Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex help in filtering machines that were not com...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have events that detect compliance of machines via forescout data (we don't have the app installed) and I'd like to filter on only those machines that have been and remained non-compliant (in the last 30days).
In my current regex, it's listing all unique combinations of machine and status (or rather description which is aligned to the status).
index="forescout" sourcetype="fs_dlp_compliance" | dedup src_nt_host description sortby +src_nt_host -_time | table src_nt_host description status user _time
Sample output:
703019998LSYF Symantec DLP installed and running compliant 703019998 2015-12-17T09:23:26.000-0500
703024710LSYF Symantec DLP installed and running compliant 703024710 2016-01-11T20:57:25.000-0500
703024710LSYF DLP Not installed Non-compliant 703024710 2016-01-06T19:11:54.000-0500
703039420LSYF Symantec DLP installed and running compliant 703039420 2016-01-10T10:42:09.000-0500
703039420LSYF DLP Not installed Non-compliant 703039420 2016-01-06T19:11:54.000-0500
BSHYDSY-D230 DLP Not installed Non-compliant USER 2016-01-05T12:50:14.000-0500
BSHYDSY-L007 DLP Not installed Non-compliant USER 2016-01-11T20:58:26.000-0500
BSHYDSY-L008 DLP Not installed Non-compliant USER 2016-01-07T03:49:19.000-0500
BSHYDSY-L011 DLP Not installed Non-compliant USER 2016-01-12T06:44:05.000-0500
So, again, those events that have status "Non-compliant" that DON'T have another event that have status "compliant" (in the last 30days) are the ones I'd like to filter on.
Any help is appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is what I would do (not validated so keep an eye on the syntax):
index="forescout" sourcetype="fs_dlp_compliance" earliest=-30d@d
| fields src_nt_host status
| eval statusValue = if(match(status, "Non-compliant"), 0, 1)
| stats sum(statusValue) as statusValue by src_nt_host
| search statusValue = 0
| table src_nt_host
If you then need to display other fields such as description or user you can use the same technique.
Hope that works for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is what I would do (not validated so keep an eye on the syntax):
index="forescout" sourcetype="fs_dlp_compliance" earliest=-30d@d
| fields src_nt_host status
| eval statusValue = if(match(status, "Non-compliant"), 0, 1)
| stats sum(statusValue) as statusValue by src_nt_host
| search statusValue = 0
| table src_nt_host
If you then need to display other fields such as description or user you can use the same technique.
Hope that works for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @javiergn!
In testing your suggested regex, I narrowed it down to the one host (in bold above), 703024710LSYF.
For this host, there were 54 events where status="Non-compliant" and 1 event where status="compliant". It's most recent status is "compliant" which we don't want on the list and it worked!
Thanks again!
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Index This | When is October more than just the tenth month?
Observe and Secure All Apps with Splunk
