Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About hiteshkh
hiteshkh
Explorer
Member since:
09-17-2021
03-27-2023
Community Statistics
| Posts | 6 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 09-17-2021 |
Activity Feed
- Posted Re: Looking to join the SC4S Slack on Splunk Search. 09-22-2021 01:41 PM
- Posted Looking to join the SC4S Slack on Splunk Search. 09-22-2021 01:04 PM
- Posted Re: Extracting Source Network Address from Windows Logs on Splunk Search. 09-20-2021 10:47 AM
- Tagged Re: Extracting Source Network Address from Windows Logs on Splunk Search. 09-17-2021 11:35 AM
- Tagged Re: Extracting Source Network Address from Windows Logs on Splunk Search. 09-17-2021 11:35 AM
- Tagged Re: Extracting Source Network Address from Windows Logs on Splunk Search. 09-17-2021 11:35 AM
- Tagged Re: Extracting Source Network Address from Windows Logs on Splunk Search. 09-17-2021 11:35 AM
- Tagged Re: Extracting Source Network Address from Windows Logs on Splunk Search. 09-17-2021 11:35 AM
- Posted Re: Extracting Source Network Address from Windows Logs on Splunk Search. 09-17-2021 10:32 AM
- Got Karma for Re: Extracting Source Network Address from Windows Logs. 09-17-2021 10:20 AM
- Posted Re: Extracting Source Network Address from Windows Logs on Splunk Search. 09-17-2021 09:58 AM
- Posted Extracting Source Network Address from Windows Logs on Splunk Search. 09-17-2021 09:05 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
09-22-2021
01:04 PM
Hi, im attempting to setup the Splunk connect 4 syslog. Im getting some issues and could use some assistance troubleshooting. It seems the slack is restricted to some corporate emails. Is there a way to add my company/account so I can register and work with other users for troubleshooting?
... View more
09-20-2021
10:47 AM
The previous Query was counting all events displayed. I modified this further and now I can get a failure count by ip. index=windows EventCode=4625 ip!="private ip range to exclude" ip!="127.0.0.1" ip!="::1" ip!="-" | stats count as failures by ip, EventCode, ComputerName,| table EventCode ip failures ComputerName | sort failures | reverse In addition you can easily add hostnames you wish to exclude with the line below by adding this before the | stats ComputerName!="hostname you'd like to exclude that's noisy or you're aware of"
... View more
09-17-2021
10:32 AM
Finalized working query index=windows EventCode=4625 ip!="private ip range to exclude" ip!="127.0.0.1" ip!="::1" ip!="-" ComputerName!="hostname you'd like to exclude that's noisy or you're aware of" | eventstats count as "EventCount" by EventCode | table EventCode EventCount ip ComputerName | sort EventCode | where EventCount>80
... View more
09-17-2021
09:58 AM
1 Karma
I was able to write regex to extract it. Source Network Address:(?<ip>.\S+) The Issues I had and remediations 1. The splunk Field Extractor window would cut off Microsoft windows event payloads by a half. So I could not select the field. 2. Splunk auto associates strings and ip's etc to a common field that can be utilized to be remapped across the environment so it can learn what these are. For example an IP Address is associated with <IP> 3. The Regex is not like normal regex that I'm used to for example (.?*) 4. The Source Network Address would pull back private IP's and public IP's Across the same event code. I extracted the private ones, then tried to find the IP field in the verbose mode search. Unfortunately, it wouldn't populate. So I re-ran the search and extracted the public IP field under the same field (Source Network Address) and then extracted it and named it Source Network Address -pub. This then populated my public ip's.
... View more
09-17-2021
09:05 AM
Im working on extracting Source Network Address's from Splunk I've spent the past few hours defining my query and after a few days of researching and troubleshooting got it narrowed to the following. The problem is the Source_Network_Address in windows event logs appears without spaces and the query is pulling data back that is not accurate for me. Im looking for Public IP's RDPing to a host not private IPs. index=windows EventCode=4625 Source_Network_Address!="127.0.0.1" Source_Network_Address!="::1" | eventstats count as "EventCount" by EventCode | table EventCode EventCodeDescription EventCount Source_Network_Address ComputerName | sort EventCode | where EventCount>80 Yes I've tried excluding internal subnets however this is still not giving me expected output. I need a way to extract Source Network Address without spaces. https://community.splunk.com/t5/Splunk-Search/Need-to-pull-IP-from-Message-field/m-p/559816 I tried this however we are not extracting it via the IP Field. When I go to extract the regex after searching by event count and index the field gets cut off in the regex editor that loads up. Not sure how to proceed here.
... View more
Labels
- Labels:
-
regex
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-27-2023
03:14 PM
|
