Splunk Search

Why virustotal doesn't fill in values?

bt149
Path Finder

Using the "virustotal" cmd, it appears that if there are multiple events that have the same file_hash, only one of the events will "populate" the field/values from the virustotal cmd. I can't post events.

Example would be:

event 1:

_time=08/06/2023 07:00:00
dest=abc1
file_hash=45vv678
file_name=badguy.dll
file_path=my_path 
vt_* will be populated


event 2:

_time=08/06/2023 07:150:00
dest=abc2
file_hash=45vv678
file_name=badguy.dll
file_path=my_path
vt_* - nothing will be populated


event 3:

_time=08/06/2023 07:30:00
dest=abc3
file_hash=45vv678
file_name=badguy.dll
file_path=my_path
vt_* - nothing will be populated

I know the SPL is fine, as if I were to change the time picker to that of just the 2nd or 3rd event, all the vt_ fields would be populated. It looks like this is the expected behavior. Thanks in advance.

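If the app's command really enriches only the first event for each hash within the result set, the enriched fields can be copied onto the other events sharing that file_hash with eventstats. This is an added example, not from the thread or the app: it assumes the command is invoked as `| virustotal` on the file_hash field and writes its output as vt_* fields (as the post describes), and `<your_index>` / `<your_sourcetype>` are placeholders.

```spl
index=<your_index> sourcetype=<your_sourcetype> file_hash=*
| virustotal
| eventstats first(vt_*) as vt_* by file_hash
| table _time dest file_hash file_name file_path vt_*
```

Stats functions skip events where the field is null, so first(vt_*) picks up the one populated copy per hash and broadcasts it to the rest; the time range must still include the event the command populated, or there is nothing to copy.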

VatsalJagani
SplunkTrust

@bt149 - I'm sure you are using a custom App here, as mentioned by @yuanliu.

Kindly post your search query here (you can hide any sensitive data in the SPL), and then we might spot any issues.


yuanliu
SplunkTrust

There is no virustotal command in Search Commands. If you are using a special app that provides this command, you should go to that app's forum for help.
