Hello All,

Thanks for a great resource for Splunk and searches. I am using the linux_secure sourcetype. I have a search that returns a value if a field (src) is longer than 1. If src is longer than 1, a user has logged in to a host from a "remote" host, aka a host without a Splunk universal forwarder installed. When the user logs off the host with a forwarder, I want my base search to return 0 results, or make the table disappear (using Dashboard Studio). I detect the ssh_open or ssh_close in this search.

Here is the search I am working with:

sourcetype=linux_secure user=*
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| rex "(?P<Status>(?<=session)\s\w+)"
| eval Action=case(Status=" opened","Online",Status=" closed","Off")
| eval Action=if(len(src)>1,"Login from Remote",Action)
| eval Action=if(len(src)=0,"Logged Off",Action)
| sort - Date
| table Date, host,src,Action

My time range is 15 min. In a nutshell, I want "Remote" to show when src is there, and then zero results when the "Off" Action or the src length is 0, etc.

Any suggestions will help,

Thank you very much,
eholz1
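As an added example (not the poster's search), one way to get the "table is empty once the user has logged off" behaviour is to reduce the events to the latest state per user and host and then filter on that state. It assumes that src is only extracted on the sshd "Accepted ..." login events and that the "session closed" event is the last thing logged for a finished session; note that `len(src)=0` never matches a missing field, because eval returns null (not 0) when src is absent, so the filter below uses isnull/isnotnull instead.

```spl
sourcetype=linux_secure user=*
``` Status is " opened" / " closed" from the pam session line ```
| rex "(?P<Status>(?<=session)\s\w+)"
``` A populated src means the login came from a host without a forwarder ```
| eval Action=case(isnotnull(src) AND len(src)>0, "Login from Remote",
                   Status=" opened", "Online",
                   Status=" closed", "Off")
``` Collapse to the most recent event per user/host inside the 15 min window;
    latest(src) carries the remote source forward onto the later "session" events ```
| stats latest(_time) as _time, latest(Action) as Action, latest(src) as src by user, host
``` Drop rows whose latest state is a logoff, and rows with no remote source at all ```
| where Action!="Off" AND isnotnull(src)
| eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| sort - Date
| table Date, host, user, src, Action
```

With no remaining rows the search returns 0 results, which is what Dashboard Studio needs to hide the table; the inline triple-backtick comments are SPL comment syntax and can be removed if your Splunk version does not support them.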