Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Hegemon76
Hegemon76
Communicator
Member since:
03-25-2015
06-05-2020
Community Statistics
| Posts | 50 |
| Solutions | 2 |
| Karma Given | 5 |
| Karma Received | 4 |
| Member Since | 03-25-2015 |
Activity Feed
- Got Karma for Re: Field Extractor. 06-05-2020 12:50 AM
- Karma Re: Graph displays incorrectly with timechart function for niketn. 06-05-2020 12:49 AM
- Karma Re: Graph displays incorrectly with timechart function for niketn. 06-05-2020 12:49 AM
- Karma Re: Graph displays incorrectly with timechart function for niketn. 06-05-2020 12:49 AM
- Karma Re: Stats Count and/or Chart Count Graph Coloring for niketn. 06-05-2020 12:49 AM
- Karma Re: Removing ports utilizing "between" X and Y for elliotproebstel. 06-05-2020 12:49 AM
- Got Karma for Re: Stats Count and/or Chart Count Graph Coloring. 06-05-2020 12:49 AM
- Got Karma for Re: Stats Count and/or Chart Count Graph Coloring. 06-05-2020 12:49 AM
- Got Karma for Re: Removing ports utilizing "between" X and Y. 06-05-2020 12:49 AM
- Posted Re: Field Extractor on Splunk Enterprise Security. 10-24-2019 01:21 PM
- Posted Field Extractor on Splunk Enterprise Security. 10-18-2019 09:24 AM
- Tagged Field Extractor on Splunk Enterprise Security. 10-18-2019 09:24 AM
- Posted Re: Throttle not working as intended on Alerting. 08-19-2019 12:27 PM
- Posted Re: Throttle not working as intended on Alerting. 08-19-2019 12:05 PM
- Posted Throttle not working as intended on Alerting. 08-19-2019 11:37 AM
- Posted Re: Splunk Enterprise Security: Pulling data from message field on Splunk Enterprise Security. 08-09-2019 06:24 AM
- Posted Re: Splunk Enterprise Security: Pulling data from message field on Splunk Enterprise Security. 08-08-2019 09:32 AM
- Posted Re: Splunk Enterprise Security: Pulling data from message field on Splunk Enterprise Security. 08-07-2019 02:36 PM
- Posted Splunk Enterprise Security: Pulling data from message field on Splunk Enterprise Security. 08-07-2019 02:30 PM
- Tagged Splunk Enterprise Security: Pulling data from message field on Splunk Enterprise Security. 08-07-2019 02:30 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-24-2019
01:21 PM
1 Karma
Ya I realize the parsing could/should be better but unfortunately I don't have that type of administrative control.
Capping it at 20 lines makes no sense at all.
... View more
10-18-2019
09:24 AM
Hello,
The field extractor stops at line 20. If what I am looking for is on a line after that what can I do to pull that information?
I have looked for other threads to no avail. If one exists please by all means point me in that direction.
Thanks
... View more
08-19-2019
12:27 PM
It still triggered and by switching that box to once you can't throttle on specific fields.
... View more
08-19-2019
12:05 PM
I'm wondering though if I set it to once.
Lets says workstations A, B and C all get infections within 24 hours. Does it fire per station or just fire once and then stop because the condition was met?
... View more
08-19-2019
11:37 AM
Hello,
I have not utilized throttling before and wanted to try it out on an event I know is happening all the time. The purpose of doing this is I have another alert I want to make for when a host is infected 10 times within a 24 hour period of time and want to make sure I'm doing it correctly because that alert probably (hopefully) will never fire.
product=windows name"An account was successfully logged on" user=Administrator earliest=-1h | transaction Workstation_Name | search eventcount >10 | table Workstation_Name, user
I have this alert scheduled for every hour at 45 on the hour and to fire when the number of results is greater than 0 on every result. I clicked throttle and suppressed the Workstation_Name field for 2 hours but the alert fires every hour still? This seems straight forward but I'm obviously doing something wrong. Mind you this event fires around 4 thousand times an hour.
As I am writing this the only thing I foresee being an issue outside of getting the actual throttle to work is defining the time within a specific days 24 hour period of time. 00:00:00 to 23:59:59. Will I need to do that within the search itself if so how?
