Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About UMDTERPS
UMDTERPS
Communicator
Member since:
01-23-2019
06-17-2021
Community Statistics
| Posts | 89 |
| Solutions | 4 |
| Karma Given | 20 |
| Karma Received | 2 |
| Member Since | 01-23-2019 |
Activity Feed
- Karma Re: How normalize field values that have slightly different field values? Regex? Match? Replace? for ITWhisperer. 06-10-2021 11:52 AM
- Karma Re: How normalize field values that have slightly different field values? Regex? Match? Replace? for ITWhisperer. 06-10-2021 11:52 AM
- Posted Re: How normalize field values that have slightly different field values? Regex? Match? Replace? on Splunk Search. 06-10-2021 11:51 AM
- Posted Re: How normalize field values that have slightly different field values? Regex? Match? Replace? on Splunk Search. 06-10-2021 07:53 AM
- Posted Re: How normalize field values that have slightly different field values? Regex? Match? Replace? on Splunk Search. 06-09-2021 03:39 PM
- Posted How normalize field values that have slightly different field values? Regex? Match? Replace? on Splunk Search. 06-09-2021 02:03 PM
- Tagged How normalize field values that have slightly different field values? Regex? Match? Replace? on Splunk Search. 06-09-2021 02:03 PM
- Tagged How normalize field values that have slightly different field values? Regex? Match? Replace? on Splunk Search. 06-09-2021 02:03 PM
- Posted How do you hide panel based on certain fields from a dropdown on Dashboards & Visualizations. 05-27-2021 07:17 AM
- Posted Re: Join and appendcols returns results, but not giving the desired results on Splunk Search. 03-30-2021 11:07 AM
- Posted Join and appendcols returns results, but not giving the desired results on Splunk Search. 03-30-2021 08:46 AM
- Posted Re: How to combine two searches in one search? on Splunk Search. 03-30-2021 07:31 AM
- Posted How to combine two searches in one search? on Splunk Search. 03-19-2021 08:34 AM
- Posted Re: Drilldown not working, even when using <![CDATA]]> on Splunk Search. 03-17-2021 09:41 AM
- Posted Re: Drilldown not working, even when using <![CDATA]]> on Splunk Search. 03-08-2021 02:53 PM
- Karma Re: Drilldown not working, even when using <![CDATA]]> for richgalloway. 03-08-2021 02:53 PM
- Posted Re: Drilldown not working, even when using <![CDATA]]> on Splunk Search. 03-05-2021 02:11 PM
- Posted Drilldown not working, even when using <![CDATA]]> on Splunk Search. 03-05-2021 12:54 PM
- Karma Re: How to pull latest scan data with full EST date/time? for richgalloway. 03-04-2021 12:22 PM
- Posted Re: How to pull latest scan data with full EST date/time? on Splunk Search. 03-04-2021 07:54 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-15-2020
11:48 AM
System OS
ABC Windows-Server-2016
ABC Windows-10-Enterprise
ABC Mac-OSX
DEF Windows Server-2016
DEF Windows Server-2012
DEF Red Hat v8.2
Above is a little generic data that is in a CSV/lookup, there is a "System" and "OS" field. I have one drop-down that filters by a system that works by dynamically populating. I want to add another drop-down that is static, that filters by server/non-server:
Windows-10-Enterprise, OSX, etc would be "Non-Server"
Red Hat v8.2, WIndows Server-2012, Windows Server-2016, etc would be "Server".
* would be for all OS
I tried adding these as static options, but I can't seem to get it to work. Only "*" works for an all option.
Any ideas?
