Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Rithekakan
Rithekakan
Path Finder
Member since:
03-23-2015
10-18-2022
Community Statistics
| Posts | 21 |
| Solutions | 0 |
| Karma Given | 9 |
| Karma Received | 3 |
| Member Since | 03-23-2015 |
Activity Feed
- Got Karma for Re: How to create a new field using rex?. 10-19-2022 05:15 AM
- Posted Re: How to create a new field using rex? on Splunk Search. 10-18-2022 05:04 PM
- Posted How to create a new field using rex? on Splunk Search. 10-18-2022 10:16 AM
- Posted How to show only the maximum value and showing the condition base on that maximum? on Splunk Search. 08-03-2022 04:14 AM
- Karma Re: How to filter out one field events base on other field with two events? for richgalloway. 07-12-2022 03:12 AM
- Karma Re: How to filler a Field base on other two field? for gcusello. 07-10-2022 02:45 AM
- Posted How to filter out one field events base on other field with two events? on Splunk Search. 07-08-2022 08:57 AM
- Posted Re: How to filler a Field base on other two field? on Splunk Search. 07-08-2022 07:12 AM
- Posted Re: How to filler a Field base on other two field? on Splunk Search. 07-08-2022 06:04 AM
- Posted Re: How to filler a Field base on other two field? on Splunk Search. 07-08-2022 06:02 AM
- Posted Re: How to filler a Field base on other two field? on Splunk Search. 07-08-2022 06:00 AM
- Posted Re: How to filler a Field base on other two field? on Splunk Search. 07-08-2022 05:20 AM
- Posted How to filler a Field base on other two field? on Splunk Search. 07-08-2022 04:38 AM
- Posted Re: How to compare the values of field for Remediate VA Report "Fixed" "Active Vulnerability" and &q on Splunk Search. 06-29-2022 10:45 AM
- Tagged How to compare the values of field for Remediate VA Report "Fixed" "Active Vulnerability" and "New Active"? on Splunk Search. 06-29-2022 10:41 AM
- Posted How to compare the values of field for Remediate VA Report "Fixed" "Active Vulnerability" and "New Active"? on Splunk Search. 06-29-2022 10:39 AM
- Posted Re: How to find the time difference in days between the _time of an event and the current time? on Splunk Search. 06-27-2022 09:08 AM
- Karma Re: How to find the time difference in days between the _time of an event and the current time? for martin_mueller. 06-27-2022 09:06 AM
- Posted Re: How to search not equal with multivalued? on Splunk Search. 02-23-2022 05:35 AM
- Karma Re: How to search not equal with multivalued? for ITWhisperer. 02-23-2022 05:32 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-18-2022
05:04 PM
1 Karma
Hi richgalloway, I've update something in your regex and it work now. I appreciate you! | rex "Credentialed checks : (?<Credentialed_checks>..*)"
... View more
10-18-2022
10:16 AM
Hi Spelunker, I want to create a field "Credentialed checks:" with this field value. Please help.
regards,
Nessus version : 8.10.0 Nessus build : 20232 Plugin feed version : 202210171349 Scanner edition used : Nessus Scanner OS : LINUX Scanner distribution : es6-x86-64 Scan type : Normal Scan policy used : eb1cd575-c2d4-5be5-8010-1290128ec92e-23586099/01. PCI-INTERNAL-VA-SCAN Scanner IP : 10.6.6.51 Port scanner(s) : nessus_syn_scanner Port range : sc-default Ping RTT : Unavailable Thorough tests : no Experimental tests : no Plugin debugging enabled : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : no Patch management checks : None Display superseded patches : no (supersedence plugin launched) CGI scanning : disabled Web application tests : disabled Max hosts : 30 Max checks : 4 Recv timeout : 5 Backports : Detected Allow post-scan editing : Yes Scan Start Date : 2022/10/18 19:50 +07 Scan duration : 561 sec"
........................................................................................................
