Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About packet_hunter
packet_hunter
Contributor
Member since:
01-08-2016
06-05-2020
Community Statistics
| Posts | 328 |
| Solutions | 6 |
| Karma Given | 2 |
| Karma Received | 12 |
| Member Since | 01-08-2016 |
Activity Feed
- Got Karma for is there a way to search who has access to an index?. 03-30-2021 04:37 PM
- Karma Re: Is there any advantage to sending data from universal forwarder to an intermediate heavy forwarder instead of directly to indexers? for gjanders. 06-05-2020 12:49 AM
- Got Karma for Re: What is the most efficient way to correlate fields from different sourcetypes in the same index by an asset_id key. 06-05-2020 12:49 AM
- Got Karma for Re: Best way to send Windows event logs from a Windows 12 server to indexers?. 06-05-2020 12:49 AM
- Got Karma for What index should sysmon data go into and how /where to change the index?. 06-05-2020 12:49 AM
- Got Karma for Re: Universal Forwarders are phoning home but the indexes are not populating. 06-05-2020 12:49 AM
- Karma Re: keep receiving error on two scheduled alerts? for somesoni2. 06-05-2020 12:48 AM
- Got Karma for what is the best addon / app to use with [iplocation] for a geographical visual dashboard?. 06-05-2020 12:48 AM
- Got Karma for How to rename column and row labels after using transpose?. 06-05-2020 12:48 AM
- Got Karma for How to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local ?. 06-05-2020 12:48 AM
- Got Karma for Re: Is there a way to set conditions for an alert to "sendmail" custom messages based on different values of certain fields?. 06-05-2020 12:48 AM
- Got Karma for Re: How to stitch together a session by userid with dissimilar formats. 06-05-2020 12:48 AM
- Got Karma for Re: How to send JSON data (sent via HTTP POST) to a heavy forwarder?. 06-05-2020 12:48 AM
- Got Karma for Re: Best way to check email logs for recipients that are on a list. 06-05-2020 12:47 AM
- Posted Re: How to update indexes.conf files on unclustered production indexers? on Getting Data In. 10-24-2017 09:26 AM
- Posted Re: How to update indexes.conf files on unclustered production indexers? on Getting Data In. 10-24-2017 07:59 AM
- Posted How to update indexes.conf files on unclustered production indexers? on Getting Data In. 10-24-2017 07:28 AM
- Posted Re: Is there any advantage to sending data from universal forwarder to an intermediate heavy forwarder instead of directly to indexers? on Getting Data In. 10-24-2017 07:17 AM
- Posted Re: Is there any advantage to sending data from universal forwarder to an intermediate heavy forwarder instead of directly to indexers? on Getting Data In. 10-24-2017 07:17 AM
- Posted Re: What index should sysmon data go into and how /where to change the index? on All Apps and Add-ons. 10-23-2017 12:07 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-11-2017
08:26 AM
Thank you both for your comments.
Yes in a 24hr period I have about 200 million security events.
Now -dumping the highest count and looking for the specific event codes of interest is an option I have considered, but there are times we need to see the totals of all codes within that day. Like if 10,000 4624 or 4625 from a specific security_id in an hour, then there is something worth looking at...
FYI, the index is dedicated but does contain application events, system events, as well as Security events. The majority of events are Security events. I probably would have set this up differently but I have to deal with what is in place.
@DalJeanis would you mind sharing a tstats example I might use for this scenario, I will concurrently try my hand at the syntax
I see counts of events with
|tstats count where index=wineventlog by sourcetype
Just having trouble grabbing the EventCode field values....
Thank you
... View more
03-11-2017
08:01 AM
Thank you for these steps. I will look into it.
... View more
03-10-2017
06:39 PM
Doing some long-tail analysis and I am running in Fast Mode but the query for 24 hours is taking a long time.
Please let me know if there is a way to speed this up. Not that familiar with TSTATS but if there is an option, please let me know.
index=wineventlog sourcetype="WinEventLog" |stats count by EventCode TaskCategory | where count<10 |sort count
Thanks
... View more
03-09-2017
12:49 PM
thanks very helpful
... View more
03-09-2017
12:23 PM
yes thank you for "search", I was using "where" and got stuck.
I got it to work with ... | where duration > "00:00:00", quotes were needed as it was a string... I believe
I posted the entire search above... probably could be cleaned up
thanks again
... View more
03-09-2017
11:57 AM
index=wineventlog sourcetype=WinEventLog
Security_ID="some_Name_ID" (EventCode=4624 OR EventCode=4634)
|sort Logon_ID
| stats
latest(eval(if(EventCode=4624,_time, null()))) as logon_time,
latest(eval(if(EventCode=4634,_time,null()))) as logoff_time,
latest(eval(if(EventCode=4624,Source_Network_Address, null()))) as Src_Network_Address,
latest(eval(if(EventCode=4624,Logon_GUID, null()))) as LgnGUID,
by Logon_ID
| eval logoff_time = if(logoff_time<logon_time OR isnull(logoff_time), "Session in Progress",logoff_time)
| eval logon_time = if(isnull(logon_time),"Logon time out of range", logon_time)
| eval duration=tostring(logoff_time-logon_time,"duration")
| eval logon_time=if(isint(logon_time),strftime(logon_time, "%b %d, %I:%M %p"), logon_time)
| eval logoff_time=if(isint(logoff_time),strftime(logoff_time, "%b %d, %I:%M %p"),logoff_time)
| where duration>"00:01:00" OR isnull(duration)
... View more
03-09-2017
11:37 AM
actually in this case the "where" syntax did not work... but search did, just fyi
... View more
03-09-2017
11:02 AM
I have a search that calculates a time duration for windows events logon and logout.