... View more
02-24-2020
08:51 AM
| inputlookup scanner_visibility.csv
| lookup visibility_blue.csv Acronym AS application local=t OUTPUTNEW "Risk Score"
| lookup server_dump.csv Acronym AS application local=t OUTPUTNEW "Authorization Removal Date"
| rename norton_assets as norton
| lookup servertypes_scanner_weights.csv servertype OUTPUTNEW norton_weight nexpose_weight nessus_weight metasploit_weight
openvas_weight nexpose_weight
| eval norton = if(like(norton, "%2019") AND relative_time(now(), "-30d@d") < strptime(norton,"%m/%d/%Y"), norton_weight, 0)
| eval nessus = if(like(nessus, "%2019") AND relative_time(now(), "-30d@d") < strptime(nessus,"%m/%d/%Y"), nessus_weight, 0)
| eval metasploit = if(like(metasploit, "%2019") AND relative_time(now(), "-30d@d") < strptime(metasploit,"%m/%d/%Y"), metasploit_weight,0)
| eval nexpose = if(like(nexpose, "%2019") AND relative_time(now(), "-30d@d") < strptime(nexpose,"%m/%d/%Y"), nexpose_weight, 0)
|eventstats count(ip) as total
sum(norton) as norton_points
sum(nessus) as nessus_points
sum(meteasploit) as metasploit_points
sum(nexpose) as nexpose_points
count(eval(found="Yes")) as found_yes by system
sum(norton_weight) as norton_points_possible
sum(nessus_weight) as nessus_points_possible
sum(metasploit_weight) as metasploit_points_possible
sum(nexpose_weight) as nexpose_points_possible
| eval norton_score = round (((norton_points / norton_points_possible)*100), 2)
| eval nessus_score = round (((nessus_points / nessus_points_possible)*100), 2)
| eval metasploit_score = round (((metasploit_points / metespliot_points_possible)*100), 2)
| eval nexpose_score = round (((nexpose_points /nexpose_points_possible)*100), 2)
| dedup system
| eval date = strftime(now(), "%m/%d/%Y")
| eval _time = strptime(date, "%m/%d/%Y")
| fields _time date norton_score nessus_score metasploit_score nexpose_score
So, I did some re-configuring by adding the "sum" of the count of systems that have a "_weight" or "0" and add the "sum" of the "_weights." Then divide the total of systems that have a weight by the "sum" of the "_weights."
This appears to work =0)
... View more
02-24-2020
07:56 AM
Sorry, I was away and thought this question was dead. When I get the IP list csv, I will try this today.
First question, We use Excel spreadsheet formatted as a CSV, does that affect the first step? Can a Excel spreadsheet formatted as a CSV be used instead of formatting a file with commas?
Second Question, If you have hundreds of CIDR notations, would have every CIDR block out in your SPL (Final SPL)???
Thanks! =0)
... View more
02-20-2020
01:09 PM
| inputlookup scanner_visibility.csv
| lookup visibility_blue.csv Acronym AS application local=t OUTPUTNEW "Risk Score"
| lookup server_dump.csv Acronym AS application local=t OUTPUTNEW "Authorization Removal Date"
| rename norton_assets as norton
| lookup servertypes_scanner_weights.csv servertype OUTPUTNEW norton_weight nessus_weight metasploit_weight nexpose_weight
| eval norton = if(like(norton, "%2019") AND relative_time(now(), "-30d@d") < strptime(norton,"%m/%d/%Y"), norton_weight, 0)
| eval nessus = if(like(nessus, "%2019") AND relative_time(now(), "-30d@d") < strptime(nessus,"%m/%d/%Y"), nessus_weight, 0)
| eval metasploit = if(like(metasploit, "%2019") AND relative_time(now(), "-30d@d") < strptime(metasploit,"%m/%d/%Y"), metasploit_weight,0)
| eval nexpose = if(like(nexpose, "%2019") AND relative_time(now(), "-30d@d") < strptime(nexpose,"%m/%d/%Y"), nexpose_weight, 0)
|eventstats count(ip) as total
sum(norton) as norton_count
sum(nessus) as nessus_count
sum(meteasploit) as metasploit_count
sum(nexpose) as nexpose_count
| eval norton_score = round (((norton_count / total)*100), 2)
| eval nessus_score = round (((nessus_count / total)*100), 2)
| eval metasploit_score = round (((metasploit_count / total)*100), 2)
| eval nexpose_score = round (((nexpose_count / total)*100), 2)
| eval date = strftime(now(), "%m/%d/%Y")
| eval _time = strptime(date, "%m/%d/%Y")
| fields _time date norton_score nessus_score metasploit_score nexpose_score
Above, is two abbreviated/dummy data CSV’s (visibility and scoring) and SPL that generates a risk score based on its visibility and scoring CSV’s. The code and everything works, however we want to get more accurate scores. If you look at the visibility CSV it has dates on when a particular system was seen by scanner and the servertypes_scanner_weights.csv will give it a weight. Those weights are then added up using “sum” and then divided by the total to get a % score. The issue is, some of our system devices cannot be seen by a few of the scanners. For example, the Cisco_ASA and Juniper_Switch cannot be seen by Meteasploit and Nexpose scanners, so they don’t get weights for those scanners and we increase the weights for the scanners that can see those two devices.
