generate a list of unique hashes and append new hashes hourly

wgawhh5hbnht
Communicator

I would like to take the following search that generates the hashes and outputs the lookup:

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" Image=*
| fields Hashes
| eval hash=split(Hashes,",")
| mvexpand hash
| dedup hash
| rex field=hash "(?<type>[^=]+)"
| rex field=hash "=(?<hash>[^=]+)"
| table hash
| outputlookup append=true hashes.csv

The output of the hashes.csv looks like this:

hash
29B7D02A3B5F670B5AF2DAF008810863
96BEC668680152DF51EC1DE1D5362C64C2ABA1EDA86F9121F517646F5DEC2B72
D7AB69FAD18D4A643D84A271DFC0DBDF
FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
601BDDF7691C5AF626A5719F1D7E35F1
4ED2A27860FA154415F65452FF1F94BD6AF762982E2F3470030C504DC3C8A354
9D59442313565C2E0860B88BF32B2277

How do I now take the hashes.csv and constantly add new unique hashes to it?


richgalloway
SplunkTrust

Unless I misunderstand the problem, you have your solution already. The | outputlookup append=true command will add new hashes to the CSV each time the search runs. The key (and perhaps this is the real question) is to schedule the search with a time range that only looks back to the last run. For example, use earliest=-1h if it is run hourly.

---
If this reply helps you, Karma would be appreciated.

wgawhh5hbnht
Communicator

And this will only include unique hashes? I'm concerned about the size of the lookup file growing too large.

As for the scheduled portion, would it make more sense to only use the existing search or should I include the lookup file in the search as well?

richgalloway
SplunkTrust

To ensure uniqueness, include the existing lookup in the search and dedup by hash.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" Image=*
| fields Hashes
| eval hash=split(Hashes,",")
| mvexpand hash
| dedup hash
`comment("This rex command appears to do nothing as the 'type' field is not used")`
| rex field=hash "(?<type>[^=]+)"
| rex field=hash "=(?<hash>[^=]+)"
| table hash
| inputlookup append=true hashes.csv
| dedup hash
| outputlookup hashes.csv

---
If this reply helps you, Karma would be appreciated.
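Putting the two replies together (the hourly schedule from the first and the merge-then-dedup from the last), here is an added savedsearches.conf stanza that is not from this thread; the stanza name and the cron minute are assumptions, and the unused `type` rex is dropped.

```ini
# Added example, not from the thread: stanza name and cron minute are assumptions
[sysmon_unique_hashes_hourly]
enableSched = 1
# run five minutes past each hour so the previous hour's events have been indexed
cron_schedule = 5 * * * *
# look back exactly one hour, snapped to the hour, so consecutive runs are contiguous
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# merge the new hashes with the existing lookup, dedup, and write the whole set back
search = index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" Image=* \
| fields Hashes \
| eval hash=split(Hashes,",") \
| mvexpand hash \
| rex field=hash "=(?<hash>[^=]+)" \
| table hash \
| inputlookup append=true hashes.csv \
| dedup hash \
| outputlookup hashes.csv
```

Because the window is applied to _time, an event indexed more than five minutes after its hour closes is never picked up; widen the lookback (the dedup keeps the lookup free of duplicates either way) if your Sysmon forwarders lag.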