Activity Feed
- Posted Re: How to set up a summary index? on Knowledge Management. 08-20-2014 07:40 AM
- Posted Re: How to set up a summary index? on Knowledge Management. 08-19-2014 10:46 AM
- Posted Re: How to set up a summary index? on Knowledge Management. 08-19-2014 10:25 AM
- Posted Re: How to set up a summary index? on Knowledge Management. 08-19-2014 09:58 AM
- Posted Re: How to set up a summary index? on Knowledge Management. 08-19-2014 09:48 AM
07:40 AM
08/19/2014 06:00:00 -0600, search_name=404_logs, search_now=1408514400.000, info_min_time=1408428000.000, info_max_time=1408514400.000, info_search_time=1408514567.910, count=836
2014-08-19 05:59:44 W3SVC2....|utmccn=(direct)|utmcmd=(none);+RequestVerificationToken_Lw=;+ASP.NET_SessionId=...;+RSA=...;+.RequestVerificationToken=... - ... 404 0 2 1397 1014 249
(... replacing all the numbers, user agent, and keys that were too long to paste here)
10:46 AM
Yes, the original summary index search produces a good timechart, and the stats view of it does show the count. It's just when I reference the original through index=summary source="404_logs", I just get a normal list of raw results and no count field. Also, no sc_status field, so I cannot rebuild a timechart with the results either. I also misread the results when I said making progress; I do NOT get a _time field with a 1hr time span, as far as I can tell now.
10:25 AM
Making progress! I do get the 1hr span time field now, but no count field, so that timechart isn't working
09:58 AM
I don't have access at all, but I'm working with my system admin to get this. I'm not sure he will be able to find it, have any instruction I could give him?
09:48 AM
That gets me a good place to start, and I should be able to do the backfill with no issues.
But now that I have set the time range to 1 day, I still can't find a way to search against this data.
08:43 AM
I read all the Splunk documentation for setting up a summary index, and I followed it as best I could, but I can't get results when I try to search against it.
My search: index="summary" search_name="404_logs"
but my search is not even listed in any indexes with index="summary*"
If I go to settings>knowledge>searches, reports, and alerts,
It shows my 404_logs search that I am trying to set up as a summary index, and it has 0 alerts. (it has been over 24 hours since I set it up)
In that search, it is configured as follows:
SEARCH: index="is_logs" source="" sc_status = 404
DESCRIPTION: Summary Index of 404 errors
Not accelerated
SCHEDULE: -1y to now, basic, every day at midnight.
ALERT: Condition - Always, alert mode - once per search, no throttling, 24 hour expiration, medium severity
ALERT ACTIONS: All disabled
SUMMARY INDEXING: Enabled, index - summary, add fields - blank
I'm not sure if I am trying to search against it improperly, or if it is not set up right. edit: My eventual goal is to be able to easily pull up a time chart of 404 errors within the last year, because without using summary indexing, the search takes over an hour to complete on the dashboard every time the page is loaded, and I need to use the 404 error data in other searches as well.
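An added example, written here by the editor and not code from the thread or from the Splunk documentation, showing the aggregation step that the saved-search configuration quoted above leaves out. The first search is the scheduled one (summary indexing enabled, target index summary, saved under the name 404_logs so that its summary events carry source="404_logs"): sitimechart writes pre-aggregated hourly counts into the summary instead of copying raw events, which is what gives a later timechart a count to work with. The second search is the dashboard search that reads the summary back. The index, status code and search name come from the post; the 1h span, and dropping the empty source filter from the scheduled search, are assumptions.

```spl
index="is_logs" sc_status=404
| sitimechart span=1h count

index=summary source="404_logs"
| timechart span=1d count
```

The span of the reading search must be equal to or coarser than the span written by sitimechart (1d over 1h here); the summary events themselves show up under the saved search's name in the source field, as the search_name=404_logs line pasted in the later reply illustrates.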
- Tags:
- summary-index
09:43 AM
This is the first time I have got the built in one to give me any results! Thank you! Now my problem with it is that the count is not working, it shows 1 count for every IP now.
10:49 AM
I need to be able to get useful data out of the following search:
index="logs" source="mywebsite" | stats dc(cs_username) as Users by c_ip | where Users > 4 | geoip c_ip
The search (in theory) should show me a location where a single IP address has more than 4 users. What I can't see is the actual IP address, and numbers in the circles don't make any sense, I would like the number to be how many users there are, and I would like to be able to click on, hover over, or have some way to easily see the IP address. As it stands, I have no way to see the IP address without doing a completely separate search without geoip
edit: Right now, if I do click on one of the results, it puts the search in a new window and adds _geo="43.6135,-116.2035" to the parameters, but it always gives me "No results found."
07:47 AM
Thanks, this shows exactly what I was looking for! seems I was making it much harder than it had to be.
07:46 AM
1 Karma
The null values made sense, but was not quite what I was looking for. The count by eventcode suggestion was good!
11:12 AM
1 Karma
Looking for the best way to format a timechart or stats visualization of failed login account names by time. Right now I have:
index="activedirectory" EventCode=4740 | eval Account_Name=mvfilter(Account_Name!="-") | timechart span=1d count by Account_Name
This helps a little, but due to how rare it is for a lockout to occur here, there are way too many empty blocks of time where nothing occurs. How can I get a useful chart that shows easy to read data over a long range of time while still showing the exact day that the lockout occurred?
I also don't need to know the count of "how many failed logins per individual accounts", but I don't know how else to get a visual representation.
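An added example (editor's code, not from the original thread) of one way to get a per-day view over a long range that contains only the days on which a lockout actually happened: bin the events into one-day buckets and aggregate with stats, which, unlike timechart, emits no rows for empty buckets. It also lists the locked accounts per day instead of a per-account count, since the post says that count is not needed. The index, event code and the mvfilter expression are the ones in the post.

```spl
index="activedirectory" EventCode=4740
| eval Account_Name=mvfilter(Account_Name!="-")
| bin _time span=1d
| stats values(Account_Name) as locked_accounts, count as lockouts by _time
| sort 0 _time
```

Each result row is one day with at least one lockout, the accounts involved, and how many lockout events that day produced; days with nothing do not appear, so a year-long range stays readable.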
08:54 AM
If I am doing it right, that lists just the number of agents used, instead of each individual agent? I was hoping to be able to sort exactly like this, except for showing the full text of each user agent, rather than just the number of how many. Sorry that I am using the comment for an entirely different question 😕
08:42 AM
Thanks! That was way easier than everything I have been trying for the last hour... Would you also have any ideas on how I might sort these results based on how many user agents each IP has, without changing the format of the results? I thought something like | sort -mvcount(cs_User_Agent_) might work, but it does not.
08:18 AM
1 Karma
I am trying to get a search result that shows a single IP associated with all of its user agents, but I would like the IPs sorted by the overall amount of hits rather than sorted by numerical order. I would also like to be able to see the count of hits in the end result as well. Thanks in advance!
My current search:
index="logs" source="" | stats values(cs_User_Agent_) as cs_User_Agent_ by c_ip
Right now it results:
User Agent: 1. Mozilla/5.0...
2. Mozilaa/4.0...
User Agent: 1. Mozilla/5.0...
User Agent: 1. Mozilla/5.0...
2. Mozilaa/4.0...
3. Mozilla/5.0...
I am looking to get results like:
IP: - Count: 13451
User Agent: 1. Mozilla/5.0...
2. Mozilaa/4.0...
IP: - Count: 636
User Agent: 1. Mozilla/5.0...
IP: - Count: 122
User Agent: 1. Mozilla/5.0...
2. Mozilaa/4.0...
3. Mozilla/5.0...
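An added example (editor's code, not from the thread) that serves both the question above and the follow-up reply about sorting by the number of user agents. One stats call returns each IP's total hit count alongside every user agent seen from it, and eval materializes the user-agent count into a field; sort only accepts field names, which is why the reply's sort -mvcount(cs_User_Agent_) form does not work. The index and field names are from the post; the source value is a placeholder to fill in.

```spl
index="logs" source="<your_source>"
| stats count as hits, values(cs_User_Agent_) as user_agents by c_ip
| eval ua_count=mvcount(user_agents)
| sort 0 -hits
| table c_ip, hits, ua_count, user_agents
```

To order the same table by how many distinct user agents each IP used rather than by hits, replace the sort line with sort 0 -ua_count; the rest of the output format is unchanged. The 0 after sort lifts the default 10,000-row limit.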
08:01 AM
Thanks for the answer, so based on this, would you happen to know what it means when referers are as such:
08:20 AM
My main goal right now is to see if there are users accessing our site through phishing sites or emails. We do not send any e-mails with links whatsoever, so I shouldn't see anyone referred through an email.
My (possibly uneducated) question is to clarify what exactly the Referer URL is giving me. If I was to pull a list of:
"... | top cs_Referer_"
I get results like "" with no search criteria, and also "". Is it actually just the URL the user was on before they changed to ours, or is it actually based on clicking a link?
Given this info, what type of referer would I look for to see if they did click on a link in an email?
09:44 AM
1 Karma
This is exactly what I needed, with a better method that I was trying before. Thank you!
09:18 AM
1 Karma
I am looking to compare a list of non-unique usernames with unique IPs, and specifically analyze the occurrences where any users have logged in with multiple IPs.
So far I have:
index="iis_logs" source="" NOT cs_username="-" | table cs_username, c_ip | dedup c_ip
A given username can be all letters, all numbers, or a combination of both, so the "where cs_username > 1" doesn't seem to work.
I also do want to see the actual username, so a stats command that only shows how many IPs a given user logged into doesn't work either.
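An added example (editor's code, not from the thread) that counts distinct client IPs per username with dc() instead of comparing the username value itself, so it works whether a username is letters, digits or both, and keeps both the username and the list of IPs in the result. The index, field names and the "-" exclusion are from the post; the source value is a placeholder.

```spl
index="iis_logs" source="<your_source>" NOT cs_username="-"
| stats dc(c_ip) as ip_count, values(c_ip) as ips by cs_username
| where ip_count > 1
| sort 0 -ip_count
```

Users who only ever logged in from a single IP are dropped by the where clause; those that remain are listed with the most IPs first, which is the usual starting point when reviewing shared or travelling accounts.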
10:09 AM
Thank you! This is beautiful. Any ideas on how I might also compare each of these top IPs and show a readable list of how many / which user agents are associated, rather than just the single most common one?
11:18 AM
I am trying to find a search command that will get me a list of my top 20 client IP addresses (c_ip) along with each given IP's top 1 user agent (cs_User_Agent_).
In layman's code: ... | top 20 c_ip each with top cs_User_Agent_
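An added example (editor's code, not from the thread) of the "top 20 IPs, each with its own top user agent" idea in SPL: count hits per (IP, user agent) pair, attach each IP's total with eventstats, sort so that the busiest IP comes first and within each IP its most-used user agent comes first, then keep one row per IP with dedup. The field names are the ones in the post; the index and source values are placeholders.

```spl
index="logs" source="<your_source>"
| stats count by c_ip, cs_User_Agent_
| eventstats sum(count) as total_hits by c_ip
| sort 0 -total_hits, -count
| dedup c_ip
| head 20
| table c_ip, total_hits, cs_User_Agent_, count
```

total_hits ranks the IPs by all of their traffic, while count is how many of those hits used the user agent shown; ranking on count alone would instead pick the 20 IPs whose single favourite user agent is busiest, which is a different question.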