Any ideas in SPL how to exclude systems that can’t be seen by Metasploit and Nexpose scanners so they are not counted in the "sum" of the final score for each scanner?
... View more
02-12-2020
06:08 AM
Hey @to4kawa
When I copy paste into Splunk answers, it does not keep the formatting (if I try changing it, and hit submit -it changes again). I thought it would b easier to understand that way.
Cheers
... View more
02-12-2020
06:06 AM
Your Answer works! Thank you! =0)
A programmer at work said an easier way might be this ( I will mark your answer correct):
|inputlookup Nessus.csv
|eval Date = strptime(Date, "%m/%d/%Y")
| search Status="Ongoing"
| chart count by Date System
| eval Date = strftime(Date, "%m/%d/%Y")
... View more
02-11-2020
09:20 AM
I've been plugging away at this for a few days and I'm stuck =0(
Above is a lookup csv (insert dummy data) I have from Nessus. I am trying to use Splunk to create totals of vulnerability severity levels in two separate tables, one by organization and another by system.
Below is what I want to do, any ideas how to do this?
Lastly, I’m trying to use the newly created tables and make two time graphs on vulnerability severity level totals by organization/date and another graph by system/date. Scans are run everyday, so inevitability the totals will change over time, which is what I'm trying to capture with the time-charts.
Any ideas? Thanks!
... View more
02-05-2020
01:22 PM
We have a CSV with a field called application and another called IP. Within the field ip there are ip addresses and some ip addresses with CIDR notation. We have hundreds of field entries for applications and IP, below is smaller dummy data version of the list:
Application IP
sec_system 192.168.4.0/26
sec_system 192.168.1.0/25
sec_system 192.168.2.0/24
sec_system 192.168.3.0/24
internal_system 192.168.2.5
internal_system 192.168.3.50
internal_system 192.168.4.32
internal_system 192.168.1.4
win_system 192.168.1.50
win_system 192.168.1.3
Is there a way to match applcations/ips, with applications/ips with CIDR notations? (I've seen some people say you need to use the tranforms.conf or props.conf file, I can't use that file because I don't have access to it)
... View more
01-30-2020
09:29 AM
I think the union command can be used too?:
| union maxout=10000000
[ search index=union_1 | head 60000]
[ search index=union_1 | tail 40000]
https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Union
... View more
01-29-2020
02:14 PM
I think this would work too! =0)
Thanks!
... View more
01-29-2020
02:13 PM
Okay, figured it out:
|inputlookup ip_dump.csv
| streamstats count("IP Address") as row_number
| where row_number <= 50000
| append [
|inputlookup ip_dump.csv
| streamstats count("IP Address") as row_number
| where row_number > 50000]
... View more
01-29-2020
12:38 PM
I am looking to run two searches on a CSV, one that looks at the first 35,000 results and another that looks at the last 35,000 results. The easiest way to solve the problem would be to increase the subsearch limit to 100,000, however, the admin is refusing to do so. Another way would be to chop the CSV in half and run the same search twice.
Is there a command or search in Splunk that can look at the first 35,000 results and another that looks at the last 35,000 results of a lookup?
Would using head and tail be the best way? (however, the total results may change every day/week)
Thanks!
