Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jcorkey
jcorkey
Explorer
Member since:
07-14-2017
06-05-2020
Community Statistics
| Posts | 41 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 07-14-2017 |
Activity Feed
- Got Karma for How do I get data into the splunk's security essentials app?. 06-05-2020 12:48 AM
- Posted Need help forming search string to show when users create new users on Splunk Search. 09-05-2017 11:51 AM
- Tagged Need help forming search string to show when users create new users on Splunk Search. 09-05-2017 11:51 AM
- Posted Why is my Linux Auditd app confusing the UID's with POSIX users? on All Apps and Add-ons. 09-01-2017 12:53 PM
- Posted Why can't I use my lookup command after stats command in my search string on Splunk Search. 08-31-2017 11:41 AM
- Tagged Why can't I use my lookup command after stats command in my search string on Splunk Search. 08-31-2017 11:41 AM
- Tagged Why can't I use my lookup command after stats command in my search string on Splunk Search. 08-31-2017 11:41 AM
- Posted Re: Help finding all users on my system on Deployment Architecture. 08-28-2017 06:58 AM
- Posted Re: Help finding all users on my system on Deployment Architecture. 08-28-2017 06:56 AM
- Posted Help finding all users on my system on Deployment Architecture. 08-28-2017 05:32 AM
- Tagged Help finding all users on my system on Deployment Architecture. 08-28-2017 05:32 AM
- Posted Re: Need help creating search to list all existing users on server. on Splunk Search. 08-25-2017 11:33 AM
- Posted Re: Need help creating search to list all existing users on server. on Splunk Search. 08-25-2017 11:15 AM
- Posted Need help creating search to list all existing users on server. on Splunk Search. 08-25-2017 11:01 AM
- Tagged Need help creating search to list all existing users on server. on Splunk Search. 08-25-2017 11:01 AM
- Posted Re: How can I retrieve a list of LDAP users in my Splunk search? on Splunk Search. 08-24-2017 06:16 AM
- Posted Re: How can I retrieve a list of LDAP users in my Splunk search? on Splunk Search. 08-24-2017 06:14 AM
- Posted Re: How can I retrieve a list of LDAP users in my Splunk search? on Splunk Search. 08-24-2017 06:13 AM
- Posted Re: How can I retrieve a list of LDAP users in my Splunk search? on Splunk Search. 08-23-2017 05:59 AM
- Posted Re: How can I retrieve a list of LDAP users in my Splunk search? on Splunk Search. 08-22-2017 10:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-05-2017
11:51 AM
I have a linux box with a universal forwarder sending linux data to my Splunk enterprise. I am trying to detect when a user creates another user by running useradd User2
Below is my search string:
index=main host=myhost useradd
This gives me the logs I want but how do I know the username of the user that created the new user?
For example. User1 creates User2....The logs show that User2 was created but it only shows the uid of User1 who did the creating and it does not tell me the actual username which should be User1.
How do I get the username of the user who creates new users??
... View more
09-01-2017
12:53 PM
I have the latest version of Linux Auditd, version 2.0.5. I go to the configuration tab in the linux auditd app and click submit to run the dashboard searches so it will learn all the posix users. I have recently deleted some users and now the uids of existing users are matched with deleted users. For example, my current existing user is tuser and its uid is 1007 but now when I search index=* host=MY_HOST auid=1007 the field user in the "Interesting Fields section" on the Splunk web says jonny NOT tuser and that is because I recently deleted a user named jonny and create tuser and then refreshed the linux auditd dashboard to learn to posix users and now its confused.
I have seen others talking about this problem and people have said this issue was fixed in the latest version but I am having problems with it WITH the latest version of linux auditd. Its really messing up my searches that are relying on the user field.
Who can help me??
... View more
08-31-2017
11:41 AM
I am trying to use stats command to display data organized by My_Field where My_Field is populated by running lookup my_lookup_script username AS user
Here's the example of the search string:
| stats STUFF by My_Field | lookup my_lookup_script username AS user
My problem is that My_Field is not populated for the stats command to use because the lookup command happens after the stats command. I tried simply running the lookup BEFORE the stats command but the lookup needs to run at the end of the search because if it does not then the lookup does not work properly. If the lookup runs before the stats command It gets inconsistent values for user . Seems like the lookup has to be at the end so the whole search can finish running and have the correct data in user for the script to use.
How can I have the lookup run after that stats command to where the stats command can use the My_Field
... View more
08-28-2017
06:58 AM
linux users NOT splunk users...I edited my questions above. And thanks I'll look into your suggestion.
... View more
08-28-2017
05:32 AM
I have splunk enterprise running on a linux box and I also have splunk universal forwarder running on a second linux box. How can I write a search that will display all currently existing users on my universal forwarder? I'm not talking about showing logs that are associated with all users...I simply want a list of all users on my forwarder that exist at the time the search was ran.
EDITED:
For example....If I login to my linux box that has the universal forwarder on it and run adduser user1, adduser user2, adduser user3,
THEN on my Splunk enterprise I could run my search string and it would list user1, user2, user3 (given that those were the only three users that exist on my linux universal forwarder).
How can I accomplish this? What data do I need to get from my forwarder?
... View more
08-25-2017
11:33 AM
I see. So the users that get listed from index = _audit user=* are users on the splunk web(Splunk enterprise) and then users that are listed from index=* user=* | stats count by user are users on the forwarders that are sending data to the splunk data indexes?
I need the search to list all users on my forwarder. I can use index=* user=* | stats count by user which shows the count of logs organized by all users but I if I were to delete one of the users it would still show that deleted user because its looking at the all logs. I need my search to be able to list users that current exist on the forwarder. Is it possible to search some kind of data on my forwarder that shows all current existing users?
