Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rwmilligan
rwmilligan
Explorer
Member since:
11-18-2015
06-05-2020
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 2 |
| Member Since | 11-18-2015 |
Activity Feed
- Karma Re: How do I look for the existence of one field within another field? for elliotproebstel. 06-05-2020 12:49 AM
- Got Karma for How to search for a threshold of failed logins followed by a successful login from a user?. 06-05-2020 12:48 AM
- Got Karma for Re: Tracking failed logins followed by successful logins using the transaction command, how can I make the search more efficient?. 06-05-2020 12:47 AM
- Posted Re: How do I search for low counts of specific user logons per host? on Splunk Search. 08-27-2018 06:43 AM
- Posted How do I search for low counts of specific user logons per host? on Splunk Search. 08-24-2018 07:49 AM
- Tagged How do I search for low counts of specific user logons per host? on Splunk Search. 08-24-2018 07:49 AM
- Tagged How do I search for low counts of specific user logons per host? on Splunk Search. 08-24-2018 07:49 AM
- Posted How do I look for the existence of one field within another field? on Splunk Search. 05-16-2018 06:42 AM
- Tagged How do I look for the existence of one field within another field? on Splunk Search. 05-16-2018 06:42 AM
- Posted Re: How to search for a threshold of failed logins followed by a successful login from a user? on Splunk Search. 04-27-2016 02:00 PM
- Posted How to search for a threshold of failed logins followed by a successful login from a user? on Splunk Search. 04-27-2016 12:23 PM
- Tagged How to search for a threshold of failed logins followed by a successful login from a user? on Splunk Search. 04-27-2016 12:23 PM
- Tagged How to search for a threshold of failed logins followed by a successful login from a user? on Splunk Search. 04-27-2016 12:23 PM
- Tagged How to search for a threshold of failed logins followed by a successful login from a user? on Splunk Search. 04-27-2016 12:23 PM
- Tagged How to search for a threshold of failed logins followed by a successful login from a user? on Splunk Search. 04-27-2016 12:23 PM
- Tagged How to search for a threshold of failed logins followed by a successful login from a user? on Splunk Search. 04-27-2016 12:23 PM
- Posted Re: Tracking failed logins followed by successful logins using the transaction command, how can I make the search more efficient? on Splunk Search. 04-27-2016 08:51 AM
- Posted Re: What do I need to change to make this regex work in Splunk? on Splunk Search. 12-07-2015 12:14 PM
- Posted Re: What do I need to change to make this regex work in Splunk? on Splunk Search. 12-07-2015 10:33 AM
- Posted Re: What do I need to change to make this regex work in Splunk? on Splunk Search. 12-04-2015 01:26 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
08-27-2018
06:43 AM
Not by user... I would like it to show ANY user with low counts on any machine. I'll try the "rare user" command listed above, see how that works out for me.
... View more
08-24-2018
07:49 AM
I'm trying to do some least common occurance hunting in our environment, and would like to see if I can make a search that will show me hosts with low counts of user logons (say, less than 5?).
So, if my machine had me log in 30 times, and a pc tech once, even though it's legit it would show the pc tech on my machine in the search.
... View more
05-16-2018
06:42 AM
For example, if I have a proxy log, and it shows User=A, then In the URL field we have "http://somesite.com/parameter=A", I want it to be able to pull up those logs.
... View more
- Tags:
- splunk
04-27-2016
02:00 PM
Maybe I'm misunderstanding how these functions work, but would that not just try to find 5 events of a failed logon followed by a successful logon? How doesthe search eventcount differentiate from the startswith and endswith out of the transaction getting piped into it? Either way, it doesn't seem to be working for me.
... View more
04-27-2016
12:23 PM
1 Karma
I found another thread where the user was trying something similar, with this string:
index= | transaction src_ip,user startswith="Login failed " endswith="Login succeeded" maxspan=15m maxpause=8h | stats avg(duration)
Which doesn't go off of any kind of threshold, so a single logon failure followed by a success would be shown. It was suggested, but not exactly how, to use eventstats to create a kind of count for the "Login failed"s so that a threshold could be specified, but the syntax wasn't covered, and I'm still too new to Splunk to get it right. I've been playing around with it a little bit, and was trying something like:
index= | transaction src_ip,user startswith=["Login failed" | eventstats count(src_ip) as count | where count > 10] endswith="Login succeeded" maxspan=30m
But it gives an error, which I kind of expected. I just don't understand the Splunk functions, syntax, and piping well enough to know how to get that startswith = . Do you have to run eventstats first and pipe that into the transaction to use the 15 failed logons in the transaction instead of "Login success", or can you do some kind of subsearch like I was trying with a different syntax?
... View more
04-27-2016
08:51 AM
1 Karma
I'm attempting to do something similar to what you've suggested with using eventstats to set a threshold on failed logons, but I don't understand enough about Splunk syntax to get it to work. The thing I "tried" to do, that obviously errored out is index= | transaction src_ip,user startswith=["Login failed" | eventstats count(src_ip) as count | where count > 10] endswith="Login succeeded" maxspan=30m . How and where would I insert eventstats to count the 10 failed logons as the transaction start?
... View more
12-07-2015
12:14 PM
If I do that I get no results returned, but I just figured out the problem. It's the way the proxy logs are stored in Splunk. Which is a single line that is more or less a hash style data structure, with metadata tags and values. So, when I'm searching the regex like that, the ^ and $ characters at the beginning and end of the regex, while good for regex filtering on the proxy, break the Splunk searches since they show up in line surrounded by other garbage.
... View more
12-07-2015
10:33 AM
I want to be able to search the proxy logs for any and all instances of the regex. If there's a log with a URL matching that regex, I want to see it when I run the search.
... View more
12-04-2015
01:26 PM
Ok, it won't let me revise it apparently, here's the URL, with the disclaimer that it was a live Angler EK link a week or so back. I've defanged it for safety reasons, so you'll have to fix the http and .com parts to check it properly. hxxp://nosprivsliikeradan.pfgfoxriver-localguide2[.]com/boards/viewforum.php?f=5x827&sid=7q0as14.5i4x8
... View more
12-04-2015
01:22 PM
I'll edit in a sample URL... I HAVE checked it at regex101.com, and it checks out there. But it fails in Splunk.
... View more
12-04-2015
12:25 PM
I've been fighting with and researching Splunk regex for the past month, and I just cannot seem to get the PCREs being produced by another source to work for me for searching proxy logs in Splunk. I'm assuming there are some syntaxual differences, possibly some missing features, but I haven't been able to find any solid documentation on what those may be.
Can anyone help me get the below working properly in a Splunk search? I've been trying variations on vendor = proxyname | regex = "<expressioin>" but it doesn't work.
^http:\/\/(?!www|forums?)(?:[^\.]+\.[^\.\x2f]+|[^\.]+\.[^\.]+\.(?:[^\.\x2f]+?|[^\.]+\.[^\.]+))\/[^\x3f]+\/(?:index\.php\?PHPSESSID=[^&]+?&action=(?!dlattach)[^&]+?&?|view(?:forum|topic)\.php\?[a-z]=[^&]{1,5}&[a-z]{1,3}=(?![0-9a-f]{32})[0-9a-z\._-]{13,})&?$
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
