Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About utsav45
utsav45
Explorer
Member since:
10-02-2018
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 10-02-2018 |
Activity Feed
- Posted Re: how to create bucket over a period of 3 days? on Deployment Architecture. 10-30-2018 07:06 PM
- Posted Re: how to create bucket over a period of 3 days? on Deployment Architecture. 10-30-2018 05:10 PM
- Posted how to create bucket over a period of 3 days? on Deployment Architecture. 10-29-2018 09:54 PM
- Tagged how to create bucket over a period of 3 days? on Deployment Architecture. 10-29-2018 09:54 PM
- Posted Re: How to whitelist combination of fields using lookup table? on Getting Data In. 10-14-2018 05:42 PM
- Posted Re: How to whitelist combination of fields using lookup table? on Getting Data In. 10-08-2018 07:18 PM
- Posted How to whitelist combination of fields using lookup table? on Getting Data In. 10-04-2018 06:46 PM
- Tagged How to whitelist combination of fields using lookup table? on Getting Data In. 10-04-2018 06:46 PM
- Posted Re: Windows password reset/creation: Will you help me create a search that returns Event "A" and NOT Event "B" within a given period of time? on Splunk Search. 10-04-2018 04:06 PM
- Posted Re: Windows password reset/creation: Will you help me create a search that returns Event "A" and NOT Event "B" within a given period of time? on Splunk Search. 10-02-2018 06:01 PM
- Posted Windows password reset/creation: Will you help me create a search that returns Event "A" and NOT Event "B" within a given period of time? on Splunk Search. 10-02-2018 04:20 PM
- Tagged Windows password reset/creation: Will you help me create a search that returns Event "A" and NOT Event "B" within a given period of time? on Splunk Search. 10-02-2018 04:20 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
10-30-2018
07:06 PM
Below query seems to be giving me answer nearly what we after
index=proxy logs url=* category="malware" | bucket _time span=24h | stats count by _time,user
Results are something like this when I run for 2 days:
_time user count
2018-10-24 10:00 A 1
2018-10-24 10:00 B 11
2018-10-24 10:00 C 3
2018-10-25 10:00 A 1
2018-10-25 10:00 D 9
2018-10-25 10:00 E 10
Now, as we can see that user A has appeared twice in the search, is there a way to display the results only for user A and filter out rest?
Thanks
... View more
10-30-2018
05:10 PM
Thanks for your reply.
Not sure if I aksed question correctly. Our aim is to get 3 bins when we execute splunk search and if it matches the criteria.
Cheers.
... View more
10-29-2018
09:54 PM
Hello Folks,
We're trying to set up an alert for user contacting malware websites constantly. For eg user A attempts to access "malware" category website on day 1, day 2 and day 3, if it has happened on all 3 days then should be flagged.
Base search:
index=proxy url=* category="malware"
Tried to add below after the base seach but doesn't seem to be creating 3 buckets.
| bin _time bins=3 | stats count by _time
Any help or pointers?
Thanks in advance!!
... View more
- Tags:
- splunk-cloud
10-14-2018
05:42 PM
Thanks Mate,
I had to add lookup definitions for newly created lookup table. After which I was able to achieve the requirement using the query you suggested.
Thanks heaps!!
... View more
10-08-2018
07:18 PM
Hi Mate,
Thanks for your reply.
I tried to use lookup command instead of inputlookup and surprisingly it gives me an error "Error in 'lookup' command: Lookups: The lookup table 'utsavtest.csv' does not exist or is not available."
When I try to use the same lookup table using inputlookup command (the one I mentioned previously) then it doesn't provide the error.
I believe permissions should work the same for both the commands. Not sure
I've attached screenshots of lookup table, error while running splunk search and lookup table permissions on below one drive URL.
Thanks
... View more
10-04-2018
06:46 PM
Hello Experts,
We've got an alert which gets triggered if service is installed on the windows host.
index=winevents sourcetype="WinEventLog:System" EventCode=7045
We want to whitelist combination of service and host. For example if service A is installed on host A then it should be fine. Eventually, list of host-service would grow so we would like to use lookup table.
We have whitelisted single field (src in below example) by creating the lookup table and adding below line in the condition and it works perfectly alright.
| join type=left src [ | inputlookup whitelist.csv | search search_name=my search name exclusion_field=src | rename exclusion_value AS src | eval whitelisted="true"]
| where NOT whitelisted="true"
I tried adding multiple fields in above line but doesn't seem to be working.
What is the best way to address the requirement?
Thanks
... View more
- Tags:
- splunk-cloud
10-04-2018
04:06 PM
Hi @vupham,
Yeah that makes sense. I will definitely consider your suggestion.
Thanks a lot.
... View more
10-02-2018
06:01 PM
I believe below query seems to be serving my purpose. Can someone please validate if it's as per best practice and not resource intensive?
index=winevents sourcetype="WinEventLog:Security" EventCode=4724 OR EventCode=627 OR EventCode=628 OR EventCode=4723 user="_s*" NOT [search sourcetype="WinEventLog:Security" EventCode=4720 OR EventCode=624 user="_s*" | fields user]
Thanks
... View more
10-02-2018
04:20 PM
Hi All,
We've set up an alert to flag AD Service account passwords are reset. Below is the alert condition:
index=winevents sourcetype="WinEventLog:Security" EventCode=4724 OR EventCode=627 OR EventCode=628 OR EventCode=4723 user="_s*"
| fields _time member_id user EventCode EventCodeDescription Message
| eval intelSubject="ad_service_account_password_reset " + member_id
| eval intelSource="Security Monitoring"
| rename member_id AS "Actioning User" user AS "Target User"
| table _time intelSubject intelSource "Actioning User" "Target User" EventCode EventCodeDescription Message
However, we're seeing a lot of false positives. When new service accounts are created, we see the subsequent password reset event.
Hence, we would like to tune the alert in such a way that service account password reset should only get triggered if the same user account hasn't been created within last hour of the password reset event.
I've tried to use options listed out in below thread but no joy.
https://answers.splunk.com/answers/38318/search-for-event-a-and-not-event-b-within-a-given-period-of-time.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
Any pointers or help much appreciated!!
Thanks
... View more
- Tags:
- splunk-cloud
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
