Getting this error:
Error in 'eval' command: The expression is malformed. Expected ).
I'm following the following tutorial:
Everything was going fine until I got to the part of the search where I had to add the eval case statement color parameters. Can someone tell me where I'm going wrong? Thanks!
sourcetype="test" severity="critical" | iplocation src prefix=start_ | iplocation dest prefix=end_ | search start_Country="*" end_Country="*" | table start_lat start_lon end_lat end_lon app | eval animate="yes", pulse_at_start="yes" | eval color = case (
match(app, "ssh"), "#c0392b",
match(app, "web-browsing"), "#e67e22",
match(app, "unknown-tcp"), "#f1c40f",
match(app, "webdav"), "#27ae60")
It doesn't look like I'm missing anything... but then again, it's always better with another set of eyes :)
I'm trying to create a search that includes some regex. Ultimately, I'm trying to parse out some information (filename and file hash) from the raw event and show that information in separate fields on a table. The other fields not mentioned are already parsed out by default; I just need the filename and file hash information to be parsed out as well. When I perform the search below, nothing shows up in the two new fields I created (fname, fileHash).
Could someone help me with my search?
index=antivirus CLF_ReasonCode="virus log" VLF_SecondActionResult="File passed" | rex field=_raw "fname=(?<fname>.+?)\s+filePath=.*?\sfileHash=(?<fileHash>[0-9A-Fa-f]+)" | table _time cef_name VLF_SecondActionResult fname fileHash
Dec 24 11:39:47 test.test.com Dec 24 2018 11:39:47 testy-test001.test.test.com CEF:0|Test Test|Control Manager|0.0SP3|AV:File quarantined|Trojan.W77M.POWLOAD.SMNM2|3|deviceExternalId=000 rt=Dec 24 2018 13:51:23 GMT+00:00 cntLabel=AggregatedCount cnt=1 dhost=TEST000 act=File quarantined cn1Label=VLF_PatternNumber cn1=0000000 cn2Label=VLF_SecondAction cn2=1 cs1Label=VLF_FunctionCode cs1=Real-time Scan cs2Label=VLF_EngineVersion cs2=0.000.0000 cs3Label=CLF_ProductVersion cs3=0.0 cs4Label=CLF_ReasonCode cs4=virus log cs5Label=VLF_FirstActionResult cs5=File quarantined cs6Label=VLF_SecondActionResult cs6=N/A cat=000 dvchost=TEST-TEST cn3Label=CLF_ServerityCode cn3=2 fname=test.doc filePath=C:\\Users\\u000000\\Downloads\\ dst=255.255.2.255 fileHash=dddd0c5df90e20af01f7ad1e73ea17777d87777b deviceFacility=ExecScan
I used these guides as references:
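Added example (not part of the post above, and not Splunk's own code): the same extraction done in Python's re module so it can be checked offline against the event quoted in the post. Python named groups use (?P<name>...) where Splunk's rex accepts (?<name>...); the pattern semantics are otherwise the same. Note that the event as posted carries fname before fileHash, with filePath between them and no angle brackets, so any pattern has to follow that order. The block also does what Splunk's CEF add-on does behind the scenes: split the CEF header, parse the key=value extension, and resolve the csNLabel/cnNLabel pairs into named fields, which is what makes a field like CLF_ReasonCode searchable at all. The function names are mine; the event text is the one from the post, embedded as constructed test input.

```python
import re

# Constructed test input: the CEF event quoted in the post above, reproduced
# here verbatim (raw strings keep the doubled backslashes in filePath).
RAW_EVENT = (
    r"Dec 24 11:39:47 test.test.com Dec 24 2018 11:39:47 testy-test001.test.test.com "
    r"CEF:0|Test Test|Control Manager|0.0SP3|AV:File quarantined|Trojan.W77M.POWLOAD.SMNM2|3|"
    r"deviceExternalId=000 rt=Dec 24 2018 13:51:23 GMT+00:00 cntLabel=AggregatedCount cnt=1 "
    r"dhost=TEST000 act=File quarantined cn1Label=VLF_PatternNumber cn1=0000000 "
    r"cn2Label=VLF_SecondAction cn2=1 cs1Label=VLF_FunctionCode cs1=Real-time Scan "
    r"cs2Label=VLF_EngineVersion cs2=0.000.0000 cs3Label=CLF_ProductVersion cs3=0.0 "
    r"cs4Label=CLF_ReasonCode cs4=virus log cs5Label=VLF_FirstActionResult cs5=File quarantined "
    r"cs6Label=VLF_SecondActionResult cs6=N/A cat=000 dvchost=TEST-TEST "
    r"cn3Label=CLF_ServerityCode cn3=2 fname=test.doc filePath=C:\\Users\\u000000\\Downloads\\ "
    r"dst=255.255.2.255 fileHash=dddd0c5df90e20af01f7ad1e73ea17777d87777b deviceFacility=ExecScan"
)

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|
#             Device Event Class ID|Name|Severity|Extension
CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# One key=value pair in the extension: the value runs until the next " key="
# or the end of the string, so values containing spaces ("Real-time Scan",
# "Dec 24 2018 ...") survive intact.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

# Direct equivalent of a Splunk rex for just the two wanted fields. Order
# matters: in this event fname comes first, then filePath, then fileHash.
FNAME_HASH_RE = re.compile(
    r"fname=(?P<fname>.+?)\s+filePath=.*?\sfileHash=(?P<fileHash>[0-9A-Fa-f]{32,64})"
)


def parse_cef(raw):
    """Split a syslog-wrapped CEF line into (header dict, extension dict)."""
    start = raw.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in event")
    parts = raw[start:].split("|", 7)          # 7 header fields + extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    extension = dict(CEF_EXT_RE.findall(parts[7]))
    return header, extension


def resolve_labels(extension):
    """Map csNLabel/cnNLabel pairs onto named fields, e.g.
    cs4Label=CLF_ReasonCode cs4=virus log  ->  CLF_ReasonCode=virus log.
    The raw csN/cnN keys are kept alongside the resolved names."""
    resolved = dict(extension)
    for key, label in extension.items():
        if key.endswith("Label") and key[:-len("Label")] in extension:
            resolved[label] = extension[key[:-len("Label")]]
    return resolved


def extract_fname_hash(raw):
    """rex-style extraction of only fname and fileHash from the raw event."""
    m = FNAME_HASH_RE.search(raw)
    return (m.group("fname"), m.group("fileHash")) if m else (None, None)


if __name__ == "__main__":
    header, ext = parse_cef(RAW_EVENT)
    fields = resolve_labels(ext)
    print(header["name"], "|", fields["CLF_ReasonCode"], "|", fields["VLF_SecondActionResult"])
    print(extract_fname_hash(RAW_EVENT))
```

Two things this makes visible when run against the posted event: the labelled fields resolve to CLF_ReasonCode=virus log and VLF_SecondActionResult=N/A (cs6 in this event is N/A), and fname and fileHash come out only when the pattern follows the event's own order and delimiters.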
I use Splunk at work and I've just downloaded Splunk Light to my personal server to test and learn. I've recently realized that there have been attempts to log in to my personal server via SSH as root. I've already added the authentication logs to Splunk Light but I'm having issues making the data usable.
source="/var/log/auth.log" host="samplehost" sourcetype="authentication" user!=null | table _time, rhost, user
This search returns results like:
Please see attached image.
How do I make it where the duplicate or same rhost shows up only once and their count increases? For example, if the 116. address hits my server 10 times, I'd like to have the IP show only once and a field for count that shows the count of 10.
Thanks in advance.
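Added example (not part of the post above): the "one row per rhost with a count" shape, worked through in Python over a handful of constructed sshd lines in /var/log/auth.log format, so the aggregation can be seen outside Splunk. In SPL the same thing is `| stats count by rhost` appended to the search; `| stats count, values(user) as users by rhost | sort -count` gives the fuller table. The log lines and IP addresses here are made up, the function names are mine, and the parser covers the three sshd messages the lines use (Failed password, Invalid user, Accepted).

```python
import re
from collections import Counter, defaultdict

# Constructed sshd lines in auth.log format; not the poster's data.
# 198.51.100.7 hits the host four times, once against an invalid user.
AUTH_LOG = """\
Dec 24 11:39:47 samplehost sshd[2101]: Failed password for root from 198.51.100.7 port 51234 ssh2
Dec 24 11:39:49 samplehost sshd[2101]: Failed password for root from 198.51.100.7 port 51234 ssh2
Dec 24 11:39:52 samplehost sshd[2105]: Invalid user admin from 198.51.100.7 port 51240
Dec 24 11:39:53 samplehost sshd[2105]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Dec 24 11:40:10 samplehost sshd[2110]: Failed password for root from 203.0.113.9 port 40022 ssh2
Dec 24 11:41:03 samplehost sshd[2120]: Accepted publickey for alice from 192.0.2.25 port 2222 ssh2: ED25519 SHA256:abc
Dec 24 11:41:05 samplehost sshd[2120]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# Matches the login-outcome lines sshd writes; the pam_unix session line
# carries no rhost and is deliberately left out (like user!=null above).
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed password|Accepted \w+|Invalid user) "
    r"(?:for )?(?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)"
)


def parse_auth_line(line):
    """Return {outcome, user, rhost, port, failed} for a login line, else None."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["failed"] = not event["outcome"].startswith("Accepted")
    return event


def count_by_rhost(log_text):
    """Equivalent of `| stats count by rhost`: one entry per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_auth_line(line)
        if event:
            counts[event["rhost"]] += 1
    return dict(counts)


def brute_force_candidates(log_text, threshold=10):
    """Failures and attempted usernames per rhost, for hosts at or above
    threshold, highest count first. Note that sshd logs an 'Invalid user'
    line and then a 'Failed password' line for one attempt against an
    unknown account, so those attempts count twice here, as they would in
    a plain event count in Splunk."""
    failed = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_auth_line(line)
        if event and event["failed"]:
            failed[event["rhost"]] += 1
            users[event["rhost"]].add(event["user"])
    return [(rhost, n, sorted(users[rhost]))
            for rhost, n in failed.most_common() if n >= threshold]


if __name__ == "__main__":
    for rhost, n in sorted(count_by_rhost(AUTH_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{rhost:16} {n}")
    print(brute_force_candidates(AUTH_LOG, threshold=3))
```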