Splunk Search

Search shows results not existing in logs.

aalhabbash1
Path Finder

Hi Splunker;

I have the below search:

index=winevents host=prdaddc02 OR host=PRDADDC01 OR host=DZITHQ-DC3 sourcetype="WinEventLog:Security" signature="An account was successfully logged on" OR signature="Special privileges assigned to new logon" src_nt_host=* NOT [| inputlookup list_kasperSky.csv] NOT [| inputlookup list_not_use_kasperSky.csv] | fields src_nt_host | table src_nt_host | dedup src_nt_host

This search compares the above lookup tables with the Windows security logs: any host not existing in those lookup tables but existing in the Windows logs will appear in the result. The search compares on the (src_nt_host) field.

After running the search, Splunk shows results not existing in the Windows logs. Why did these results appear?

Please help me in that.

BR;


DalJeanis
SplunkTrust

The issue may have to do with what is in your csv files.

This reformatted version should give you the same (lack of) result as your code, but run it first anyway.

index=winevents sourcetype="WinEventLog:Security" src_nt_host=* 
(host=prdaddc02 OR host=PRDADDC01 OR host=DZITHQ-DC3)
(signature="An account was successfully logged on" OR signature="Special privileges assigned to new logon")

| where NOT [| inputlookup list_kasperSky.csv] AND
        NOT [| inputlookup list_not_use_kasperSky.csv] 
| fields src_nt_host 
| table src_nt_host 
| dedup src_nt_host

If that works, then stop; the problem will have been the way the bloom filters work. I can explain that if it fixes the problem.

If that does not work, then run these as separate searches...

| inputlookup list_kasperSky.csv | head 10 | format

| inputlookup list_not_use_kasperSky.csv | head 10 | format

Those will give you a look at how the code is interpreting and formatting your NOTs. It will look something like

 ((fieldname1="value1A" AND fieldname2="value2A" AND...) OR 
  (fieldname1="value1B" AND fieldname2="value2B" AND...) OR
   ....)

Check to make sure that what you are doing makes sense.

Let us know what you find, and we will continue to help you debug.

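To make the advice above concrete, here is an added Python simulation (not code from the thread, and not Splunk's own implementation, whose search language is SPL) of what the two checks do: how `| format` renders lookup rows into the `( ( f="v" ) OR ( f="v" ) )` expression that the `NOT [...]` subsearch expands to, and how that expression then filters events on `src_nt_host`. The lookup contents and events are constructed samples; the two defective lookups (a column named `host` instead of `src_nt_host`, and a value with a trailing space) are hypothetical illustrations of the kind of CSV problem a look at the `format` output would expose. The simulation mirrors the case-insensitive value comparison the `search` command performs, but does not trim whitespace, so a stray space in the CSV means the host is not excluded.

```python
import csv
import io

# Constructed sample of what "| inputlookup list_kasperSky.csv" might return.
# The column name must equal the event field (src_nt_host) or the NOT never applies.
GOOD_LOOKUP_CSV = "src_nt_host\nABH-QAHTANIMS\nHQR-AALTHAWAD\nHQR-NAFJANMA\n"

# Hypothetical defect 1: header does not match the event field name.
WRONG_HEADER_CSV = "host\nABH-QAHTANIMS\nHQR-AALTHAWAD\n"

# Hypothetical defect 2: correct header, but the value carries a trailing space.
TRAILING_SPACE_CSV = "src_nt_host\nHQR-AALTHAWAD \n"

# Constructed events as the base search would see them (host = DC, src_nt_host = workstation).
EVENTS = [
    {"host": "PRDADDC01", "src_nt_host": "ABH-QAHTANIMS"},
    {"host": "PRDADDC01", "src_nt_host": "hqr-aalthawad"},
    {"host": "DZITHQ-DC3", "src_nt_host": "HQR-NAFJANMA"},
    {"host": "PRDADDC02", "src_nt_host": "NEW-LAPTOP-77"},
    {"host": "PRDADDC02", "src_nt_host": "NEW-LAPTOP-77"},
]


def load_lookup(text):
    """Parse CSV text into rows, exactly as written (no trimming of values)."""
    return list(csv.DictReader(io.StringIO(text)))


def format_rows(rows):
    """Render non-empty rows the way '| format' does:
    ( ( f="v" AND g="w" ) OR ( f="v" AND g="w" ) ... )."""
    clauses = []
    for row in rows:
        terms = " AND ".join(f'{k}="{v}"' for k, v in row.items())
        clauses.append(f"( {terms} )")
    return "( " + " OR ".join(clauses) + " )"


def row_matches(event, row):
    """One OR-clause matches when every column is present in the event and the
    values agree case-insensitively. Whitespace is compared literally."""
    for k, v in row.items():
        if k not in event or event[k].casefold() != v.casefold():
            return False
    return True


def hosts_not_in_lookups(events, lookups):
    """Simulates ... NOT [| inputlookup a] NOT [| inputlookup b]
    | table src_nt_host | dedup src_nt_host (first occurrence kept)."""
    seen = []
    for ev in events:
        excluded = any(row_matches(ev, row) for rows in lookups for row in rows)
        if not excluded and ev["src_nt_host"] not in seen:
            seen.append(ev["src_nt_host"])
    return seen


def lookup_problems(rows, field="src_nt_host"):
    """Flag the two CSV defects simulated here: missing column, untrimmed values."""
    problems = []
    if rows and field not in rows[0]:
        problems.append(f"column {field!r} missing; found {list(rows[0])}")
    for row in rows:
        v = row.get(field)
        if v is not None and v != v.strip():
            problems.append(f"value {v!r} has surrounding whitespace")
    return problems


if __name__ == "__main__":
    for name, text in [("good", GOOD_LOOKUP_CSV), ("wrong header", WRONG_HEADER_CSV),
                       ("trailing space", TRAILING_SPACE_CSV)]:
        rows = load_lookup(text)
        print(f"--- {name} lookup ---")
        print("format:", format_rows(rows))
        print("problems:", lookup_problems(rows))
        print("hosts not in lookup:", hosts_not_in_lookups(EVENTS, [rows]))
```

Running it shows the good lookup leaving only `NEW-LAPTOP-77`, while either defective lookup lets every workstation through, because the generated `( src_nt_host="..." )` clauses never match an event. That is why the `| format` output is worth reading literally, column names and spaces included, before trusting the exclusion.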

aalhabbash1
Path Finder

Hi DalJeanis;

Thank you for your reply.

I have used the above search but changed

| where NOT [| inputlookup list_kasperSky.csv] AND
NOT [| inputlookup list_not_use_kasperSky.csv]

because it did not work, to:

NOT [inputlookup list_kasper.csv]
NOT [inputlookup list_not_use_kasper.csv]

and when I execute | inputlookup list_kasperSky.csv | head 10 | format you can see the results:

( ( src_nt_host="ABH-QAHTANIMS" ) OR ( src_nt_host="HQR-AALTHAWAD" ) OR ( src_nt_host="HQR-NAFJANMA" ) OR ( src_nt_host="TBK-CAM1" ) OR ( src_nt_host="HQR-ANAZIAB" ) OR ( src_nt_host="HQR-CE2" ) OR ( src_nt_host="DAM-OWAMA" ) OR ( src_nt_host="HQR-AGENT337" ) OR ( src_nt_host="HQR-GALHAZZAN-T" ) OR ( src_nt_host="HQR-HABAHUSSAIN" ) )

The issue is still not resolved.

Please advise me on that.

BR
