Dear,
For a couple of hours I have been trying to get this:
I have one log with no similar wording in one line... because of that I cannot get what I need in one search.
These two searches get what I need:
index=ise "authentication failed" "Administrator-Login"
index=ise "authentication failed" "UserName"
Now I want to join these two queries into one and get results showing which admin logins and user logins have authentication failed...
Thank you
Succeeded with:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| stats count by UserName
| append
[search index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| stats count by AdminName]
Can you try:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
Seems that's what I need; how do I sort it by count now?
Try the below:
...|sort 0 - count
Yes, that, and make it like a table, to visualize instead of showing logs?
Use the
| table
to create a table of any fields you are interested in, the results from the search should provide interesting fields on the left of the search panel, then use
| sort
Nope, whatever I do, I cannot get it...
What about multisearch?
Hm, seems this is fine:
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| table AdminName UserName
| sort 0 - count
Now, instead of a couple of the same usernames in the list, I need them to be just counted, not repeated...
If you want to count by UserName and AdminName,
then try:
...|stats count by UserName AdminName
With that, 0 score.
With only "stats count by UserName" I see all except admin accounts...
So now, I only need more to show/include the admin count...
which seems impossible, and because of that I want to try the multisearch option?
but never used it...
Which query did you try? What is your sample output so far, and what output are you expecting?
To show in tabular format, use the table command and then specify your field names:
...|table fieldname
OR
...|table *
How about this?
index=ise "authentication failed" ("Administrator-Login" OR "UserName")
In that query, I don't see administrator logins... 😕
Can you try something like this?
index=ise authentication="failed" Administrator="Login"
| table UserName
I suggest adding a sourcetype to the search as well in the future.
This cannot be done, because the logs are like syslog, and I cannot search by those fields... 😞
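Putting the pieces from this thread together (the OR'd base search, stats, sort and table) in one combined search, as an added example that nobody in the thread posted: it assumes the AdminName and UserName fields are extracted for the respective lines, as the "stats count by UserName" result above suggests, and uses eval with coalesce to fold both into a single account field so admin and user failures are counted in one table instead of being appended as two separate result sets. The account_type, account, failures, first_seen and last_seen names are chosen here and are not from the thread.

```spl
index=ise ("authentication failed" "Administrator-Login") OR ("authentication failed" "UserName")
| eval account_type=if(searchmatch("Administrator-Login"), "admin", "user")
| eval account=coalesce(AdminName, UserName)
| where isnotnull(account)
| stats count AS failures min(_time) AS first_seen max(_time) AS last_seen BY account_type account
| convert ctime(first_seen) ctime(last_seen)
| sort 0 - failures
| table account_type account failures first_seen last_seen
```

The where line drops events where neither field was extracted, which is exactly the case that made the admin count look "impossible" earlier in the thread: if the Administrator-Login lines carry no AdminName field, they disappear here. Run the search once without the where and stats lines and check whether the admin rows have an empty account column; if they do, the missing piece is field extraction for those syslog lines, not the counting, and the first_seen/last_seen columns then make it easy to spot an account with many failures in a short window.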