Activity Feed
- Got Karma for How do I search from a lookup table and match when part of a string from an events' field matches a value in a lookup table?. 11-03-2021 11:38 AM
- Got Karma for Re: How do I search from a lookup table and match when part of a string from an events' field matches a value in a lookup table?. 04-14-2021 12:01 PM
- Karma Re: How to Detect Pass the Hash for to4kawa. 07-17-2020 07:43 AM
- Karma Re: In a search, how would one count the number of times a value appears in a defined time segment over a longer period of time? for richgalloway. 06-05-2020 12:50 AM
- Karma Re: How do I search from a lookup table and match when part of a string from an events' field matches a value in a lookup table? for starcher. 06-05-2020 12:50 AM
- Karma Re: How do I search from a lookup table and match when part of a string from an events' field matches a value in a lookup table? for pkeenan87. 06-05-2020 12:50 AM
- Karma Re: How do you exclude and format unique specific fields from multivalued fields to be used in a subsearch? for woodcock. 06-05-2020 12:50 AM
- Got Karma for Re: How do I search from a lookup table and match when part of a string from an events' field matches a value in a lookup table?. 06-05-2020 12:50 AM
- Karma Re: How to configure forwarding on an amazone EC2 server linux ? for nkwong_splunk. 06-05-2020 12:47 AM
- Posted Re: Having issues reporting information from inner searches in a nested query on Splunk Search. 04-08-2019 10:47 AM
- Posted Re: Having issues reporting information from inner searches in a nested query on Splunk Search. 04-08-2019 10:43 AM
- Posted Having issues reporting information from inner searches in a nested query on Splunk Search. 04-08-2019 10:04 AM
- Tagged Having issues reporting information from inner searches in a nested query on Splunk Search. 04-08-2019 10:04 AM
- Posted Re: How do I search from a lookup table and match when part of a string from an events' field matches a value in a lookup table? on Splunk Search. 03-11-2019 05:12 AM
- Posted Re: How do I search from a lookup table and match when part of a string from an events' field matches a value in a lookup table? on Splunk Search. 03-08-2019 12:33 PM
- Posted Re: How do I search from a lookup table and match when part of a string from an events' field matches a value in a lookup table? on Splunk Search. 03-08-2019 05:29 AM
04-08-2019
10:47 AM
Hello! This makes sense, however, the change does not affect the output. Regardless, I appreciate your answer!
04-08-2019
10:43 AM
Hello! Thank you for your help!
The intel sourcetype only generates a list of domains (clientIP is from the DNS logs). The domain names are then compared to the DNS logs with the field queried_domain, which explains the format command on line 5 and the renaming on line 4 of my original trouble query. This makes it so that the DNS portion of my trouble query does something like this: queried_domain=domaina.com AND queried_domain=domainb.com and so on. Matching events in the DNS logs contain clientIP.
I've also considered the eval method but I'm unsure how to actually implement that. I've seen people online do something like |eval something = [search ]
Thanks!
04-08-2019
10:04 AM
Hello all,
I will try to explain my issue as concisely as possible. I suspect the issue is attributed to me misunderstanding the usage of fields and return.
The use case is using a saved search to resolve an IP to a user who queried a specific domain.
Below is the trouble query:
| savedsearch IPresolver src=$clientIP$
[ search sourcetype=DNSlogs (some time range B)
[ search sourcetype=intel (some time range C)
| stats values(intelstuff) as queried_domain
| format]
| return clientIP queried_domain _time]
| table user queried_domain _time
where IPresolver looks like:
basesearch src=$src$ (some time range A)
|dedup user
|fields user
and my resulting table looks like:
user queried_domain _time
johndoe <blank> <timestamp from events from the saved search>
I'm having a hard time understanding why I'm able to return clientIP for the purpose of populating a savedsearch command but I'm unable to use queried_domain for reporting purposes in my outer most query. Also, I'm unsure how to report the correct _time as it should be the timestamp from the DNS log events.
I should also note that both inner queries work as expected and this was validated through the following search:
sourcetype=DNSlogs (some time range B)
[search sourcetype=intel (some time range C)
|stats values(intelstuff) as queried_domain
|format]
|table clientIP queried_domain _time
I'd greatly appreciate some insight as to why this implementation doesn't work (I checked job inspector and it did not contain useful information).
Thank you!
03-11-2019
05:12 AM
This helped clarify a lot! Thank you for linking that!
03-08-2019
12:33 PM
2 Karma
For those who stumble on to this question, this solution ended up working as expected:
base search
[| inputlookup mytable
| rename domains AS queried_domain ]
| sort -_time
| table _time request_ip queried_domain
Knowing when to use inputlookup and lookup was the confusion here.
03-08-2019
05:29 AM
Ohhhh okay, now I'm following.. Thank you for clarifying!
03-06-2019
01:18 PM
Could you see any other implementation without changing the columns of the lookup? It's generated by a dashboard not owned by me (where a user inputs just a domain and it's added into that lookup).
Also, would you mind explaining how |where isnotnull(domain_match) would return events from the base search that would match when a csv value partially matches a field from those events?
Thank you!
03-06-2019
12:50 PM
1 Karma
Hi all,
I know many questions exist similar to this one but none are useful for my particular use case. Please if somebody could advise me on how to do this, I'd appreciate it!
I have a lookup table (mytable) that looks like this (note: I can add or remove the asterisk easily; I'm just unsure whether it'll be useful later on):
domains
*domain.com
*someotherdomain.com
I created the following search but I'm not getting the expected result, likely because I'm searching for exact matches rather than partial ones (a queried_domain value might look like queried_domain=example.domain.com), which explains why I tried using the asterisk as a wildcard.
base search
| lookup mytable domains AS queried_domain OUTPUT domains
| search domains=*
| sort -_time
| table _time request_ip queried_domain
Can anyone please tell me how I'd go about doing this?
Thank you!
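As an added example in Python (not code from the post, the replies or Splunk), the matching step from the question above: the lookup's `*domain.com` style entries are applied to constructed DNS events first as the glob the asterisk implies, then as a stricter parent-domain match, which shows why the glob also catches `notdomain.com`. `DNS_EVENTS`, `LOOKUP_DOMAINS` and the function names are mine.

```python
import fnmatch

# Constructed lookup rows, mirroring the "domains" column of mytable in the post.
LOOKUP_DOMAINS = ["*domain.com", "*someotherdomain.com"]

# Constructed DNS events carrying the queried_domain field the post describes.
DNS_EVENTS = [
    {"_time": "2019-03-06T12:00:00", "request_ip": "10.0.0.5",
     "queried_domain": "example.domain.com"},
    {"_time": "2019-03-06T12:01:00", "request_ip": "10.0.0.6",
     "queried_domain": "notdomain.com"},          # glob false positive
    {"_time": "2019-03-06T12:02:00", "request_ip": "10.0.0.7",
     "queried_domain": "mail.someotherdomain.com"},
    {"_time": "2019-03-06T12:03:00", "request_ip": "10.0.0.8",
     "queried_domain": "unrelated.example"},
]


def glob_match(queried: str, pattern: str) -> bool:
    """Wildcard semantics of the asterisk in the lookup: '*domain.com' is a glob."""
    return fnmatch.fnmatchcase(queried.lower(), pattern.lower())


def suffix_match(queried: str, pattern: str) -> bool:
    """Stricter: the lookup value must equal the queried name or be a parent of it."""
    base = pattern.lstrip("*.").lower()
    q = queried.lower()
    return q == base or q.endswith("." + base)


def match_events(events, patterns, matcher):
    """Keep events whose queried_domain hits any lookup entry; newest first."""
    out = []
    for ev in events:
        hits = [p for p in patterns if matcher(ev["queried_domain"], p)]
        if hits:
            out.append({**ev, "domain_match": hits[0]})
    return sorted(out, key=lambda e: e["_time"], reverse=True)


def matched_domains(matcher):
    """Convenience view: just the matched queried_domain values."""
    return [e["queried_domain"] for e in match_events(DNS_EVENTS, LOOKUP_DOMAINS, matcher)]
```

The glob variant matches `notdomain.com`; the suffix variant requires a dot boundary, so only true subdomains of a lookup entry are returned.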
02-13-2019
07:16 AM
Brilliant! This works as expected! I'll need to tinker with the regex to also omit IP addresses with specified ports such as 123.123.123.2:8080 but once I add this, the provided answer will do exactly what I'm looking for.
Thank you so much!
02-11-2019
12:29 PM
Hello all,
I'm having some trouble formatting and dealing with multivalued fields.
My use case is as follows:
I have sourcetype-A that returns known malicious indicators (through multi-valued fields)
I have sourcetype-B that has DNS query logs from hosts
I'd like to make a search where I compile a list of "known malicious" domains from sourcetype-A, and in a subsearch (with sourcetype-B being the main base search), compare all queries against the list created from the subsearch to see if a host queried a "malicious domain" (different index from sourcetype-A)
A sample log for sourcetype A looks like this:
Event 1, field indicator (multi-valued):
    x.xxx.x.xx
    hash
    someDomain.com
    http://DomainA.com
    supermalicious.com
Event 2, field indicator (multi-valued):
    someDomain.com
    www.domainA.com
    someEmailAddress@domain.com
    http://helpmepls.com
When I use | eval indicator=mvfilter(match(indicator, "\.")) and | stats values(indicator), I receive somewhat expected results (hashes are now gone and values are deduped across all events), but I still have the issue of having to exclude everything else that's not a domain or a URL.
I was thinking of using something like a URL parser app for Splunk to help with the formatting issues, but for that, I don't think I'm able to get by using |stats values(indicators)
Expected results:
someDomain.com
domainA.com
supermalicious.com
helpmepls.com
I'd appreciate if someone could point me in the correct direction or tell me if this is even possible through Splunk.
Thanks!
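Added example in Python (not from the post or any Splunk app): a normaliser that reduces a mixed multi-valued indicator field to the domain list the post expects, dropping IPs (with or without a port, as raised in the later reply), hashes and e-mail addresses, and reducing URLs to their host. The events are constructed, values are lowercased for de-duplication, and `to_domain` and `malicious_domains` are my names.

```python
import re
from urllib.parse import urlsplit

# Constructed multi-valued "indicator" fields in the shape the post describes:
# an IP, an IP:port, a hash-like hex string, bare domains, URLs and an e-mail address.
EVENTS = [
    ["192.0.2.10", "0123456789abcdef0123456789abcdef", "someDomain.com",
     "http://DomainA.com", "supermalicious.com"],
    ["someDomain.com", "www.domainA.com", "someEmailAddress@domain.com",
     "http://helpmepls.com", "192.0.2.11:8080"],
]

IPV4_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")
HOSTNAME = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def to_domain(value: str):
    """Return the host of a domain or URL indicator, or None for anything else.
    IPs (with or without a port), hashes and e-mail addresses are dropped."""
    v = value.strip().lower()
    if "@" in v:                       # e-mail address, not a DNS name
        return None
    if "://" in v:                     # URL: keep only the host part
        v = urlsplit(v).hostname or ""
    if IPV4_PORT.match(v):             # IPv4 with optional :port, also from URLs
        return None
    v = v.split(":")[0]                # host:port without a scheme
    if v.startswith("www."):           # treat www.x and x as the same domain
        v = v[4:]
    if not HOSTNAME.match(v):          # hashes, placeholders, junk (no dot or bad chars)
        return None
    return v


def malicious_domains(events):
    """Deduplicated domain list in first-seen order, like stats values() after filtering."""
    seen = []
    for values in events:
        for val in values:
            dom = to_domain(val)
            if dom and dom not in seen:
                seen.append(dom)
    return seen
```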
01-18-2019
06:16 AM
Replacing this alone didn't fix the search, however, with streamstats I'm able to do a work around now! Adding streamstats to my search yielded me Time and users but with some duplicates, however, counting by these duplicates and user I'm able to yield exactly what I'm looking for. Thank you so much!
01-16-2019
12:50 PM
Hi everybody,
The search I'm trying to create is to alert on possible brute force attacks using Windows Event Logs.
I'd like to have a search (alert) that runs every hour and splits that hour into 5 minute time blocks. For each of these time blocks, I'd like to have some logic to output to a table whenever there are "X" amount of failed attempts (or more) in ANY of the 12 five minute blocks within that hour.
I imagine the results to look like this (X here is hypothetically 5):
User Time Count
Bob 12:00 5
Alice 12:25 6
Steve 12:55 10
The current search I have written is:
basesearch sourcetype="WindowsEventLogs" eventCode=4265 etc. (with time picker set at "last 60 minutes")
| dedup _time user
| bin _time span=5m
| eventstats count by user
| search count > 5
| table user, time, count
The result of this query yields me duplicates and an overall count of how many times a user failed a logon in the whole 60 minutes time range, rather than the count of how many times user fails a login in each of the 5min intervals.
I've searched all over and could appreciate some help! Thank you.
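Added example in Python, not the post's own search: it counts failed logons per user per 5-minute bin over constructed events, the way `bin _time span=5m | stats count by _time user` would, and contrasts that with the whole-hour per-user total that `eventstats count by user` produces. EventCode 4625 is the Windows failed-logon event; the sample data, threshold and function names are mine.

```python
from collections import Counter
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security event "An account failed to log on"
THRESHOLD = 5         # the "X" from the post


def constructed_events():
    """Constructed failed-logon records for one hour starting 12:00 (sample data)."""
    base = datetime(2019, 1, 16, 12, 0, 0)
    # (user, offset minute, number of failures); Carol fails 3+3 in two separate windows
    spec = [("Bob", 0, 5), ("Alice", 25, 6), ("Steve", 55, 10),
            ("Carol", 10, 3), ("Carol", 40, 3)]
    events = []
    for user, minute, n in spec:
        for i in range(n):
            events.append({"_time": base + timedelta(minutes=minute, seconds=20 * i),
                           "EventCode": FAILED_LOGON, "user": user})
    return events


def bin_time(ts, span_minutes=5):
    """Floor a timestamp to the start of its span, like SPL 'bin _time span=5m'."""
    return ts.replace(minute=ts.minute - ts.minute % span_minutes, second=0, microsecond=0)


def failed_logon_bursts(events, threshold=THRESHOLD, span_minutes=5):
    """Rows (user, window start, count) for every window with >= threshold failures.
    Counting by (window, user) is what 'stats count by _time user' does after bin."""
    counts = Counter((bin_time(e["_time"], span_minutes), e["user"])
                     for e in events if e["EventCode"] == FAILED_LOGON)
    rows = [{"user": user, "time": start.strftime("%H:%M"), "count": c}
            for (start, user), c in counts.items() if c >= threshold]
    return sorted(rows, key=lambda r: r["time"])


def per_user_totals(events):
    """What 'eventstats count by user' yields: one total per user over the whole range."""
    return Counter(e["user"] for e in events if e["EventCode"] == FAILED_LOGON)


if __name__ == "__main__":
    for row in failed_logon_bursts(constructed_events()):
        print(row)
```

Carol's six failures spread over two windows trip the whole-hour total but not the per-window count, which is the difference between the posted search and the intended alert.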