×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jmgonzalez
Observer
Member since: ‎08-17-2022
‎08-24-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-17-2022
View All

Re: How to exclude events with same session_id - R...

by in Splunk Enterprise Security
‎08-24-2022 08:24 AM
‎08-24-2022 08:24 AM
After including the "session_id" field within the tstats command, in the BY clause to extract it, we have observed that some results are excluded where there are several different values in the session_id field. ... View more

How to exclude events with same session_id - Remot...

by in Splunk Enterprise Security
‎08-17-2022 02:54 AM
‎08-17-2022 02:54 AM
Hello, We are trying to modify the existing query in the "Remote Desktop Network Bruteforce" correlation search present in the Splunk ES use cases to exclude events with the same session_id. The original query is:   | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 stdev | `remote_desktop_network_bruteforce_filter`   We have tried using the "dedup" command and the "distinct_count" function of stats command without success. Thanks in advance, Best Regards, ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-24-2022 07:47 AM