... View more
12-31-2019
01:30 PM
That works! Thanks! =0)
I see that strptime returns NULL for all malformed values. NULL compared to any number returns false from your eval statement. That's why we used the "If(like)" statement, because we were not sure.
... View more
12-31-2019
11:03 AM
| eval nessus = if(like(nessus, "%2019") AND relative_time(now(), "-30d@d") < strptime(nessus,"%m/%d/%Y"), 1, 0)
Above is my current IF statement I use on a daily report. The IF statement looks at the nessus field that has time, checks for 2019 (but within 30days), and gives the the field nessus a 1 if it finds a date less than 30 days (or 0 when it's more than 30 days). BUT the only problem is it only looks at 2019. I can change it to 2020, but the scan results will be zero because there won't be any scans immediately in 2020 (tomorrow). Many of my current dashboard panels will be blank tomorrow if I change it to 2020.
Is there a way to change my IF statement SPL from "2019" to something I don't have to keep changing at the end of the year? (something that will look at 2019, 2020, 2021, etc)
Thanks!
... View more
12-31-2019
09:08 AM
Hi! Sorry for the late reply, I was out. I tried the following code:
| inputlookup scanner_visbility.csv
| eventstats count(eval(ip)) as total
count(eval(norton="1")) as norton_count
count(eval(tanium="1")) as tanium_count
count(eval(nessus="1")) as nessus_count
count(eval(metasploit="1")) as metasploit_count
count(eval(openvas="1")) as oprnvas_count
count(eval(nexpose="1")) as nexpose_count
| lookup servertypes_scanner_weights.csv servertype
| eval visibility = 0
| foreach count [ eval visibility = visibility + (<>_weight * 100 * <> / total) | fields - <> ]
| eval visibility = round(visibility, 2)
| fields visibility
It only shows the application name, not the visibility score.
application visibility
HHS_System
PPH_System
The solution I provided a few replies above does work, but I'm always looking for more efficient SPL.
... View more
12-20-2019
09:26 AM
| inputlookup scanner_visibility.csv
| lookup visibility_blue.csv Acronym AS application local=t OUTPUTNEW "Risk Score"
| lookup server_dump.csv Acronym AS application local=t OUTPUTNEW "Authorization Removal Date"
| rename norton_assets as norton
| lookup servertypes_scanner_weights.csv servertype OUTPUTNEW norton_weight tanium_weight nessus_weight metasploit_weight
openvas_weight nexpose_weight
| eval norton = if(like(norton, "%2019") AND relative_time(now(), "-30d@d") < strptime(norton,"%m/%d/%Y"), norton_weight, 0)
| eval tanium = if(like(tanium, "%2019") AND relative_time(now(), "-30d@d") < strptime(tanium,"%m/%d/%Y"), tanium_weight, 0)
| eval nessus = if(like(nessus, "%2019") AND relative_time(now(), "-30d@d") < strptime(nessus,"%m/%d/%Y"), nessus_weight, 0)
| eval metasploit = if(like(metasploit, "%2019") AND relative_time(now(), "-30d@d") < strptime(metasploit,"%m/%d/%Y"), metasploit_weight,0)
| eval openas = if(like(openvas, "%2019") AND relative_time(now(), "-30d@d") < strptime(openvas,"%m/%d/%Y"), openvas_weight, 0)
| eval nexpose = if(like(nexpose, "%2019") AND relative_time(now(), "-30d@d") < strptime(nexpose,"%m/%d/%Y"), nexpose_weight, 0)
|eventstats count(ip) as total
sum(norton) as norton_count
sum(tanium) as tanium_count
sum(nessus) as nessus_count
sum(meteasploit) as metasploit_count
sum(openvas) as openvas_count
sum(nexpose) as nexpose_count
count(eval(found="Yes")) as found_yes by system
| eval norton_score = round (((norton_count / total)*100), 2)
| eval tanium_score = round (((tanium_count / total)*100), 2)
| eval nessus_score = round (((nessus_count / total)*100), 2)
| eval metasploit_score = round (((metasploit_count / total)*100), 2)
| eval openvas_score = round (((openvas_count / total)*100), 2)
| eval nexpose_score = round (((nexpose_count / total)*100), 2)
| dedup system
| eval final_result = norton_score + tanium_score + nessus_score + metasploit_score + openvas_score + nexpose_score
| rename final_result as visbility
| fields system total visibility norton_count norton_score
I got with a programmer at work and he suggested to use an "| lookup" to loop over the weights in the servertypes_scanner_weights.csv and OUTPUT them as new fields. With that we reworked the "count"s as "sum"s and brought back the "eval" statements without the scoring. It worked!