....| eval duration=tostring(logoff_time-logon_time,"duration")
I get a lot of time values for duration which is 00:00:00 and I would like to drop / remove from the results.
What is the best way to remove those values?
... View more
03-07-2017
01:56 PM
the scheduled alerts usually produce 1 result per the time window so in that case (without transpose) there would be 1 row with 10 fields for a malware-Obj
OR
there would be 1 row with 5 fields for a malware-CB
I hope that makes sense
... View more
03-07-2017
01:36 PM
the results the alert look like this in an email
Details occurrence1
Occurred 2017-1-11 14:56:32+00
Alert malware-callback
SourceIP 192.168.2.1
Hostname thiscomputer.company.com
or
Details occurrence1
Recp somename@domain.tld
Occurred 2017-02-23 08:39:41+00
Attachment-or-Link malicious.doc
Alert malware-object
Applicance USA-emailscan-01
Subj
Basically this is the format of the email alerts, I am not able to get the spacing right, but there would be two columns here
... View more
03-07-2017
01:20 PM
I do transpose for readability in the email only, otherwise it becomes hard to read
I will send the results shortly
... View more
03-07-2017
12:49 PM
you are correct, the "Appliance" field is not populating... any ideas for a work around?
... View more
03-07-2017
12:45 PM
Thank you, I will give that a try. I will open another thread for my alert recipients question
... View more
03-07-2017
12:34 PM
I have a scheduled alert that I need to send to different recipients with different messages depending on the search results, the following is the basic search...
index=secApp sourcetype=secApp_json "malware_CB" OR "malware_Obj"
|rename alert.occurred as Occurred
|stats
values(alert.name) as Alert
values(alert.src.ip) as SourceIP
values(alert.dst.smtp-to) as Recp
values(alert.src.host) as Hostname
values(alert.src.url) as Attachment-or-Link
values(appliance) as Appliance
values(alert.smtp-message.subject) as Subj
values(alert.src.smtp-mail-from) as Sender
values(alert.smtp-message.id) as Msg_ID
values(alert.smtp-message.smtp-header) as Header
by Occurred
|transpose
|rename column as Details, row* as occurrence*
Now I would like to add a token for alert recipient and a token for alert message... the following is code I crafted for the alert_msg
|eval alert_Msg = case (Appliance = USA-emailscan-01, "msg1",
Appliance = UK-emailscan-01, "msg2",
Appliance = USA-netscan-01, "msg3",
Appliance = UK-netscan-01, "msg4")
is it possible to use a lookup to populate the message content? instead of adding the message text directly in the eval statement?
Thank you
... View more
02-20-2017
03:00 PM
Its gotta be correct per your logic, its just hard to verify because I have so many fwdrs.
... View more
02-20-2017
02:35 PM
Actually, looks like something is still not quite right with the conversion. But | timechart span=1d is getting me closer.
Thank you
... View more
02-20-2017
02:26 PM
Yes I see Somesoni's reply. Thank you for your comments, and my code was completely off, but you have highlighted some concepts I need to keep in mind. Thank you.
... View more
02-20-2017
02:17 PM
Thank you, I believe you got it.
... View more
02-20-2017
01:44 PM
I am searching the _internal index to find out how much data a universal forward is sending per day.
Here is my code (taken from settings>Monitor Console> Forwarders: Instance "Outgoing Data Rate" dashboard)
`dmc_get_forwarder_tcpin` hostname=SomeNAME
| `dmc_timechart_for_metrics_log` sum(eval(tcp_KBps)) as "KB/s", max(tcp_eps) as "Events/s"
Does anyone know the correct syntax to convert this to GB/day?
This is my attempt below, is this correct and accurate? I don't think so... looks like I need to sum all the data.
`dmc_get_forwarder_tcpin` hostname=SomeName
| `dmc_timechart_for_metrics_log` max(eval(tcp_KBps/1024/1024/60/60/24)) as "GB/day", max(tcp_eps) as "Events/s"
Thanks
... View more
02-20-2017
12:55 PM
Not sure if you are still looking at this... but in my splunk DMC instance, under settings>monitor console> Forwarders: Instance, I can see the KB/s data rate per universal forwarder, however I cannot see a GB/day volume anywhere.
Do you have some search syntax to convert KB/S to GB/day volume? Or is there another report somewhere?
Thank you
... View more
02-14-2017
01:51 PM
Thank you Lisa!!!
... View more
02-09-2017
03:58 PM
Thank you!
... View more
02-09-2017
02:32 PM
1 Karma
is there a way to search who has access to an index without having to dig thru the access controls, roles and users?
Thank you
... View more
02-09-2017
01:31 PM
I am working on a matrix of data sources for my splunk deployment.
I need to map my data sources -collection method (for example firewalls, DC(s), servers and other appliances) from forwarders or syslog or other log feeds.
Many of the data sources were setup prior to my involvement.
How would one take on the is challenge and no - forwarder monitoring is not enabled.
Thank you
... View more
