Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Splunkin
Splunkin
Explorer
Member since:
03-14-2021
12-15-2023
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 03-14-2021 |
Activity Feed
- Posted Re: 0365 splunk addon data comes after delay of 1 day? on Alerting. 12-15-2023 02:28 AM
- Posted Re: [Lookup] Unable to filter/display out data from modify lookup on Splunk Search. 08-20-2021 07:41 AM
- Posted [Lookup] Unable to filter/display out data from modify lookup on Splunk Search. 08-20-2021 07:38 AM
- Posted Re: How to calculate duration time after office hour within a month on Splunk Search. 03-16-2021 06:54 AM
- Posted Re: How to calculate duration time after office hour within a month on Splunk Search. 03-15-2021 08:40 PM
- Karma Re: How to calculate duration time after office hour within a month for tscroggins. 03-15-2021 08:18 PM
- Posted How to calculate duration time after office hour within a month on Splunk Search. 03-14-2021 12:43 AM
- Tagged How to calculate duration time after office hour within a month on Splunk Search. 03-14-2021 12:43 AM
- Tagged How to calculate duration time after office hour within a month on Splunk Search. 03-14-2021 12:43 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
12-15-2023
02:28 AM
Hi, we also experience this issue, where we observed the initial mail received by user will be display next 24 hours after user received. Need help if there any mitigation for almost real time also can be good.
... View more
08-20-2021
07:41 AM
Im sorry, inside both lookup, there are three column: process, process_path, allow_lists column allow_lists is set for "true" on all row.
... View more
08-20-2021
07:38 AM
Hi Splunkers, I have query where i want to filter out all the legitimate process by path process which ive identify that path is legit. Basically this query i custom from ESCU, where all the element i already setup to match exactly the same with the existing escu query. What i expect is the result display will be not from the lookup (whitelist process) that i call from the query. Field : process , process_path | tstats `security_content_summariesonly` count values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name, Processes.parent_process_path | rename Processes.process_name as process, Processes.parent_process_path as process_path | rex field=user "(?<user_domain>.*)\\\\(?<user_name>.*)" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [| tstats count from datamodel=Endpoint.Processes by Processes.process_name, Processes.parent_process_path | rare Processes.process_name limit=30 | rename Processes.process_name as process, Processes.parent_process_path as process_path | lookup update=true lookup_rare_process_allow_list_default2 process, process_path OUTPUTNEW allow_list | where allow_list="false" | lookup update=true lookup_rare_process_allow_list_local2 process, process_path OUTPUT allow_list | where allow_list="false" | table process process_path ] | `detect_rare_executables_filter` as you can see above query, the second "tstats" consist of two lookup, which first lookup definition (lookup_rare_process_allow_list_default2) is whitelist on totally existing process (ex: splunk process) and the second lookup definition used (lookup_rare_process_allow_list_local2) is the all list of whitelist process. The above query is running fine if i change both lookup definition line into below: | lookup update=true lookup_rare_process_allow_list_default2 process OUTPUTNEW allow_list | where allow_list="false" | lookup update=true lookup_rare_process_allow_list_local2 process OUTPUT allow_list | where allow_list="false" But what i want is not on the field=process, but on field=process_path. I've read the doc for lookup and other community postage, seem should be no issue. No error display for first query if run. Just result is empty and i think some string is not pass to display the result. Really glad if someone can help me on this. thanks!
... View more
03-16-2021
06:54 AM
hi @tscroggins thanks for your suggest. Its work, but it separate each field which the duration of it also will be split. | stats range(_time) as duration by date_day user src_ip srcPort dest_ip dstPort dstService | stats sum(duration) as duration by user src_ip srcPort dest_ip dstPort dstService | sort 0 + user - duration | streamstats values(src_ip) as src_ip values(srcPort) as srcPort values(dest_ip) as dest_ip values(dstPort) as dstPort values(dstService) as dstService count by user duration | where count <4 | fieldformat duration=tostring(duration,"duration") What i would expect is something like stats values, where it would be display like below. Sample as above comment that i mention. User src_ip src_port dest_ip dest_port service duration 10.1.1.1 22 10.1.1.1 80 http A 10.1.1.2 23 10.1.1.2 443 https 45h 22m 3s 10.1.1.3 25 10.1.1.3 8447 https 10.1.1.4 25 10.1.1.4 80 http B 10.1.1.5 37 10.1.1.5 443 https 40h 22m 3s 10.1.1.6 445 10.1.1.6 8447 https
... View more
03-15-2021
08:40 PM
Hi tscroggins, Thank you for your sharing idea, looks like i manage to get the duration and seem accurate for me. Kudos to you. However, i wonder if can i use this topic to list out top 3 src_ip, src_port, dest_ip, dest_port, service by using stats values? or is it need to change to dc(field) first before get back the values? what i understand when using the stats values(field), it will list out all the values from the field. i can limit it using eval field = mvindex(field,0,2) --> for three field, but it will return on the first three field value that it capture. Ex output: User src_ip src_port dest_ip dest_port service duration A 1.1.1.1 22 1.1.1.1 80 http 45h 22m 3s 2.2.2.2 445 2.2.2.2 443 https 3.3.3.3 53 3.3.3.3 53 dns For now i have to do it manually for each user n all the detail from the user. really helpful if get breakthrough this problem.
... View more
03-14-2021
12:43 AM
Im currently having trouble with query to get result of user activity duration after office hour within a month. i expected result will be like below: Query A: user A = 13d 22h 12m 2s user B = 10d 15h 27m 3s OR Query B: user A=320h 23m 2s user B=267h 42m 1s Both answer can be acceptable for me to get as i try multiple set of query for the result above. Both query take time range after 5.30pm until 8.00am only for a month. Below sample query : Query A: | eval date_hourmin = strftime(_time, "%H%M") | where date_hourmin>=1730 OR date_hourmin<=800 | transaction user,date_hourmin | stats sum(duration) as duration by user | sort - duration | eval string_dur = tostring(round(duration), "duration") | eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s") | eval result=replace(formatted_dur, "^d (0h (0m )?)?","") | table user duration string_dur formatted_dur result Query B: | eval date_hourmin = strftime(_time, "%H%M") | where date_hourmin>=1730 OR date_hourmin<=800 | convert timeformat="%b %Y" ctime(_time) as date_month | streamstats earliest(date_hourmin) as time_in latest(date_hourmin) as time_out by date_month | eval duration=time_out-time_in | stats values(src_ip) as SourceIP values(srcPort) as SourcePort values(dstService) as DestService earliest(time_in) as TimeIn latest(time_out) as TimeOut values(dest_ip) as DestIP values(dstPort) as DestPort sum(duration) as TotalDuration count by date_month,user | eval secs=TotalDuration%60,mins=floor((TotalDuration/60)%60),hrs=floor((TotalDuration/3600)%60) | eval HOURS=if(len(hrs)=1,"0".tostring(hrs), tostring(hrs)),MINUTES=if(len(mins)=1,"0".tostring(mins), tostring(mins)),SECONDS=if(len(secs)=1,"0".tostring(secs), tostring(secs)) | eval Time=HOURS.":".MINUTES.":".SECONDS | table user SourceIP SourcePort DestIP DestPort DestService Time count | sort - duration limit=10 Both query display the result, HOWEVER, its look like both query are not giving accurate result. Ive been struggling for this kind of query for a month now, perhaps im missing something here. Really appreciated if anyone can help n assist on this. TQ.
... View more
- Tags:
- duration
- time_range
Labels
- Labels:
-
eval
-
fields
-
stats
-
transaction
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-15-2023
06:05 AM
|