Thank you for the help.
... View more
08-09-2019
06:24 AM
Hey!
I reached out to a buddy of mine after attempting to utilize the regex extractor/delimitor to no avail and he came up with something very similar.
Message=(?[^:]+):\s(?[^\s]+)
I'm going to use that regex helper online and figure out regex at this point. Makes life easier obviously....
Thanks!
... View more
08-08-2019
09:32 AM
Exactly right but the message field has a bunch of unnecessary information.
I don't need to see all of this:
Message=Spyware/Grayware: HackTool.VBS.InviBat.AComputer: PATELS-E7470Domain: Adgrouping\Corp.root.ipc.com\Na\Myhnj\Workstations\WINDOWS 7\Date/Time: 8/7/2019 12:04:21Result: Further action required
I just want to see this part:
Spyware/Grayware: HackTool.VBS.InviBat.
From there I can orient the data but the parsing part is causing me the issue. I was just attempting to provide an entire picture of the end goal.
... View more
08-07-2019
02:36 PM
It did not bold for me....
This is the part in question:
Spyware/Grayware: HackTool.VBS.InviBat.
... View more
08-07-2019
02:30 PM
Hello,
I have been trying unsuccessfully parse/filter the data from the message field:
Message= Spyware/Grayware: HackTool.VBS.InviBat. AComputer: PATELS-E7470Domain: Adgrouping\Corp.root.ipc.com\Na\Myhnj\Workstations\WINDOWS 7\Date/Time: 8/7/2019 12:04:21Result: Further action required
Specifically the bolded part. Essentially what I need to do is remove the "threat event" from Trend Micro logs coming into the SIEM. I was able to do this with the following string but the requirement changes in terms of what we are trying to do with these events once they are parsed/filtered (regex or the line you will see below assuming I even did that correctly).
| eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0,2) | table Short_Message
I suspect the Spyware/Grayware may change but I would really like to get either both the segment containing Spyware/Grayware: "threat name" or just the "threat name" somehow. Once that is accomplished I want to create an alert for ten threat events with the same name within 24 hours and another alert when the same machine gets 10 events within 24 hours.
I know I can do this with something like:
|where match(message,"Spyware") |transaction | search eventcount>=20
Keep in mind...I was trying this on the line above and apparently, you cannot use transaction command with eval commands?
Any help would be appreciated!
... View more
06-07-2019
08:44 AM
The only person who responded to this was me.....
... View more
06-03-2019
09:44 AM
No one has seen this issue before? Geez
... View more
05-31-2019
08:09 AM
Correction
The original query looks like this
product=Windows status=failure Failure_Reason="*" | stats count by Failure_Reason, Status, Workstation_Name | sort - count |
I add in "Account_Name=$Account_Name_token$" once the dashboard has been made.
... View more
05-31-2019
08:08 AM
Hello
I am wondering why when I search with the original query it pulls all of the data I want and displays it the way I want.
product=Windows status=failure Failure_Reason="*" Account_Name=$Account_Name_token$ | stats count by Failure_Reason, Status, Workstation_Name | sort - count |
However, when I input the token portion of the query and adjust the source code within the dashboard it does not display the same data?
"Account_Name=$Account_Name_token$" should not remove data right? This makes no sense to me
Attached is a picture of what the dashboard source code looks like.
I have reviewed the documentation.
I can tell you that the Splunk instance is on 6.6.2 and not 7.1 (client has been informed of this) and if that is the overriding issue obviously they need to upgrade.
I appreciate Any help or insight.
Thank you.
... View more
04-13-2018
07:40 AM
1 Karma
It works thanks!
... View more
04-12-2018
01:34 PM
Very odd that the colors don't work. Everything works not but for instance Very Low which should be blue is Orange.
Makes no sense at all.
... View more
04-12-2018
12:07 PM
1 Karma
Interesting.....so close but so far! Appreciate the assistance!
Sorting was another question so that is an added bonus. Awesome
... View more
04-12-2018
09:46 AM
Here is the full XML code and the picture of my dashboard. As you can see the results did not come out as planned.
