703024710LSYF  DLP Not installed                   Non-compliant  703024710  2016-01-06T19:11:54.000-0500
703039420LSYF  Symantec DLP installed and running  compliant      703039420  2016-01-10T10:42:09.000-0500
703039420LSYF  DLP Not installed                   Non-compliant  703039420  2016-01-06T19:11:54.000-0500
BSHYDSY-D230   DLP Not installed                   Non-compliant  USER       2016-01-05T12:50:14.000-0500
BSHYDSY-L007   DLP Not installed                   Non-compliant  USER       2016-01-11T20:58:26.000-0500
BSHYDSY-L008   DLP Not installed                   Non-compliant  USER       2016-01-07T03:49:19.000-0500
BSHYDSY-L011   DLP Not installed                   Non-compliant  USER       2016-01-12T06:44:05.000-0500

So, again, those events that have status "Non-compliant" and DON'T have another event with status "compliant" (in the last 30 days) are the ones I'd like to filter on.

Any help is appreciated!


javiergn
Super Champion

This is what I would do (not validated so keep an eye on the syntax):

index="forescout" sourcetype="fs_dlp_compliance" earliest=-30d@d
| fields src_nt_host status
| eval statusValue = if(match(status, "Non-compliant"), 0, 1)
| stats sum(statusValue) as statusValue by src_nt_host
| search statusValue = 0
| table src_nt_host

If you then need to display other fields such as description or user you can use the same technique.

Hope that works for you.
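Picking up the "same technique" hint in the answer above, here is an added example (not javiergn's code and not from the original thread) that keeps the same per-host reduction but also carries description, user, event count and last-seen time through the stats; it assumes the field names and the exact status values "compliant" / "Non-compliant" shown in the question's sample output.

```spl
index="forescout" sourcetype="fs_dlp_compliance" earliest=-30d@d
| fields src_nt_host status description user _time
| eval isCompliant = if(lower(status)="compliant", 1, 0)
| stats max(isCompliant) as everCompliant,
        count as events,
        latest(description) as description,
        latest(user) as user,
        latest(_time) as lastSeen
        by src_nt_host
| where everCompliant = 0
| eval lastSeen = strftime(lastSeen, "%Y-%m-%dT%H:%M:%S%z")
| table src_nt_host description user events lastSeen
```

The exact comparison is deliberate: "Non-compliant" contains the substring "compliant", so a match() or wildcard test for "compliant" would flag every event as compliant and the filter would return nothing. On the sample output above this keeps the four BSHYDSY-* hosts and drops 703024710LSYF and 703039420LSYF, which each have a "compliant" event in the window.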

tristamaltizo
New Member

Thanks @javiergn!

In testing your suggested regex, I narrowed it down to the one host (in bold above), 703024710LSYF.

For this host, there were 54 events where status="Non-compliant" and 1 event where status="compliant". Its most recent status is "compliant", which we don't want on the list, and it worked!

Thanks again!
