×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
yanisA
Explorer
Member since: ‎06-29-2021
‎06-23-2022
Community Statistics
Posts 5
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎06-29-2021
Activity Feed
View All

How to create search to filter on a field after re...

by in Splunk Search
‎06-23-2022 12:38 AM
‎06-23-2022 12:38 AM
Hello, I need to create a search that will display results based on a specific value. My issue is that the following search does not return any result. In penultimate line, when I replace user_ip by index_field1="1.2.3.4" it works and when I remove both last lines I can see user_ip well contains "1.2.3.4"... But index_field1=user_ip does not match, same for index_field2... index=... | eval field1="1.2.3.4:100" | rex field=src_ip_port "(?<user_ip>.+)\:(?<user_port>.+)" | table user_ip user_port | search index_field1=user_ip index_field2=user_port | table index_field1 index_field2 user_ip user_port Thanks by advance for your feedback. ... View more
Labels

Re: Problem on collect of Firewalls failed authent...

by in All Apps and Add-ons
‎08-18-2021 04:30 AM
‎08-18-2021 04:30 AM
Hi @gcusello Thanks for your response 🙂 Exactly, your understanding is good. We are going to check the configuration files related to the sourcetypes, both TA are already installed. I will come back to you soon Yanis ... View more

Problem on collect of Firewalls failed authenticat...

by in All Apps and Add-ons
‎08-18-2021 02:12 AM
‎08-18-2021 02:12 AM
Hi, For security monitoring matters, we are trying to collect authentication logs from Fortigate and Palo Alto devices but we only receive success events. We also need to get failed events. We don't think the problem is due to devices configuration because other SIEM can read failed authentication events with the same Log forward filters applied. Same for index=firewall_fortigate index=firewall_paloalto   Thanks by advance for your feedback ... View more

Re: Correaltion Search : Detect if an Acces Apache...

by in Splunk Enterprise Security
‎06-29-2021 04:56 AM
‎06-29-2021 04:56 AM
Hi @venkatasri , Yes that's it ! It seems to work perfectly ! Thank you so much for your help 🙂 ... View more

Correaltion Search : Detect if an Acces Apache Log...

by in Splunk Enterprise Security
‎06-29-2021 01:59 AM
‎06-29-2021 01:59 AM
Hello, We need to develop a Correlation Search to implement this algorithm : If a specific custom event (here tagged as index="custom_app" categorie="custom_log") occures for one user we trigger an alert if there is no access apache log for the same user. I have tried the following correlation search with trigger conditions : Trigger alert when Number of Results is equal to 0. index="linux_apache" sourcetype="apache:access:kv" [search index="custom_app" categorie="custom_log" | top limit=1 user | table user] | table user | dedup user   Thanks by advance for your help regarding this topic ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-23-2022 04:12 AM
Karma given to
View All