This was the closest solution. What I had to do in detail was install the correct TA file, which would be Security Onion instead of Zeek. I also had to properly install the TA on the SearchHead, Indexers, and UF(s). The HF in this case didn't matter because it is simply passing traffic, not forwarding it. I also realized that I had to remove previously old TA files since they were overwriting the newly installed one.   Lastly, before I restarted splunk services, ensure that you're running it as the splunk user and that the files you created/installed are owned by the splunk user. I initially had them as root which is why the files were ignored. ... View more

Data does pass through the HF onto the indexers however it doesn't do any parsing. I've places the configs on the HF anyways just to be safe but so far there has been no change. ... View more

Good Morning, Initially when I put the .conf files into the indexers, it appeared to had (mostly) worked. But it is now back to displaying a large amount of raw text. The .conf files are now on the HF as well but no changes are seen. All systems had been restarted with the new configurations and are running.   Could it possibly be a placement issue? ... View more

Good Afternoon, I attempted your solution in 2 ways based on some slight confusion. Initially I removed the MAX_TIMESTAMP_LOOKAHEAD=25 line and edited my LINE_BREAKER to match yours which did not work. Just in case I misread, I then simply commented out the LINE_BREAKER as well in case you meant to omit this as well with still no success. I am still having multiple events combined and display as raw data. Another bit of information in case it is important is that these 2 files I created are located in: /opt/splunk/etc/apps/Splunk_TA_zeek/local I created the local directory and placed the 2 custom files in there. ... View more

The query you provided does work, however it does not work for the Sankey Diagram visualization, much less any other visualization beyond a statistics table since any other doesn't display the IPs, just users and count. I'm assuming because there's now a third/fourth variable. It also doesn't provide the counts for each connection attempt to the IP. However the information is great and I'll see if I can mess around to perfect it. Any other tidbits or help would be greatly appreciated. Output: user                                                SAN                                                    Total User A                                           10.20.30.40                                     2                                                          10.20.30.50 ... View more

The syntax currently provided does give errors, stating the lookup could not be constructed based on given variables. I'll see what I can do, but I appreciate the wealth of knowledge and will accept this as the solution. ... View more

How would that look? And wouldn't that simply recycle the queries? If User A queries google at 10:00 AM, we check at 10:30 AM for a comparison for "new" queries where the query for google isn't displayed. But when we check once again at 11:00 AM, the query for google is displayed and presented as "new" because it was compared to the last 30 mins. ... View more

I am new to Splunk so I apologize. I do have Enterprise Security, and looking through documentation, I believe I created an appropriate Search-Driven Lookup. However, I do not know how to utilize it properly for the Dashboard that I am creating. How could it be applied? ... View more

By new queries, I mean I want to list only domains that haven't been earlier queried by the same src_ip. And I want to see the count of the number of times it was queried. I include the _time stats so that it (hopefully) offers me an easy reference to reach back on when I compare whether or not it was contacted before. For the mvexpand option you provided thank you. This helped. For the final question you asked along with the information you provided, yes. Once I've identified the new queries that have been reached by the individual src_ip, I would want to do an inputlookup append to the lookup file.  If everything is successful, I will modify the search query to do a tstats search instead for optimization purposes. The problem I'm currently having is trying to do a lookup and extracting the needed fields. For example, earlier I mentioned how I believed the "best" way to do it (the only way I've done it before) is to go by _time. So I currently have a query like this: Base Search | stats earliest(_time) as "earliest" count by src_ip,query | rename src_ip as "Host", query as "Query" | mvexpand Query  | inputlookup append=t file.csv | stats min(earliest) by Host,Query | outputlookup file.csv | eval isOutlier=if(earliest >= relative_time(now(), "-1d@d"), 1, 0) | convert ctime(earliest) | where isOutlier=1 Output: No Results The attempted goal of this query is to show me the outliers or "new" queries for each IP. However there's 2 -3 flaws here. 1. The line | stats min(earliest) by Host,Query is what's causing the No Results. The "Outliers" are still showing me previously queried domains. Though definitely not as many. 3. _time as I've said, isn't needed for the final results. I really only need the src_ip, new query, and count of the src_query hitting the new query. However based on a previous dashboard I created and research, this is all I have to go off of when referencing fields from a lookup. I'm attempting to modify the search now. ... View more

