Activity Feed
- Karma Re: Updating Timestamp in a Lookup Table for jawaharas. 06-05-2020 12:50 AM
- Karma Re: Return Timestamp from inner and outter search for nareshinsvu. 06-05-2020 12:50 AM
- Posted Re: Return Timestamp from inner and outter search on Splunk Search. 08-20-2019 08:16 PM
- Posted Re: Return Timestamp from inner and outter search on Splunk Search. 08-20-2019 06:29 PM
- Posted Return Timestamp from inner and outter search on Splunk Search. 08-20-2019 05:27 PM
- Tagged Return Timestamp from inner and outter search on Splunk Search. 08-20-2019 05:27 PM
- Posted Re: Does Value Exist in KV Store on Splunk Enterprise Security. 08-14-2019 05:51 PM
- Posted Does Value Exist in KV Store on Splunk Enterprise Security. 08-14-2019 05:20 PM
- Tagged Does Value Exist in KV Store on Splunk Enterprise Security. 08-14-2019 05:20 PM
- Posted Updating Timestamp in a Lookup Table on Splunk Enterprise Security. 08-13-2019 06:30 PM
- Tagged Updating Timestamp in a Lookup Table on Splunk Enterprise Security. 08-13-2019 06:30 PM
08-20-2019
08:16 PM
Thanks. Not quite working yet, but I think you have pointed me down the right track.
Thanks.
08-20-2019
06:29 PM
Hi @nareshinsvu
Thanks for your answer.
I need to match the ComputerName from the subsearch and then use the time from the subsearch to find other events in the same time period.
In the example, I want to find all successful logins over the last week that occur within 10min of a failed login on the same computer.
Thanks.
08-20-2019
05:27 PM
Hi,
I am trying to create a search that finds two sequential events. So far I have:
index=wineventlog EventCode=4624 [ search index=wineventlog EventCode=4625 | eval earliest=_time | eval latest=_time+600 | fields earliest latest ComputerName ]
This works and returns successful windows logins that follow a failed login within a 10min period. What I want to do though is return a table that shows the time that the first event occurred and the time that the second triggering event occurred. I tried appending:
| table ComputerName earliest _time
But the earliest field comes back blank when I want that to be showing the time stamp of the event that matched the subsearch.
Any help would be appreciated. Thanks.
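Added example (not part of this thread or the poster's own search) of one way to return both timestamps. The blank `earliest` column is expected behaviour: when a subsearch returns fields named `earliest` and `latest`, Splunk rewrites them into time-range terms of the outer search rather than attaching them as fields to the matching 4624 events, so there is nothing for `table` to show. Pulling both event codes into one search and carrying the most recent failure forward per computer with `streamstats` keeps the failed-login time on the successful-login event. `ComputerName` and the event codes are the ones from the post; the field names `failed_time`, `last_failed_time`, `failed_login`, `successful_login` and `seconds_between` are chosen for this example.

```spl
index=wineventlog (EventCode=4624 OR EventCode=4625) earliest=-7d
| eval failed_time=if(EventCode=4625, _time, null())
| sort 0 _time
| streamstats current=f last(failed_time) AS last_failed_time by ComputerName
| where EventCode=4624 AND isnotnull(last_failed_time) AND (_time - last_failed_time) <= 600
| eval failed_login=strftime(last_failed_time, "%Y-%m-%d %H:%M:%S"),
       successful_login=strftime(_time, "%Y-%m-%d %H:%M:%S"),
       seconds_between=_time - last_failed_time
| table ComputerName failed_login successful_login seconds_between
```

`sort 0 _time` puts events in chronological order so that `streamstats` (with `current=f`, which excludes the event being evaluated) sees only earlier failures; `last()` skips the null `failed_time` on 4624 events, so each success is paired with the nearest preceding failure on the same host. Pairing on `ComputerName` alone matches a failure by one account followed by a success by another on the same host, which is also what the original subsearch did; adding an account field to the `by` clause tightens it, but on 4624 the Windows add-on typically extracts `Account_Name` as a multivalue field (subject account and new-logon account), so pick the right value before grouping on it.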
08-14-2019
05:51 PM
I have a data model running where one of the extracted fields is 'host'.
I am wanting to add another field to the datamodel which is an Eval Expression. I want the eval to check the list of server names in the KVStore for a match of the 'host' field.
As a result I can query the datamodel in other searches by doing:
WHERE datamodel.server.critical=true
08-14-2019
05:20 PM
Hi All,
Sorry, this might be an obvious one but I'm having trouble finding information on this specific problem.
I have a KV store named 'critical-servers' which contains a list of host name. In my data model I want to create a boolean value 'critical' which is assigned a value of True if the host who produced the event exists in the kvstore.
I seem to only be able to find examples of extracting values from the KVStore and not seeing if a value exists in the list.
Thanks in advance.
S.
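Added example (not from this thread) for both the question above and the follow-up about the data model. A KV store collection is queried with the `lookup` command, and "does the value exist" reduces to "did the lookup return anything": if the OUTPUT field is null, the host is not in the list. This assumes a lookup definition named `critical_servers` (a name chosen here) backed by the `critical-servers` collection from the post, with a field called `host`; the field name `critical_host` is also an assumption.

```spl
index=wineventlog
| lookup critical_servers host AS host OUTPUT host AS critical_host
| eval critical=if(isnotnull(critical_host), "true", "false")
| fields - critical_host
| stats count by host, critical
```

For the data model, the same two steps are done in the data model editor rather than in one eval: add a field of type Lookup that uses `critical_servers` with `host` as the input and `host AS critical_host` as the output, then add an Eval Expression field `critical` with the expression `if(isnotnull(critical_host), "true", "false")`. Searches over the accelerated model can then filter on it, for example `| tstats summariesonly=true count from datamodel=WindowsEvents where EventID.critical="true" by host` (`WindowsEvents` and the `EventID` dataset are taken from the later post on this page). One caveat: the lookup result is computed when the acceleration summary is built, so a host added to the collection later is only flagged on events summarised after that point; if the list changes often, filter at search time instead, e.g. `index=wineventlog [| inputlookup critical_servers | fields host]`, which still relies on the same lookup definition.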
08-13-2019
06:30 PM
Hi,
Trying to build a use case which looks at user logins and stores the Count, Earliest and Latest times on a per user, per server basis. Eventually we want it to alert when a user logs in to a server for the first time.
Currently trying to do it through a lookup table that is appended every hour. The lookup table is created with the following:
| tstats summariesonly=true max(_time),min(_time), count from datamodel=WindowsEvents where EventID.EventCode=4624 NOT EventID.Logon_GUID="{00000000-0000-0000-0000-000000000000}" by host, EventID.Account_Name | outputlookup server_logins.csv
And then the alert is setup with the following query:
| inputlookup server_logins.csv | rename min(_time) as ftime | eval days_ago=((now()-ftime)/86400) | fields host, EventID.Account_Name, ftime, days_ago | where days_ago < 1
Can someone please advise me on the best way to append the lookup table with a new count and "latest" (or in this case max(_time)) if the record for the user/server already exists?
Ideally I would just like the user table to be appended every hour while storing the data of a years worth of logins.
Thanks in advance.
S.
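Added example (not from this thread) of the usual merge pattern for this: search only the last hour, append the existing lookup rows with `inputlookup append=true`, collapse old and new rows per host/user with `stats`, and write the result back. `min` and `max` across both sets give the earliest and latest login, and `sum(count)` the running count, whether or not the row existed before. The data model, dataset, event code and Logon_GUID filter are the ones from the post; `first_seen`, `last_seen`, `user` and the one-year retention window are choices made for this example.

```spl
| tstats summariesonly=true min(_time) AS first_seen max(_time) AS last_seen count AS count
    from datamodel=WindowsEvents
    where EventID.EventCode=4624 NOT EventID.Logon_GUID="{00000000-0000-0000-0000-000000000000}"
          earliest=-1h@h latest=@h
    by host, EventID.Account_Name
| rename EventID.Account_Name AS user
| inputlookup append=true server_logins.csv
| stats min(first_seen) AS first_seen max(last_seen) AS last_seen sum(count) AS count by host, user
| where last_seen >= relative_time(now(), "-1y")
| outputlookup server_logins.csv
```

Schedule that hourly, then run the alert shortly after it; a row whose `first_seen` falls inside the hour just processed is a user/server pair that was not in the table before:

`| inputlookup server_logins.csv | where first_seen >= relative_time(now(), "-1h@h") | eval first_seen_time=strftime(first_seen, "%Y-%m-%d %H:%M:%S") | table host user first_seen_time count`

Two practical points: `inputlookup append=true` fails if the file does not exist yet, so seed it once with the original `tstats ... | outputlookup server_logins.csv` over the full history before enabling the hourly job; and because `summariesonly=true` reads only the accelerated summary, events that have not been summarised yet when the job runs are missed, so either allow some lag in the time window or drop `summariesonly` and accept the slower search. The `where last_seen` line is what limits the table to a year of logins; a pair that has been absent longer than that is dropped and will alert again as a first login when it reappears, which matches the stated retention.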