Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About wingfieldj
wingfieldj
Explorer
Member since:
02-05-2015
17 hours ago
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 1 |
| Member Since | 02-05-2015 |
Activity Feed
- Karma Re: Track User Login/Logout exclude first 2 hours of the day (midnight-2am) for richgalloway. 16 hours ago
- Karma Re: Track User Login/Logout exclude first 2 hours of the day (midnight-2am) for richgalloway. 17 hours ago
- Posted Re: Track User Login/Logout exclude first 2 hours of the day (midnight-2am) on Splunk Search. 17 hours ago
- Karma Re: Track User Login/Logout exclude first 2 hours of the day (midnight-2am) for PickleRick. 17 hours ago
- Karma Re: Track User Login/Logout exclude first 2 hours of the day (midnight-2am) for richgalloway. yesterday
- Posted Re: Track User Login/Logout exclude first 2 hours of the day (midnight-2am) on Splunk Search. yesterday
- Posted Track User Login/Logout exclude first 2 hours of the day (midnight-2am) on Splunk Search. yesterday
- Got Karma for Re: Why tcpdump says Syslog traffic from Cisco ASA is reaching the interface, but nothing shows up when searching the index?. 06-05-2020 12:47 AM
- Posted Re: monitoring windows services on Monitoring Splunk. 10-22-2019 11:17 AM
- Posted monitoring windows services on Monitoring Splunk. 10-22-2019 09:40 AM
- Tagged monitoring windows services on Monitoring Splunk. 10-22-2019 09:40 AM
- Posted Re: How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period? on Splunk Search. 08-15-2016 01:40 PM
- Posted Re: How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period? on Splunk Search. 08-15-2016 06:55 AM
- Posted How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period? on Splunk Search. 07-28-2016 12:50 PM
- Tagged How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period? on Splunk Search. 07-28-2016 12:50 PM
- Tagged How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period? on Splunk Search. 07-28-2016 12:50 PM
- Tagged How to search syslog data to find if 3 IP sources hit a common destination IP address in a 48 hour period? on Splunk Search. 07-28-2016 12:50 PM
- Posted Re: Why tcpdump says Syslog traffic from Cisco ASA is reaching the interface, but nothing shows up when searching the index? on Getting Data In. 02-12-2015 07:54 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
17 hours ago
the eval was definitely the magic...thanks to both | eval date_hour=strftime(_time, "%H")
... View more
yesterday
Appreciate the quick assistance Adding the Where statement and change the Date to Date Range has no results..in Fast mode or Verbose.
... View more
yesterday
index=endpoint_ms_winevents sourcetype=XmlWinEventLog user=TESTER EventID=4624 OR EventID=4634 | stats earliest_time(_time) AS Login, latest_time(_time) AS Shutdown by user src_ip | convert ctime(Login) ctime(Shutdown) | table Login Shutdown src_ip user | sort Login 1) Having to run this one day at a time...with DATE and Time Range set 02:00:00 using earliest=@d+2h always calculates for today... Not able to use earliest set over a range of days... 2) Windows Eventlog are chatty for login/logout; searches over 3m events a day. Any other filtering you suggest? Output needed is user, Login, Logout and src_ip ...(on VPN or at office)
... View more
10-22-2019
11:17 AM
I do not think i have the input yet. i am hoping that the Splunk add-on for MS Windows will help with this.
... View more
10-22-2019
09:40 AM
how do you monitor a windows server service that is set to start at boot time and flag it if it stops or did not start? For instance monitoring the MSExchangeFrontEndTransport service every 20 minutes and alert if it is not running.
... View more
- Tags:
- splunk-enterprise
08-15-2016
01:40 PM
yes src_ip and dst_ip are in the same event
src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | top 10 dst_ip
results in 10 ip addresses...and clicking on the ip address will show the events for each of the addresses in the search and some additional addresses...so that is almost it ( not exclusive to the three listed ips)
... View more
08-15-2016
06:55 AM
thanks for your responses....
so new to complex searches...
Restating the scenario: Using the firewall logs, I am trying to find common website/destination IP that 3 known users have in common...due to bad guy activity on the src_IP, like malware
So I could set a custom filter for the block of time...to remove that complexity.
I tried the following - no results
src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | bucket span=2d _time | stats dc(src_ip) as ips by dest_ip
The following had 12000 events no matches...But I know they all three had gone to the same dst_ip in the last 2 hours...
src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | bucket span=120m _time | stats dc(src_ip) as ips by dest_ip
I tried the following custom time set - no results
src_ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333 type=TRAFFIC | stats dc(src_ip) as ips by dest_ip
I tried the following custom time set - Error in Stats command
(ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333) type=TRAFFIC | stats count(src_ip) as COUNT dst_ip src_ip
The following with custom time set results in 10085
(ip=111.111.111.111 OR src_ip=222.222.222.222 OR src_ip=333.333.333) type=TRAFFIC| stats count(src_ip) as COUNT
... View more
07-28-2016
12:50 PM
Using syslog data, how do I find if 3 systems go to a common webpage in a 48 hour period?
I have 3 IP sources with OR between them in a search...
Do you pipe this to associate and find the destination IP addresses in common?
Rare values do not seem to work...
Jim W.
... View more
02-12-2015
07:54 AM
1 Karma
The default search looks at logs posted to 'Main' Index. If you put the ASA logs into another index it does not show up. Changes to what index is used is under Access Control/Roles
change each account type, for example User
check under "Indexes searched by default"
add other logs as needed
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
17 hours ago
|
