Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About phillipmadm
phillipmadm
Explorer
Member since:
12-05-2016
09-29-2020
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 12-05-2016 |
Activity Feed
- Got Karma for Re: Search Chain. 06-05-2020 12:48 AM
- Posted Re: Is there an easy way to redirect existing universal forwarders to a new Splunk deployment? on Getting Data In. 09-18-2017 10:30 AM
- Posted Re: Is there an easy way to redirect existing universal forwarders to a new Splunk deployment? on Getting Data In. 09-18-2017 10:19 AM
- Posted Re: Is there an easy way to redirect existing universal forwarders to a new Splunk deployment? on Getting Data In. 09-18-2017 10:12 AM
- Posted Is there an easy way to redirect existing universal forwarders to a new Splunk deployment? on Getting Data In. 09-15-2017 12:43 PM
- Tagged Is there an easy way to redirect existing universal forwarders to a new Splunk deployment? on Getting Data In. 09-15-2017 12:43 PM
- Tagged Is there an easy way to redirect existing universal forwarders to a new Splunk deployment? on Getting Data In. 09-15-2017 12:43 PM
- Posted Re: Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session? on Splunk Search. 06-15-2017 11:05 AM
- Posted Re: Search Chain on Splunk Search. 05-10-2017 05:55 AM
- Posted Search Chain on Splunk Search. 05-09-2017 01:04 PM
- Tagged Search Chain on Splunk Search. 05-09-2017 01:04 PM
- Posted Re: Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session? on Splunk Search. 03-14-2017 10:45 AM
- Posted Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session? on Splunk Search. 03-13-2017 09:55 AM
- Tagged Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session? on Splunk Search. 03-13-2017 09:55 AM
- Tagged Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session? on Splunk Search. 03-13-2017 09:55 AM
- Tagged Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session? on Splunk Search. 03-13-2017 09:55 AM
- Tagged Multiple Timestamp Aggregation in Reports: How to have a single report for a user with the timestamp for each login/logout session? on Splunk Search. 03-13-2017 09:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
09-18-2017
10:30 AM
I wish but the Network guys would go nuts. New physical datacenter with a separate IP range.
... View more
09-18-2017
10:19 AM
We are currently using a deployment server that is replicated to a new datacenter. We can standup the replicated server with a unique address but I do not see in the referenced link where we can point existing machines to the IP. A script to update the deploymentclient.conf is valid but writing one that parses out the various operating systems in our environment is challenging with the current staffing levels. Manual seems to be the way to go.
... View more
09-18-2017
10:12 AM
Our environment is Windows, RedHat and Solaris so not the easy solution I was looking for.
:)
... View more
09-15-2017
12:43 PM
We are migrating datacenters and the current virtual deployment server has been replicated to the new facility. I can bring it up, change the IP and hostname but is there a central way to redirect existing universal forwards to the newly IP'ed deployment server? Most suggestions I've seen online are outdated and end up saying do it manually anyway.
... View more
06-15-2017
11:05 AM
Good to go 🙂
... View more
05-09-2017
01:04 PM
Hopefully this is an easy one.
We have an alert setup that notifies us if a specific error occurs more than 30 times in 1 minute. It works and gives us a nice little report of the hit count. Since this report is a mass disconnect alert, it was based on the quantity of termination messages. We now need to notify the users associated with the mass disconnect. Username field is available in the source messages but I'm having an issue chaining the logic together.
Base alert below.
index=security source="application.log" application_message=termination| bucket _time span=1m | stats count by _time | WHERE count > 30
... View more
- Tags:
- search
03-14-2017
10:45 AM
Examples are below but the goal is to be able to report (per user) login time, logout time, session duration over multiple days. 🙂
LOGIN, LOGOUT, User, SessionId, Duration....are all extracted fields
Thank you
Example of a login event
Mar 10 18:35:35 03/10/2017: 18:34:57 ns 0-PPE-0 : SSLVPN LOGIN 17573462 0 : Context JoeSmith@x.x.x.x - SessionId: 43717- User JoeSmith - Client_ip x.x.x.x - Nat_ip "Mapped Ip" - Vserver x.x.x.x:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.1439" - SSLVPN_client_type - Group(s) "N/A"
Example of a logout event
Mar 10 18:50:30 03/10/2017: 18:49:52 ns 0-PPE-0 : SSLVPN LOGOUT 17576185 0 : Context JoeSmith@x.x.x.x - SessionId: 43717- User JoeSmith - Client_ip x.x.x.x - Nat_ip "Mapped Ip" - Vserver x.x.x.x:443 - Start_time "03/10/2017:18:34:57 " - End_time "03/10/2017:18:49:52 " - Duration 00:14:55 - Http_resources_accessed 23 - NonHttp_services_accessed 0 - Total_TCP_connections 74 - Total_UDP_flows 0 - Total_policies_allowed 74 - Total_policies_denied 0 - Total_bytes_send 2170 - Total_bytes_recv 417916 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 159514 - Compression_ratio_send 0.00% - Compression_ratio_recv 61.83% - LogoutMethod "Explicit" - Group(s) "N/A"
... View more
03-13-2017
09:55 AM
We are logging information from a network security device that has multiple fields of interest. LOGIN, LOGOUT, START, and DISCONNECT messages all have unique time stamps and messages associated with a user (but a unique id with each session). How can I have a single report for a user with the timestamp for LOGIN, LOGOUT per each session?
... View more