Nessus version : 8.10.0 Nessus build : 20232 Plugin feed version : 202210171349 Scanner edition used : Nessus Scanner OS : LINUX Scanner distribution : es6-x86-64 Scan type : Normal Scan policy used : eb1cd575-c2d4-5be5-8010-1290128ec92e-23586099/01. PCI-INTERNAL-VA-SCAN Scanner IP : 10.6.6.51 Port scanner(s) : netstat Port range : sc-default Ping RTT : Unavailable Thorough tests : no Experimental tests : no Plugin debugging enabled : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : yes, as 'isdscan' via ssh Attempt Least Privilege : no Patch management checks : None Display superseded patches : no (supersedence plugin launched) CGI scanning : disabled Web application tests : disabled Max hosts : 30 Max checks : 4 Recv timeout : 5 Backports : Detected Allow post-scan editing : Yes Scan Start Date : 2022/10/18 19:51 +07 Scan duration : 2483 sec"
... View more
Labels
- Labels:
-
field extraction
-
rex
08-03-2022
04:14 AM
Hi every one, I want a report which showing only the maximum value (days_since) and show the condition base on the maximum value (Pending_since). I would be appreciated for your help. This is my search indix=............... ................... | eval days_since = floor((now() - _time) / 86400) | eval Pending_since = case(days_since == 0, "Today", days_since < 30, "Pending (< 30 days)", days_since > 45, "Pending ( > 45 days)", days_since > 30, "Pending ( 30>Days<45 )", days_since < 45, "Pending ( 30>Days<45 )", days_since > 1, days_since . " Days")
... View more
07-08-2022
08:57 AM
Hi All, I have this report
My requirement is only show in table those event that do not have the Plugin Name = "TLS Version 1.1 Protocol Deprecated" with the Port= 8443 OR =8444 as I have fill color with yellow. But, still keep show the event that have Plugin Name = "TLS Version 1.1 Protocol Deprecated " with other Port exclude Port 8443 OR 8444. I am using below search
and the result show only Plugin Name = "TLS Version 1.1 Protocol Deprecated " with other port exclude Port 8443 OR 8444. I want a result show all Plugin Name...... exclude Plugin Name = "TLS Version 1.1 Protocol Deprecated" that have Port= 8443 OR =8444 Any suggestions?
... View more
- Tags:
- events
- splunk-search
07-08-2022
07:12 AM
@gcusello Yes exactly, I use it. This is my full search.. host="SPL-SH-DC" sourcetype="ABCSW" NOT Severity IN (Info,Low) NOT Port IN (6502,8089,8001) NOT "Plugin Name" IN ("SSL Certificate with Wrong Hostname","SSL Self-Signed Certificate","SSL Certificate Cannot Be Trusted") | lookup ABCDEFGServerInventory.csv IP_Address as "IP Address" output Host_Name, System_Type | eval days_since = floor((now() - _time) / 86400) | eval Pending_since = case(days_since == 0, "Today", days_since < 30, "Pending (< 30 days)", days_since > 45, "Pending ( > 45 days)", days_since > 30, "Pending ( 30>Days<45 )", days_since < 45, "Pending ( 30>Days<45 )", days_since > 1, days_since . " Days") | stats values(*) as * by "IP Address",Plugin,"Plugin Name",Severity,Protocol,Port,Exploit | eval status = case(mvcount(source)>1,"Pending", source=="ABCDEFGSW26062022.csv","Fixed", true(), "New Vulnerable") | search "IP Address" IN ("1........,...................................") "Plugin Name" != "OpenSSH S/KEY Authentication Account Enumeration" "Plugin Name" != "OPIE w/ OpenSSH Account Enumeration" "Plugin Name" != "OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing" "Plugin Name" != "OpenSSH PCI Disputed Vulnerabilities." "Plugin Name" != "TLS Version 1.1 Protocol Deprecated" (Port ="8443" OR Port="8444") | table "IP Address",Host_Name,"Plugin Name",Severity,Protocol,Port,Exploit,System_Type,Synopsis,Description,Solution,"See Also","CVSS V2 Base Score",CVE,Plugin,status,Pending_since,source
... View more
07-08-2022
06:04 AM
Hi @gcusello yes Port=8443 OR port 8444 Yes I 've been using your search, but I don't know why it also filter out other value of the Filed " Plugin Name" I am still get stuck and keep modifying the conditions. Thanks for your help @gcusello Regards,
... View more
07-08-2022
06:02 AM
@gcusello sorry, Port=8443 OR port 8444 is correct.
... View more
07-08-2022
06:00 AM
Hi @gcusello yes Port=8443 AND port 8444 Yes I 've been using your search, but I don't know why it also filter out other value of the Filed " Plugin Name" I am still get stuck and keep modifying the conditions. Thanks for your help @gcusello Regards,
... View more
07-08-2022
05:20 AM
Hi gcusello, I have this report, and I want to filter out Plugin Name = TLS Version 1.1 Protocol Deprecated with Port = 8443 and 8444. Thanks for your help, Rithekakan
... View more
07-08-2022
04:38 AM
host="SPL-SH-DC" sourcetype="ABCSW"......| search "Plugin Name" != "TLS Version 1.1 Protocol Deprecated" AND Port != "8443" AND Port != "8444" | table "IP Address",Host_Name,"Plugin Name",Severity,Protocol,Port,Exploit,System_Type,Synopsis,Description,Solution,"See Also","CVSS V2 Base Score",CVE,Plugin,status,Pending_since,source Hi Splunker, Could you please help.. I have a query as I have put above . However, I want a result query with filter Field " Plugin Name " not equal "TLS Version 1.1 Protocol Deprecated" but base on Field "Port" equal "8443" and " 8444". I will be appreciate for your help.
