We have got Squid proxy logs that are compared with the threat lists in Splunk ES.
It works fine, but in the list on Splunk ES Advanced Threat - Threatlist Activity - Threat Activity Details we only see IP addresses in the dest field.
In the log events of squid I also have the URL, which is much more human readable.
What I want is to add the field uri_host also to my data in the index=threat_activity.
It looks like the index is filled by a saved search: Threat - Source And Destination Matches - Threat Gen
The data looks like:
11/27/2015 14:15:00 +0100, search_name="Threat - Source And Destination Matches - Threat Gen", search_now=1448630100.000, info_min_time=1448622000.000, info_max_time=1448630100.000, info_search_time=1448630114.038, dest="xxx.xxx.xx.xxx", orig_sourcetype="cisco:asa", src="yyy.yyy.yyy.yyy", threat_collection=ip_intel, threat_collection_key="emerging_threats_ip_blocklist|43.229.52.0/22", threat_key=emerging_threats_ip_blocklist, threat_match_field=src, threat_match_value="43.229.53.53"
The search looks like this:
| src_dest_tstats("allowed") | truncate_domain_dedup(src) | truncate_domain_dedup(dest) | threatintel_multilookup(src) | threatintel_multilookup(dest) | search threat_collection_key=* | fields - count | zipexpand_threat_matches | fields sourcetype,src,dest,threat*
I tried to add just | fields sourcetype,src,dest, uri_host, threat* but this is not working.
Does anybody have a description of these macros? Or where can I find them to adjust them?
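Two searches added here as an example (not part of the original post and not Splunk ES code): the first dumps the definitions and owning app of the four macros used in the Threat Gen search through the REST endpoint for macros.conf, so they can be read before touching them; the second enriches the existing threat_activity events after the fact by joining the dest IP back to the original proxy events. The proxy index name and the squid sourcetype are assumptions; adjust them to the local names.

```spl
| rest /servicesNS/-/-/configs/conf-macros count=0
| search title="src_dest_tstats*" OR title="truncate_domain_dedup*"
    OR title="threatintel_multilookup*" OR title="zipexpand_threat_matches*"
| table title, args, definition, eai:acl.app, eai:acl.sharing

index=threat_activity search_name="Threat - Source And Destination Matches - Threat Gen"
| join type=left dest
    [ search index=proxy sourcetype="squid:access" uri_host=*
      | stats values(uri_host) AS uri_host BY dest ]
| table _time, src, dest, uri_host, threat_key, threat_match_field, threat_match_value
```

The first search shows which app (for example SA-ThreatIntelligence) ships each macro, which is where a local override in macros.conf would go; the second avoids editing the macros at all and only adds uri_host to the view of existing matches.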