| fields system total visibility norton_count norton_score
HHS_System 3 100% 3 100%
PPH_System 6 77% 3 100%
I know the above is true because I verified it manually. Thanks for the the help! =0)
... View more
12-17-2019
05:55 AM
The search runs with no errors, however the search does not return a visibility percentage, it's just blank.
Example:
| fields application servertype ip visibility
HHS_System workstation 192.168.1.50
HHS_System server 192.168.1.55
PPH_System workstation 192.168.2.50
PPH_System server 192.168.2.51
PPH_System router 192.168.1.1
Any ideas? =0(
... View more
12-16-2019
12:46 PM
1 Karma
1. | inputlookup scanner_visibility.csv
2. | lookup visibility_blue.csv Acronym AS application local=t OUTPUTNEW "Risk Score"
3. | lookup server_dump.csv Acronym AS application local=t OUTPUTNEW "Authorization Removal Date"
4. | rename norton_assets as norton
5. | eval norton = if(like(norton, "%2019") AND relative_time(now(), "-30d@d") < strptime(norton,"%m/%d/%Y"), 1, 0)
6. | eval tanium = if(like(tanium, "%2019") AND relative_time(now(), "-30d@d") < strptime(tanium,"%m/%d/%Y"), 1, 0)
7. | eval nessus = if(like(nessus, "%2019") AND relative_time(now(), "-30d@d") < strptime(nessus,"%m/%d/%Y"), 1, 0)
8. | eval metasploit = if(like(metasploit, "%2019") AND relative_time(now(), "-30d@d") < strptime(metasploit,"%m/%d/%Y"), 1, 0)
9. | eval openas = if(like(openvas, "%2019") AND relative_time(now(), "-30d@d") < strptime(openvas,"%m/%d/%Y"), 1, 0)
10. | eval nexpose = if(like(nexpose, "%2019") AND relative_time(now(), "-30d@d") < strptime(nexpose,"%m/%d/%Y"), 1, 0)
11. count(eval(norton="1")) as norton_count
12. count(eval(tanium="1")) as tanium_count
13. count(eval(nessus="1")) as nessus_count
14. count(eval(metasploit="1")) as metasploit_count
15. count(eval(openvas="1")) as oprnvas_count
16. count(eval(nexpose="1")) as nexpose_count
17. | lookup servertypes_scanner_weights.csv servertype
18. | eval visibility = 0
19. | foreach *_count [ eval visibility = visibility + (<<MATCHSEG>>_weight * 100 * <<FIELD>> / total) | fields - <<MATCHSEG>>_* ]
20. | eval visibility = round(visibility, 2)
21. | fields visibility
The code with the time I added looks at fields less than 30 days old ( it shouldn't affect the scoring). I am getting the following error:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '<<MATCHSEG>>_weight * 100 * field / total)'.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
... View more
12-16-2019
09:15 AM
Hello,
Currently we have a scoring for our systems that counts each server, router, switch, firewall, workstation, etc on an equal playing field. We count norton as 40% (.40), tanium 25% (.25), nessus 10% (.10), openvas 5% (.05), and nexpose 10% (.10).
