Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About santorof
santorof
Communicator
Member since:
07-29-2015
06-05-2020
Community Statistics
| Posts | 61 |
| Solutions | 1 |
| Karma Given | 4 |
| Karma Received | 8 |
| Member Since | 07-29-2015 |
Activity Feed
- Got Karma for Splunk App for Enterprise Security: How to edit the Threat Intelligience Data Model to include a field within the sourcetype?. 05-01-2024 03:10 AM
- Got Karma for Re: TimeChart multiple Fields. 11-30-2022 08:15 PM
- Got Karma for SSL Certificate Verify Failed. 06-05-2020 12:50 AM
- Got Karma for Re: SSL Certificate Verify Failed. 06-05-2020 12:50 AM
- Got Karma for Re: Monitoring Console(MC) and Clustered Indexers. MC is only seeing indexers on one site meanwhile cluster includes two sites. 06-05-2020 12:49 AM
- Karma Re: Extracting Fields & Regular Expression Formating for richgalloway. 06-05-2020 12:48 AM
- Karma Re: If one indexer of 6 is about to reach capacity in an indexer cluster. will remaining 5 still index? for dxu_splunk. 06-05-2020 12:47 AM
- Karma Re: Regex in search to filter not working for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Regex in search to filter not working for woodcock. 06-05-2020 12:47 AM
- Got Karma for If one indexer of 6 is about to reach capacity in an indexer cluster. will remaining 5 still index?. 06-05-2020 12:47 AM
- Got Karma for Re: TimeChart multiple Fields. 06-05-2020 12:47 AM
- Got Karma for Splunk App for Enterprise Security: How to edit the Threat Intelligience Data Model to include a field within the sourcetype?. 06-05-2020 12:47 AM
- Posted Re: SSL Certificate Verify Failed on All Apps and Add-ons. 07-11-2019 03:53 AM
- Posted Re: SSL Certificate Verify Failed on All Apps and Add-ons. 03-14-2019 05:45 AM
- Posted SSL Certificate Verify Failed on All Apps and Add-ons. 03-12-2019 08:32 AM
- Posted Re: Does Splunk support regex support with look behind and look ahead? on Splunk Search. 02-23-2018 05:05 AM
- Posted Re: Does Splunk support regex support with look behind and look ahead? on Splunk Search. 02-22-2018 08:49 AM
- Posted Re: Does Splunk support regex support with look behind and look ahead? on Splunk Search. 02-22-2018 07:43 AM
- Posted Re: Does Splunk support regex support with look behind and look ahead? on Splunk Search. 02-22-2018 06:23 AM
- Posted Does Splunk support regex support with look behind and look ahead? on Splunk Search. 02-22-2018 05:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-02-2015
05:57 AM
The logic makes sense but Splunk says I have 8 results but nothing being outputted. Just running a basic query against the source type I have the same amount of events in a given period as what the alert is telling me
... View more
11-27-2015
01:23 PM
Not sure if it works. Its saying there are events but no results are being outputted
... View more
11-27-2015
12:06 PM
I am looking to create a unique alert that would look at virus activity. The idea is to get a real time alert in a 60 second window if the field signature is reoccurring across two separate logs that both have different (computer_name) which could signal an outbreak possibly.
signature is the indicator of what type of virus it is and computer_name is the comp name.
This is the general idea: ...| bucket _time span=1m | dedup signature | (Only return results if computer_name has different results) | count >2
I cant seem to figure out a splunk command to only return results if the computer_name field does not have a unique specific name. I know I could utilize != but not sure what command would help me with this.
... View more
- Tags:
- unique-fields
11-27-2015
12:00 PM
So on the timechart there are three lines Allowed Blocked and N/A with N/a being all activity I assume. For each day across the timechart there is only one line that is rising. For example on the 29th of October The blocked lined shows 4 blocked events. If there are 4 blocked events then there should be 4 events on the N/A line as well but I am not seeing it. Also looking further into my data im timecharting there was a day where there was both an allowed and blocked event. The Timechart is only showing the one blocked event
... View more
11-24-2015
05:57 AM
Tried this out and still having the issue of only one of the lines spiking per day. I see blocked activity but no overall activity. Over a 7 day period no two lines rise on the same day.
... View more
11-23-2015
12:02 PM
My sourcetype has a field called action that can be either blocked or notified. In a timechart fashion I want to show the amount of blocked notified and total events associated with my sourcetype. I tried the code you gave me and there are a couple different things that happened. Only the total count of events was produced, the eval function dident occur and the chart is still showing action, and the chart is not a true way to look at trend lines because it does not account for days that have no events. It will only chart days that have events.
... View more
11-23-2015
11:36 AM
Would the chart command work? Then adding in the _time field associated with each line
... View more
11-23-2015
10:35 AM
I renamed sourcetype to account for null. I ran a search against my sourcetype and saw I had 4 events on November 4th but no spikes for the sourcetype and 4 allowed events. It seems that only one spike in one of the eval's per day is allowed through this method.
... View more
11-23-2015
10:16 AM
Tried this and it seems like its doing what I need it do. However its showing me blocked or allowed action during a day where there was no activity according to Null. The null field is the sourcetype I believe .
... View more
11-23-2015
10:13 AM
Tried this and the eval never happens. Its stat'd by the action field. Also the action field showed no events.
... View more
11-23-2015
09:42 AM
I am always trying to make more difficult then they seem haha. I took your advice and did an asset list and Splunk did all the world and correlated the correct information for me per event. Thanks!