The final result I'm looking for is to compare DNS queries from the search query to the .csv, and display the results of only the new queries. Right now, the issue I'm having is linking the times to to the individual query. The current result I have (modified thanks to you), is this: index=nsm tag=dns query=* message_type=QUERY src_ip="10.20.30.*" NOT `MACRO` | stats earliest(_time) as earliest latest(_time) as latest values(query) as Query by src_ip This outputs the following results: src_ip                      earliest                     latest                            Query 10.20.30.40         1645963490          1646325123            www<.>google<.>com                                                                                                                www<.>youtube<.>com 10.20.30.50         1645963495          1646325130            www<.>google<.>com I also don't know if running a comparison against the .csv with the results displayed like this will actually work, does each individual query need its' own field? ... View more

ITWhisperer has provided the exact search query here: Index=nsm | stats count by src_ip,uri  | eval accesses="accessed ".uri." ".count." times" | stats list(accesses) as accesses by src_ip I was looking for an output that would display the amount of times an IP accessed a URI. I wanted to group the URIs under one IP instead of having them separated. The search query I put in this reply will display this output: 10.20.30.40 accessed www<.>youtube<.>com 7 times                           accessed www<.>google<.>com 8 times 11.21.31.41 accessed www<.>youtube<.>com 10 times ... View more

Exactly what I was looking for. Thank you. ... View more

The first query you provided as you stated only shows the total counts of connections. I'm looking  to display the count for every individual URI. The second query you provided is close since it provides the counts per URI, however it segregates the IP for every single uri. So instead of lumping all the URIs under 10.20.30.40, I instead see 10.20.30.40 multiple times for each URI. The third query doesn't provide me all of the IP's. It caps at 10 and doesn't shown anymore. Even though I know there are more IPs in my network. Again, extremely close, but it doesn't prevent all of the information I desire. ... View more

The first query you provided is close since it provides the counts per URI, however it segregates the IP for every single uri. So instead of lumping all the URIs under 10.20.30.40, I instead see 10.20.30.40 multiple times for each URI. The second query doesn't provide me all of the URI's. It caps at 10 and doesn't shown anymore. Even though I know that the IP has accessed a specific website. ... View more

Your first answer is perfect and I don't know how I was unable to get to this solution. I attempted to solve the problem initially by doing: Base Search | timechart avg(bytes_in) AND avg(bytes_out) However this would give me errors in the timechart command. I am new to Splunk and I figured I needed the specifier to explicitly state, "Include this field AND this field in the timechart". As for the second, I've ran into a post that displays it all on the time axis (kinda?), but it would only be registered to whatever day the bucket was set to. It's no big deal, I don't mind the 3 panels. I just thought there would be a more efficient way. Thank you again. ... View more

Your solution was close however the results presented seem to be the output of the division of GET/POST but not the ratio of GET/POST. In other words, instead of displaying the ratio of GET/POST as .50, it displayed it as 1,381. ... View more

Exactly what I was looking for. As I was troubleshooting it initially, I tried doing a query like this: index=nsm source="/nsm/zeek/logs/current/*http*" | timechart span=1h count(eval(method="GET")) as GET, count(eval(method="POST")) as POST | eval Ratio=round(GET/POST, 2) But it didn't dawn on me to use the table format. Leaving it as it was, only displayed the counts for the GET. Thank you for the explanation and the solution. Edit: In the event you have an additional solution to this, I inserted the code that worked in the Search Query into a panel of a Dashboard. I am trying to display my Ratio and its trend with the 'Single Value' visualization however the results always return the value '1' with no overall time/trend showing. Even though using other visualizations  such as line, bar, and stat graphs present the accurate information. If I remove the ... | table _time, Ratio, it'll display only the GET count but it would be accurate in the Single Value visualization and display the overall time. Do you know a fix for this by chance? Edit 2.0: Found the fix for this. I had to go into 'Format Visualization'  -> 'Number Format' and set the 'Precision' to '0.00'. Again, thanks for your help. ... View more