×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
NorthropGrumman
New Member
Member since: ‎07-16-2025
‎07-21-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-16-2025
Activity Feed
Topics I've Started
View All

Re: SOCKS proxy traffic

by in Splunk Search
‎07-16-2025 05:43 AM
‎07-16-2025 05:43 AM
This resulted in the same source IP in multiple rows, I need it by source IP. ... View more

Re: SOCKS proxy traffic

by in Splunk Search
‎07-16-2025 04:33 AM
‎07-16-2025 04:33 AM
I had already tried that annoyingly it looked like this:   index=*proxy* SOCKS | eval destination=coalesce(dest, dest_port) | rex field=url mode=sed "s/^SOCKS:\/\/|:\d+$//g" | eval network=case(match(src_ip,"<REDACTED>"),"user",1=1,"server") | eval Proxy_day = strftime(_time, "%d-%m-%y") | join type=left max=0 src_ip [ search index=windows_events EventID=4624 NOT src_ip="-" NOT user="*$" | stats count by IpAddress, user | rename IpAddress as src_ip | rename user as win_userid | fields - count ] | eval userid=coalesce(userid, win_userid) | join type=left max=0 userid [ search index="active_directory" | stats count by username, fullname, title, division, mail | rename username as userid ] | rename src_ip as "Source IP" | sort -Proxy_day | stats values(mail) as "Email Address" values(username) as "User ID" values(destination) as Destination values(network) as Network values(Proxy_day) as Day values(url) as URL by "Source IP" | eval "Email Address"=mvindex('Email Address',0,4), Day=mvindex(Day,0,4), URL=mvindex(URL,0,4)   It reduced the source IP's to below what was visible on a unfiltered search which meant it was removing results that I needed. ... View more

SOCKS proxy traffic

by in Splunk Search
‎07-16-2025 02:43 AM
‎07-16-2025 02:43 AM
Hi everyone and thanks in advance. I'm trying to collate all our SOCKS traffic on our network over the last 90 days. Our IP's rotate and as a result I can't run this search for all time, I have to run it for 90 days individually, Which is where I got to here: index=*proxy* SOCKS earliest=-1d latest=-0d | eval destination=coalesce(dest, dest_port), userid=coalesce(user, username) | rex field=url mode=sed "s/^SOCKS:\/\/|:\d+$//g" | eval network=case(match(src_ip,"<REDACTED>"),"user",1=1,"server") | stats values(domain) as Domain values(userid) as Users values(destination) as Destinations by url, src_ip, network | convert ctime(First_Seen) ctime(Last_Seen) | sort -Event_Count | join type=left max=0 src_ip [ search index=triangulate earliest=-1d latest=-0d |stats count by ip,username |rename username AS userid |rename ip as src_ip ] | join type=left max=0 src_ip [ search index=windows_events EventID=4624 NOT src_ip="-" NOT user="*$" earliest=-1d latest=-0d | stats count by IpAddress, user | rename IpAddress as src_ip | rename user as win_userid | fields - count ] |eval userid=coalesce(userid, win_userid) | join type=left max=0 userid [ search index="active_directory" earliest=-1d latest=-0d | stats count by username,fullname,title,division,mail | rename username as userid ] Then a colleague suggested I do it slightly differently and run it over the 90 days but link it together which is where we got to here: index=*proxy* SOCKS | eval destination=coalesce(dest, dest_port) | rex field=url mode=sed "s/^SOCKS:\/\/|:\d+$//g" | eval network=case(match(src_ip,"<Redacted>"),"user",1=1,"server") | eval Proxy_day = strftime(_time, "%d-%m-%y") | join type=left max=0 src_ip [ search index=windows_events EventID=4624 NOT src_ip="-" NOT user="*$" | stats count by IpAddress, user | rename IpAddress as src_ip | rename user as win_userid | fields - count ] | eval userid=coalesce(userid, win_userid) | join type=left max=0 userid [ search index="active_directory" | stats count by username, fullname, title, division, mail | rename username as userid ] | rename src_ip as "Source IP" | stats values(mail) as "Email Address" values(username) as "User ID" values(destination) as Destination values(network) as Network values(Proxy_day) as Day values(url) as URL by "Source IP" However the problem I'm running into now is in the data produced there could be 100's of URL's / Emails / Day associated with the source IP which makes the data unactionable and actually starts to break a .csv when exported. Would anyone be able to help? Ideally I'd just like the top for example 5 results, but I've had no luck with that or a few other methods I've tried. Even SplunkGPT is failing me - is it even possible? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-21-2025 12:45 AM