... View more
11-23-2015
09:32 AM
I am trying to do a time chart that would show 1 day counts over 30 days comparing the total amount of events to how many events had blocked or allowed associated. The action field is in text and not in integers. It seems like time chart does not like taking a reoccurring count out of a text field broken down by day. I had tried converting the action field into a num by | convert num(action) but I am still getting an error of action being invalid.
| eval action=case(action="blocked","Blocked",action="notified","Allowed") | timechart span=1d
count by sourcetype,action
... View more
11-04-2015
06:39 AM
I am trying to get matching IP address's from my asset list and another device. My source1 does not have a username associated with the IP but my asset list does. I want to match the IP addresses and pull out the username in my asset list. In source1 I have a field called src_ip and in my asset list the field is IP_Address. I want to match the addresses, output one in a table or stats, along with the username pulled from an event matching the ip address from source1. Below is my attempts at trying to do this with no success.
sourcetype=Source1 | eval ip=src_ip | where ip=ip2 | table ip,dest | join ip type=inner [search sourcetype=Source_Assets earliest=-1h | eval ip2=IP_Address | table Username,ip]
sourcetype=Source1 | chart count by src_ip,dest_ip | append [search index=assets sourcetype=Source_Assets | fields Username,IP_Address | chart count by Username]
I get results for the second one but no output.
... View more
10-27-2015
07:06 AM
This is the query im using
index=symantec sourcetype=sep:ids
| bucket _time span=1m | rename dest_ip as Local_Host_IP | rename src_ip as Remote_Host_IP
| stats count latest(_raw) AS LatestEventThisMinute by
Remote_Host_IP,_time | where count > 1
I want to pull out other fields for each grouped event. Since they have the same src ip each event will be pretty much the same in terms of fields. Is it possible to stats by other fields without parsing against them to see if they match the criteria of being the same?
... View more
10-22-2015
10:32 AM
The dedup works. Is there a way to do a count against the total ammount of events found within that 60 second window that was deduped?
... View more
10-15-2015
10:40 AM
Tried it and that transaction command seems to only group up events. It does not filter it out. Also it seems to duplicate events I have because out of the 100 or so results I have There are over 9k rows.
... View more
10-15-2015
07:33 AM
So I tried transaction maxspan=1m and i got 11 events back but almost 9,000 lines of the same events.
... View more
10-15-2015
07:14 AM
I am trying to create a search that would return results through stats. I have a field called src_ip and I only want to see events if there is a match of the src_ip against other events but only matching within a minute window. The logic is I only want to see one event if there is more than one matching src_ip specific to the user in the event within the given 1 minute window. So I tried the dedup command but was not sure if I could dedup the src_ip field within the span of a minute using either the _time field provided by splunk or use a begin_time field that comes from the sourcetype.
| transaction src_ip maxpause=60s
That groups events by the field src_ip and also groups events that are no more than 60 seconds apart. This might work if I could output a single event from the group. But I also don't want to see events that only occur once and dont reoccur more than once per 60 seconds.
... View more
10-07-2015
09:37 AM
2 Karma
So within the Enterprise Security App, there is the built-in threat activity dashboard. One of panels shows your sourcetype(firewall) and all the hits the events off that source type match up with a threat activity. What is not showing here is if the event that matched was blocked or allowed. From the query that was being run, I was able to figure out that it was using the Threat Intelligence data model. Within the firewall source type I have, there is a field called status that has passthrough or accept. When doing a search on index=threat_activity , there is no option here for the status field. I went into the data model of Threat_ Intelligence and searched for the action field using add attribute and saw some fields from my firewall sourcetype, but not status. I added status manually and waited for a refresh and still did not see it coming up.
How can I properly edit this data model to include the specific field action so that I can then edit the query in the threat activity dashboard to filter out blocked events from allowed events?
... View more
09-25-2015
12:34 PM
I did the above but have more questions. The threat list(the-threat-list) does show all the IP's I want to filter out by. So my logic is comparing these ip's in the IP field to a field called IP in my sourcetype firewall for example(checking for hits manually). Would I use the diff command to compare the IP field from the-threat-list to my sourcetype firewall field=IP for any matches? Just not sure how to go about it. I also tried to do the threatlookup command with files that are being pulled down from a url but got no results.
... View more
09-25-2015
05:44 AM
Could you explain to me what the . , forward slash, and $ are for? I have been looking at the regex documentation and cant seem to find anything solid. I would like to know this so I can do a regex to take into account a abc-USERNAME where abc- is what I would want to filter against to not include. In this case abc- is at the begining and the *(everything) would come after
EDIT: I believe I got it. regex user!="abc-.*"
... View more
09-25-2015
05:19 AM
Sorry I did not make it clear. I have a local copy of splunk with no data I use as my test environment. The real data and infrastructure is what I don't want to install the app on. If it was xml or dashboard logic I could extract it from my local version but because its a command I dont believe it will help me with the real data.
... View more
09-24-2015
12:50 PM
Appreciate it thank you. I will take a look.
... View more
09-24-2015
12:29 PM
I read the document but whats not clear is if the time stamp is created when the event hits the bucket or is extracted from the event. This would help me in determining if the data that I ingested was rolled over into frozen from my policy or something else entirely
... View more
09-23-2015
05:15 AM
This worked as well as the suggestion from Wood about regex. Thank you!
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
