Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About pgort
pgort
New Member
Member since:
06-23-2016
03-29-2023
Community Statistics
| Posts | 4 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 06-23-2016 |
Activity Feed
- Posted Why is regex not returning any results when used in a tstats search? on Splunk Search. 01-04-2017 12:09 PM
- Tagged Why is regex not returning any results when used in a tstats search? on Splunk Search. 01-04-2017 12:09 PM
- Tagged Why is regex not returning any results when used in a tstats search? on Splunk Search. 01-04-2017 12:09 PM
- Tagged Why is regex not returning any results when used in a tstats search? on Splunk Search. 01-04-2017 12:09 PM
- Tagged Why is regex not returning any results when used in a tstats search? on Splunk Search. 01-04-2017 12:09 PM
- Posted Re: Is there an easy way to create a drilldown for an area chart? on Splunk Search. 09-19-2016 02:05 PM
- Posted Is there an easy way to create a drilldown for an area chart? on Splunk Search. 09-15-2016 12:20 PM
- Tagged Is there an easy way to create a drilldown for an area chart? on Splunk Search. 09-15-2016 12:20 PM
- Tagged Is there an easy way to create a drilldown for an area chart? on Splunk Search. 09-15-2016 12:20 PM
- Tagged Is there an easy way to create a drilldown for an area chart? on Splunk Search. 09-15-2016 12:20 PM
- Tagged Is there an easy way to create a drilldown for an area chart? on Splunk Search. 09-15-2016 12:20 PM
- Posted Is the virustotal checker App for Splunk supported for Splunk Cloud? on All Apps and Add-ons. 06-23-2016 12:18 PM
- Tagged Is the virustotal checker App for Splunk supported for Splunk Cloud? on All Apps and Add-ons. 06-23-2016 12:18 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
01-04-2017
12:09 PM
I have a correlation search that triggers on users accessing too many URLs categorized as unknown.
| tstats allow_old_summaries=true count(Web.user) as "Count" from datamodel=Web where nodename=Web.Blocked Web.url_category="unknown" Web.rule!="Allow_Public_IP" AND Web.src_zone="TRUST" by "Web.user"
| rename "Web.user" as "user"
| regex Web.url !="\d+\.\d+\.\d+\.\d+\/$"
| where 'Count'>100
| regex Web.url !="\d+\.\d+\.\d+\.\d+\/$" is the problem line. It does not filter out IP addresses (or anything for that matter). Right now, Cisco Spark traffic is cluttering our URL traffic logs as the "url" is an IP address with a trailing / rather than a DNS name.
I need the regex to ignore logs of just an IP followed by a slash: "10.0.0.1/" but still return all other values like: "10.0.0.1/index.html" or "google.com". I can't tell if I'm calling regex correctly for tstats or how regex sees the value of Web.url to know if I can use the $ at the end.
... View more
09-19-2016
02:05 PM
So it would be as simple as adding
<link>
<![CDATA[
/app/SplunkEnterpriseSecuritySuite/search?q=| datamodel Network_Traffic Allowed_Traffic search | search (All_Traffic.dest_zone="outbound") AND ("All_Traffic.app:subcategory"="file-sharing" OR "All_Traffic.app:subcategory"="database") AND NOT (All_Traffic.dest_ip=10.0.0.0/8 OR All_Traffic.dest_ip=172.16.0.0/12 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip=169.254.0.0/16)
]]>
</link>
</drilldown>
and then also passing the earliest/latest time parameter?
... View more
09-15-2016
12:20 PM
I have a dashboard panel that shows the sum of outbound data where I want to click on a value and display the raw events making up that data point.
The search is:
| tstats allow_old_summaries=t sum(All_Traffic.bytes_out) AS sumSent FROM datamodel="Network_Traffic" WHERE nodename="All_Traffic",("All_Traffic.app:subcategory"="file-sharing" OR "All_Traffic.app:subcategory"="database"),(All_Traffic.action="allow" OR All_Traffic.action="alert"),(All_Traffic.dest_zone="outbound"),(dest_ip!=10.0.0.0/8 OR dest_ip!=172.16.0.0/12 OR dest_ip!=192.168.0.0/16 OR dest_ip!=169.254.0.0/16) groupby _time All_Traffic.app span=10m | eval megabytes=round(((sumSent/1024)/1024),0) | timechart span=10m values(megabytes) AS MB by All_Traffic.app
Is there anything that will convert that to a Simple XML search string?
ex. Adding
<drilldown target="_blank">
<link>
<![CDATA[
/app/SplunkEnterpriseSecuritySuite/search?q=search%20$click.value2$
]]>
</link>
</drilldown>
opens a new search, but currently only passes the average of that data point on the graph. I don't understand the syntax to convert my tstats search into XML. It seems like there should be a better way to do this.
... View more
06-23-2016
12:18 PM
It says platform independent, does that mean it can be installed to the cloud as well?
... View more
- Tags:
- Virustotal Checker
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-29-2023
03:32 PM
|