The scoring system SPL that works is something similar to below:
`comment("1 means that the device was found by a scanner in | inputlookup scanner_visbility.csv")`
| inputlookup scanner_visbility.csv
| eventstats count(eval(ip)) as total
count(eval(norton="1")) as norton_count
count(eval(tanium="1")) as tanium_count
count(eval(nessus="1")) as nessus_count
count(eval(metasploit="1")) as metasploit_count
count(eval(openvas="1")) as oprnvas_count
count(eval(nexpose="1")) as nexpose_count
| eval norton_result = round((((norton_count / total) * 100) * 0.40),2)
| eval tanium_result = round((((tanium_count / total) * 100) * 0.25),2)
| eval nessus_result = round((((nessus_count / total) * 100) * 0.10),2)
| eval metaspoit_result = round((((metasploit_count / total) * 100) * 0.10),2)
| eval openvas_result = round((((openvas_count / total) * 100) * 0.05),2)
| eval nexpose_result = round((((nexpose_count / total) * 100) * 0.10),2)
| eval visibility = norton_result + tanium_result + nessus_result + metasploit_result + openvas_result + nexpose_result
| fields visibility
What we want to do with the above code is to count each network device on a different scoring scale. For Example, for routers we want ONLY count Nessus, Metasploit, and Nexpose. We want to assign Nessus as 40%, Metasploit as 40%, and Nexpose as 10%.
How would I go about assigning a different scoring scale for certain devices?
... View more
10-23-2019
10:15 AM
Ahh, I see. The Splunk documentation needs to be more clear.
... View more
10-23-2019
06:09 AM
I am looking through the documentation on Splunk about trendlines and sma | ema | wma. In the documentation, it says you must pick an integer between 2 and 1000:
https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/Trendline
| trendline sma2(muffins) as trend
The documentation doesn't say what the period means, but you have to pick a number between 2 and 1000. I assuming "2" is one day, "3" is two days???
... View more
07-11-2019
08:05 AM
Also, this works slighly better because it has less XML? (The token is not set and unset again like my first example)
<panel depends="$panel_show3$">
<progress>
<condition match="'job.resultCount' > 0">
<set token="panel_show3">true</set>
</condition>
<condition>
<unset token="panel_show3"></unset>
</condition>
</progress>
... View more
07-11-2019
07:20 AM
It appears progress works, however what is the difference between the "progress" and "done" tag?
... View more
07-11-2019
07:18 AM
That works, THANKS1 😃
... View more
07-10-2019
08:20 AM
I am trying to hide panels that say, "No results found."
About a half dozen threads on Splunk Answers mention the below code to hide panels:
<panel depends="$panel_show$">
<condition match="'job.resultCount' > 0">
<set token="panel_show">true</set>
<unset token="panel_hide"></unset>
</condition>
<condition>
<set token="panel_hide">true</set>
<unset token="panel_show"></unset>
</condition>
</progress>
The issue is, the above XML hides any panel regardless of what it returns. Others in the half a dozen Splunk Answers threads mention the same issue. I created a simple dashboard to test the code:
<dashboard>
<label>Hide dashboard test</label>
<row>
<panel depends="$panel_show$">
<title>This panel has results</title>
<table>
<search>
<query>| makeresults
| eval a=1
| table a</query>
<earliest>0</earliest>
<latest></latest>
<progress>
<condition match="'job.resultCount' > 0">
<set token="panel_show">true</set>
<unset token="panel_hide"></unset>
</condition>
<condition>
<set token="panel_hide">true</set>
<unset token="panel_show"></unset>
</condition>
</progress>
</search>
<option name="drilldown">none</option>
</table>
</panel>
<panel depends="$panel_show$">
<title>This panel has "No results found"</title>
<table>
<search>
<query>| makeresults
| eval a=a+1
| table a</query>
<earliest>0</earliest>
<latest></latest>
<progress>
<condition match="'job.resultCount' > 0">
<set token="panel_show">true</set>
<unset token="panel_hide"></unset>
</condition>
<condition>
<set token="panel_hide">true</set>
<unset token="panel_show"></unset>
</condition>
</progress>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</dashboard>
I also tried the code on clones of production dashboards and got the same results as well, all panels hide regardless of what it returns.
Has anyone figured this out? =(
Thanks!
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-17-2021
02:46 PM
|
Karma given to