<label>test color panel 3</label>
<row>
<panel>
<chart>
<search>
<query>product=Windows EventCode=676 OR EventCode=4771 OR EventCode=6279 | chart count by "user" | rename user as "User", count as "Count" | sort - Count | head 15 | eval Highest=if(count>100,count, 0) | eval Very_High=if(count<=100 AND count>80,count, 0) | eval High=if(count<=80 AND count>60,count, 0) | eval Moderate=if(count<=60 AND count>40,count,0) | eval Low=if(count<=40 AND count>20,count, 0) | eval Very_Low=if(count<=20, count, 0)</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.fieldColors">{"Highest":0xbf00ff,"Very High":0xFF0000,"High":0xff8000,"Moderate":0xFFFF00,"Low":0x00FF00,"Very Low":0x0000ff}</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
</dashboard>
... View more
04-12-2018
09:44 AM
Just tried to post the XML (yes I see the literal button....coffee was needed for days). I setup a dropbox account for the picture. Naturally I go to post both and now they don't appear. Sigh
... View more
04-12-2018
09:37 AM
<dashboard>
<label>test color panel 3</label>
<row>
<panel>
<chart>
<search>
<query>product=Windows EventCode=676 OR EventCode=4771 OR EventCode=6279 | chart count by "user" | rename user as "User", count as "Count" | sort - Count | head 15 | eval Highest=if(count>100,count, 0) | eval Very_High=if(count<=100 AND count>80,count, 0) | eval High=if(count<=80 AND count>60,count, 0) | eval Moderate=if(count<=60 AND count>40,count,0) | eval Low=if(count<=40 AND count>20,count, 0) | eval Very_Low=if(count<=20, count, 0)</query>
<earliest>-30d@d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.fieldColors">{"Highest":0xbf00ff,"Very High":0xFF0000,"High":0xff8000,"Moderate":0xFFFF00,"Low":0x00FF00,"Very Low":0x0000ff}</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
</dashboard>
... View more
04-11-2018
04:11 PM
I asked a similar question regarding timechart. It seems like stats and chart are different.
I'm not getting any color what so ever. Very frustrating
Below is my XML:
query>product=Windows EventCode=676 OR EventCode=4771 OR EventCode=6279 | chart count by "user" | rename user as "User", count as "Count" | sort - Count | head 15 | eval Highest=if(count>100,count, 0) | eval Very_High=if(count<=100 AND count>80,count, 0) | eval High=if(count<=80 AND count>60,count, 0) | eval Moderate=if(count<=60 AND count>40,count,0) | eval Low=if(count<=40 AND count>20,count, 0) | eval Very_Low=if(count<=20, count, 0){"Highest":0xbf00ff,"Very High":0xFF0000,"High":0xff8000,"Moderate":0xFFFF00,"Low":0x00FF00,"Very Low":0x0000ff}
... View more
04-11-2018
02:27 PM
I probably need to open a new question but that doesn't work for stats count or chart count.
... View more
04-11-2018
10:22 AM
Thanks for your help!
... View more
04-11-2018
10:06 AM
Ya I tried that and it just says I don't have enough karma.
Simple fix made the chart work. This is great thanks! I'm curious what removed the "count" part though?
Was is the "|fillnull value=0" or the entirety of what you did. That was driving me nuts for around 2 days trying to figure this out.
... View more
04-11-2018
09:57 AM
So it works! This is great! Thanks niketnilay
However.....
How can I increase the size of the horizontal bar chart lines (or vertical the type of chart doesn't matter) ? Keep in mind I changed your script to this:
product=Windows EventCode=645 OR EventCode=4741
| bin _time span=1w
| stats count by _time
| eval Status=case(count>25,"Severe",
count<=25 AND count>20,"High",
count<=20 AND count>15,"Moderate",
count<=15 AND count>7,"Low",
count<=7 AND count>0,"Very Low",
true(), 0)
| timechart span="1h" sum(count) as Count by Status
| eval _time=strptime(strftime(_time,"%Y/%m/%d"),"%Y/%m/%d")
| fillnull value=0
The lines are incredibly small now (graphically) and clicking "format virtualization" to stacked or non stack doesn't do anything anymore. One issue begets another is seems.
... View more
04-11-2018
09:43 AM
I believe I have accepted!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
