About epw0rrell

epw0rrell · ‎09-14-2021

Hello, I currently have a search over index_A that runs a sub-search from index_B looking to match a field (field_B) from index_B to any log within index_A. The search works great but the only frustration is not knowing what field value that field_B held as all of the tabled results come from index_A. Is there a way I can join that matched field_B to the results at the end of the search? Here is my current search and thanks for anyone that has the time to help me with this! index=index_A [search index=index_B | fields field_B | rename field_B as query] | table field_A field_A1 field_A2 field_A3

epw0rrell · ‎03-19-2021

Work perfect thanks!!

epw0rrell · ‎03-18-2021

Thanks, that is definitely the answer to that question but now looking at the results, I see that I need to be more specific and only display transactions where a certain field has more than one "event" value if that makes sense? Thanks for your help and is there a way I can do this?

epw0rrell · ‎03-18-2021

I am interested in only listing transactions of a given source entity that contain multiple events. Is there a quick and easy way to do this? index=main | transaction src_entity startswith=at least one thing endswith=another thing | table src dst etc.

epw0rrell · ‎01-21-2021

Thanks that worked great. If I could ask a follow on to this, would there be a way to include the query string that hit on the sessions displayed? I output the results to a lookup file thinking I could append the "query" column to the results (query shown below) but that just added all the domains used in the query to the lookup file. | inputlookup emailHITS.csv | appendcols [search index=security | fields domain | rename domain as query] | table _time query subject url fromEmail fromIP fromMX

epw0rrell · ‎01-15-2021

I have email logs within index=Email and suspicious domain connections within index=Security. The field name within Security = domain (values look like "website.com") The field of interest in Email = URL (values look like https://www.corp.website.com/page1/page2/etc:443) I need to search index=Email and do a sub-search within index=Security and only return results if domain is contained within URL. I tried things like: index=Email [search index=Security | where like(URL, "%"."domain"."%")] Anyone that can help me you will make my week! Thanks for your time.

epw0rrell · ‎12-10-2020

Unfortunately there is only a URL field within the logs. Unless I can use a clever field extraction on the URL, I would need to go about it from this direction.

epw0rrell · ‎12-10-2020

I have one index of alerts containing a field named "alertDomain" with values like "domain.com." I have a lookup table with urls sent within emails with values like http://www.domain.com/otherplaces I would like to run a search like this: index=alerts | lookup emailURLs.csv emailURL as alertDomain OUTPUT emailURL as phishingURL | table phishingURL but I know this won't work because the fields will not match. I need to OUTPUT the emailURL if it simply contains the value within alertDomain. Is this a bit better?

epw0rrell · ‎12-10-2020

I know how to use eval and if statements to pull fields that contain a %.value.% but how can I use this when running a search | lookup and output fields that contain a value of a field within the search? Let me know if you need an example search or more context. Thanks to anyone that can help me with this.

epw0rrell · ‎09-25-2020

ITWhisperer, You are the best! It now works perfectly and I wish I could show you. Thank you so very much!!

epw0rrell · ‎09-25-2020

Thanks for your quick feedback. I placed the code within the first dashboard and it seems to not break anything. However, I am getting an error "waiting for input within dashboard 2. Where exactly would the "tok_start" and "tok_end" go within the dashboard. I tried applying them to: <earliest>$tok_start.earliest$</earliest> <latest>$tok_end.latest$</latest> I also tried applying them to the fieldset portion of the Dashboard but it did not work then either.

epw0rrell · ‎09-24-2020

Hello, I am interested in making the results of one index search (in particular the values of fields early and late) used in a different index search as values assigned to earliest latest. index="a" <find a specific event> | eval timeTOsecs=strftime(_time, "%s") | eval early_time= timeTOsecs-300 | eval late_time= timeTOsecs+300 | eval early=strftime(early_time, "%m/%d/%Y:%H:%M:%S") | eval late=strftime(late_time, "%m/%d/%Y:%H:%M:%S") My next search would search for all events using the early and late values of the previous search and assign them to earliest latest. index="b" earliest=early latest=late Everything I have tried up to this point seems to point to "earliest" and "latest" modifiers will not allow you to assign a field value to them. Essentially I want to perform the function that Splunk automates through its UI when it lets the user run a search on events before and after a given time. Thanks for anyone that can help me and let me know if I can be clearer in explaining because sometimes it is hard to understand other people's context.

Posts	12
Solutions	0
Karma Given	6
Karma Received	0
Member Since	‎09-24-2020

Online Status	Offline
Date Last Visited	‎09-23-2021 01:38 PM

Join matching field of a Sub-Search

Only Listing Transactions with Multiple Events

How to table results only if field value within in...

How to output from lookup table if a field value i...

Assigning a field value to "Earliest" "Latest" tim...

Join matching field of a Sub-Search

Re: Only Listing Transactions with Multiple Events