Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About tpowell12
tpowell12
Explorer
Member since:
07-25-2012
10-18-2021
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 07-25-2012 |
Activity Feed
- Got Karma for Alert when a threshold is met consistently at certain intervals within a time frame. 06-05-2020 12:47 AM
- Posted Alert when a threshold is met consistently at certain intervals within a time frame on Splunk Search. 08-06-2014 12:21 PM
- Tagged Alert when a threshold is met consistently at certain intervals within a time frame on Splunk Search. 08-06-2014 12:21 PM
- Tagged Alert when a threshold is met consistently at certain intervals within a time frame on Splunk Search. 08-06-2014 12:21 PM
- Tagged Alert when a threshold is met consistently at certain intervals within a time frame on Splunk Search. 08-06-2014 12:21 PM
- Tagged Alert when a threshold is met consistently at certain intervals within a time frame on Splunk Search. 08-06-2014 12:21 PM
- Posted Re: Applying correct sourcetypes to Windows event logs on Getting Data In. 05-23-2013 01:06 PM
- Posted Applying correct sourcetypes to Windows event logs on Getting Data In. 05-23-2013 12:11 PM
- Tagged Applying correct sourcetypes to Windows event logs on Getting Data In. 05-23-2013 12:11 PM
- Tagged Applying correct sourcetypes to Windows event logs on Getting Data In. 05-23-2013 12:11 PM
- Tagged Applying correct sourcetypes to Windows event logs on Getting Data In. 05-23-2013 12:11 PM
- Tagged Applying correct sourcetypes to Windows event logs on Getting Data In. 05-23-2013 12:11 PM
- Tagged Applying correct sourcetypes to Windows event logs on Getting Data In. 05-23-2013 12:11 PM
- Posted Re: Regex for Windows username null values on Splunk Search. 09-19-2012 01:58 PM
- Posted Re: Regex for Windows username null values on Splunk Search. 09-19-2012 01:57 PM
- Posted Regex for Windows username null values on Splunk Search. 09-19-2012 11:20 AM
- Tagged Regex for Windows username null values on Splunk Search. 09-19-2012 11:20 AM
- Posted Re: Creating a column for each field in a count on Splunk Search. 07-25-2012 12:50 PM
- Posted Creating a column for each field in a count on Splunk Search. 07-25-2012 11:44 AM
- Tagged Creating a column for each field in a count on Splunk Search. 07-25-2012 11:44 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
08-06-2014
12:21 PM
1 Karma
I'm having trouble building an alert. I want to get alerted, if during a 4 hour window, an IP has more than 5 blocks at our proxy every 5 minutes for the entire 4 hours. At any point within the 4 hour frame, if the hit count drops below 5 in 5 minutes, I don't want to be alerted.
The search belows gives me the hit count by IP in 5 minute blocks but I'm not sure how to get alerted if a unique IP constantly has 5 hits every 5 minutes throughout the 4 hours.
host="proxy1" status="blocked" | timechart span=5m count by IP
... View more
05-23-2013
01:06 PM
No, nothing was set on the forwarders to specify a sourcetype and nothing was defined in transforms.conf. On the indexer in inputs.conf, it's set to sourcetype=tcp-raw for each source and also all of the WinEventLog options are disabled.
... View more
05-23-2013
12:11 PM
We have the event logs of many Windows servers getting indexed via universal forwarders into a number of different index names. The data inputs for each of these sources were originally configured using the default tcp-raw sourcetype because we also have other OSes and devices forwarding data to the same indexes. Now, I would like all of the Windows machines to have WinEventLog:Security, WinEventLog:Application, and WinEventLog:System sourcetypes applied instead of tcp-raw to take advantage of some of the Windows apps. What would be the best way to go about this?
... View more
09-19-2012
01:58 PM
props.conf
[tcp-raw]
REPORT-extract_names = extract_username, extract_accountname
transforms.conf
[extract_username]
- extracts the user name field in Windows security logs
REGEX = (?ms)^\s+User Name:\s+([^\s]+|)\r
FORMAT = user_name::$1
[extract_accountname]
- extracts the account name field in Windows security logs
REGEX = (?ms)Account For Which Logon Failed.+?Account Name:\s+(\V+)
FORMAT = account_name::$1
... View more
09-19-2012
01:57 PM
It works with the \r at the end in an editor like gskinner.com/regexr. In Splunk, I have two extractions for one sourcetype. One for the username that you helped with and another for account names. The problem I have now is when I add the \r to regex in transforms.conf, the username is no longer extracted, only the account name. I must be missing something.
... View more
09-19-2012
11:20 AM
I have a Windows event below. This regex, (?ms)^\s+User Name:\s+(? \S+), is used to extract the value from the User Name field which works great when there's a username available. Otherwise, in the event below when the User Name is blank, the regex picks up "Domain:" as the username. I'm trying to figure out what to add in the regex to prevent a value from being extracted if the User Name field is null.
09/06/2012 08:54:52 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=TESTSYSTEM
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=50947147
Message=Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
... View more
- Tags:
- regex
07-25-2012
12:50 PM
Thanks for the quick response. Yeah, that solves it. Now from here, can I alias each of the EventCodes in the chart with something that I can understand rather than having the code number displayed?
... View more
07-25-2012
11:44 AM
I have a search for failed login attempts and am running a count based on EventCodes per host.
("EventCode=4625" OR "EventCode=529" OR "EventCode=530" OR "EventCode=531" OR "EventCode=532" OR "EventCode=533" OR "EventCode=534" OR "EventCode=535" OR "EventCode=536" OR "EventCode=537" OR "EventCode=539") | stats count by host, EventCode
host EventCode count
host1 4625 3
host1 529 6
host2 529 3
host3 529 6
host3 4625 1
Instead of listing each host multiple times for each EventCode, how can I have the host listed once with each EventCode in its own column as I have below.
host 529 4625
host1 6 3
host2 3
host3 6 1
... View more