... View more
06-29-2022
10:45 AM
I have already try with these but it's result if not correct ... host="SPL-SH-DC" sourcetype="****" | stats values(*) as * by IP_Address,Plugin,Plugin_Name,Severity,Protocol,Port,Exploit | eval status = case(mvcount(source)>1,"Pending", source==1,"New", true(), "Fixed") | table IP_Address,device,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin,status,Pending_since,source
... View more
06-29-2022
10:39 AM
I have a result of Vulneraries Scan of Quater1, Quater2 , Quarter3 and the remediate scan result of each Quarter ... all are add to Splunk by upload as csv file.
After added I got these: host="SPL-SH-DC" sourcetype="****" source="*****.CSV" and field IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin
I want a reports with these three status " New Active Vulnerabilities", "Fixed" and "Active Vulnerabilities" base on joining with these 7 fields: IP_Address, Plugin, Plugin_Name, Severity, Protocol, Port, Exploit
I will be apricated for your contribution.
Ritheka kan
... View more
06-27-2022
09:08 AM
Thanks martin_mueller. That also what I want.
... View more
02-23-2022
05:35 AM
Hi ITWhisperer, I got it now. Thanks for your help. Regards, Rithekakan
... View more
02-22-2022
11:49 PM
The search result is correct. How ever I am looking for a short way writing not equal for the same fields and different values. Plugin_Name!="A" Plugin_Name!="B" Plugin_Name!="C" Plugin_Name!="D" I've tried this but it not working. Plugin_Name !IN (A,B,C,D) Regards, Rithekakan
... View more
02-22-2022
06:47 AM
host="SPL-SH-DC" sourcetype="csv" source="****" Severity!="Info" Severity!="low" Plugin_Name!="SSL Certificate with Wrong Hostname" Plugin_Name!="Unix Operating System Unsupported Version Detection" Plugin_Name!="SSL Self-Signed Certificate" Plugin_Name!="SSL Certificate Cannot Be Trusted" Port!="8089" Port!="6502" | table IP_Address,device_name,Plugin_Name, Severity,model, Protocol, Port, Exploit, Synopsis, Description, Solution, See_Also, CVSS_V2_Base_Score, CVE,Plugin Thanks for your help!
... View more
02-21-2022
07:17 AM
1 Karma
Hi yuanliu, I got it now. Thanks for your solution. Regards, Ritheka Kan
... View more
02-19-2022
09:09 PM
Hi yuanliu , I 've reply to accept your query in the previous time. It is 100% correct. How ever the management needs two more fields (device, model) which it is lookup from the CVS inventory file. and the report is something look like this. | table IP_Address, device, Plugin_Name, Plugin, Severity, model, Protocol, Port, Exploit, Synopsis, Description, Solution, See_Also, CVSS_V2_Base_Score, CVE, Could you pls help me edit your query you've provided to make it work with the lookup CSV file. I have this lookup fils. | lookup ABLNInventory.csv ip_address as IP_Address output device, model | table IP_Address, device, Plugin_Name, Severity, model, Protocol, Port, Exploit, Synopsis, Description, Solution, See_Also, CVSS_V2_Base_Score, CVE, Plugin I will appreciate for your help. Best regards, Ritheka Kan
... View more
02-19-2022
08:51 PM
Hi PickleRick, Thanks for your query, It help me for my report, but something is missing. I want a report with these fields. | table IP_Address, device, Plugin_Name, Severity, model, Protocol, Port, Exploit, Synopsis, Description, Solution, See_Also, CVSS_V2_Base_Score, CVE,Plugin with join only 6 fields in the | stats sum " IP_Address,Plugin_Name,Plugin,Severity,Protocol,Port. " | stats sum(picker) as..... How eve if I add all 13 fields in the | stats sum(picker)as ..........It provide the uncorrected report becuse of some fields have duplicate data. Note: There are two even (device and model) are lookup from other Inventory CSV file. Could you pls help with this reequipment? I will be appreciate for your help. Regards, Ritheka Kan
... View more
02-11-2022
03:21 PM
1 Karma
Hi yuanliu , I appreciate your helpful Splunk query. It is 100% correct and fit my query. Thanks for your help. Regards, Rithekakan
... View more
02-10-2022
08:52 AM
I have reports Quarter1.csv and Quarter2.csv. after I upload these two csv report I got
host="***" source="****" sourcetype="***" and those fields IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin.
I want 3 reports base on joining with these 6 files:
IP_Address, Plugin_Name, Severity, Protocol, Port, Exploit,
| table IP_Address,Plugin_Name,Severity,Protocol,Port,Exploit,Synopsis,Description,Solution,See_Also,CVSS_V2_Base_Score,CVE,Plugin, status
First report: - if the event are in Quarter1.csv and Quarter2.csv. show status as "Active Vulnerability"
Second report:- if the event are in Quarter1.csv but not in Quarter2.csv. show status as "Fixed"
Third report:- if the event are not in Quarter1.csv but there are in Quarter2.csv. show status as "New Active Vulnerability"
... View more
Labels
- Labels:
-
other
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-18-2022
08:50 PM
|
Karma given to