... View more
08-25-2017
11:15 AM
oh ok. I think I am wondering what is the difference between the data indexes vs splunk internal indexes?
... View more
08-25-2017
11:01 AM
I am confused about something. I have seen people using this to get a list of users on a system:
rest /services/authentication/users splunk_server=local
But If i do a search like this:
index=* user=* | stats count by user
I also see users listed in the "user" field under "interesting fields"
The user names in the results of both of these searches are different. So my question is, what is the difference between the results of these searches which both seems to give a some list of users on the system.?
... View more
08-24-2017
06:16 AM
other Rhel systems at large. We are using openLdap and have different Ldap clients which use the Ldap server for authentication.
... View more
08-24-2017
06:14 AM
Im using openldap and SA-LDAPSearch is for active directory
... View more
08-24-2017
06:13 AM
I would use this but I am using Rhel machines not windows
... View more
08-23-2017
05:59 AM
Yea I have permissions. But this doesn't sound like what I need or maybe I just don't fully understand what this is doing. I need to be able to actually connect to my LDAP server and get a list of privileged group members from the LDAP.
... View more
08-22-2017
10:55 AM
Will this work on a linux box??
... View more
08-22-2017
09:09 AM
I need to create a search that can retrieve a list of privileged group members from my LDAP server so I can then use that list in my search string.
For example, if I wanted to list all users who are or are not privileged group members I could say something like:
index=* user=* | stats count by user (EXCLUDING ALL OTHER USERS IN THE LIST OF LDAP PRIVILEGED GROUP MEMBERS I RETRIEVED)
I have looked into trying to use a external scripted lookup that will connect to my LDAP and do a query but no luck yet.
I am also seeing some answers that say to use something like this:
| rest /services/authentication/users splunk_server=local | table realname
no idea what exactly that does or what/where /services/authentication/users is.
How can I accomplish this?
... View more
08-10-2017
10:49 AM
Is there a way to have the script run whenever the search is ran which will then populate the CSV and then use the CSV in the search rather than have it scheduled periodically?
... View more
08-10-2017
09:27 AM
I know that using inputlookup will use a CSV file but is it possible to have a script create the CSV file that inputlookup will use?
I know I can use a scripted lookup but this requires arguments to be passed into the script when all I want is a script to create a CSV for me that inputlookup will then use
For example, a stanza in the transforms.conf for a CSV lookup might be as follows:
[listofspecialusers]
filename = specialusers.csv
instead of that could I do something like this below:
[listofspecialusers]
filename = scriptToCreateSpecialUsersCSV.py
So then that python script will create my CSV instead of already having a CSV file created to list in the stanza.
how can I accomplish this??
... View more
08-07-2017
11:44 AM
I am confused about how to use what you wrote. Can you show an example?
... View more
08-07-2017
11:20 AM
I am trying to set a token to have the following regex value rex "by (?<SU>[^(]+)" . This regex is part of a larger search string.
This line of code <set token="searchstring">| rex "by (?<SU>[^(]+)"</set> almost works but it is having problems with the < > signs surrounding the SU in the regex. Because of the <SU> it gets an "unexpected close tag" error.
How can I escape the < > signs so that the token will properly hold my regex with these symbols?
... View more
08-04-2017
10:13 AM
Below is my drilldown code:
<drilldown>
<condition field="Switched to different user account">
<set token="user">$click.value$</set>
<link target="_blank">search?q=index="*" host="*" sourcetype="*" "su:" "session opened for user" | rex "by (%3F<SU>[^(]%2b)" | search SU="$user$" | table _time, SU, user | rename SU as "User", user as "Switched to user"&earliest=-168h@h&latest=now</link>
</condition>
<condition field="Added new user to group">
<set token="user">$click.value$</set>
<link target="_blank">search?q=index="*" host="*" sourcetype="*" user=$user$ "usermod" OR "visudo" AND "type=USER_MGMT" add-user-to-shadow-group | table _time, user, acct, grp | rename acct as "Added to group", grp as "group"&earliest=-168h@h&latest=now</link>
</condition>
<condition field="Created new user">
<set token="user">$click.value$</set>
<link target="_blank">search?q=index="*" host="*" sourcetype="*" user=$user$ useradd "type=ADD_GROUP" | table _time, user, acct | rename acct as "Created user"&earliest=-168h@h&latest=now</link>
</condition>
<condition field="Executed sudo command">
<set token="user">$click.value$</set>
<link target="_blank">search?q=index=* sourcetype=* type="USER_CMD" host=* user=$user$ (action=success OR action=failure OR action=unknown) * | table _time host user cwd command action&earliest=-168h@h&latest=now</link>
</condition>
<condition>
<!-- Optional No Drilldown from other columns-->
</condition>
</drilldown>
Right now you can see that the time range on this code it &earliest=-168h@h&latest=now AKA the last 7 days.
But how do I make this time range based on whatever the time range is set to on the visualization chart before an item is click and this drilldown code is executed? I don't want a set time range hard coded into the drilldown code like it is here, I want it to be whatever it is set to on the panel where my visualization chart is.
How do I accomplish this?
... View more
08-04-2017
08:40 AM
Below is my search string:
| multisearch [search index="*" host="*" sourcetype="*" user="*" useradd "type=ADD_GROUP" | eval rectype1="Created new user"] [search index=* host=* sourcetype="*" "usermod" AND "type=USER_MGMT" | eval rectype2="Added new user to group"] [search host="*" index="*" sourcetype="*" "su:" "session opened for user" | eval Date=strftime(_time, "%Y/%m/%d") | rex "by (?[^(]+)" | rex "^[^\)\n]*\):\s+\w+\s+\w+\s+\w+\s+\w+\s+(?P\w+)" | eval rectype3= "Switched to different user account"] [search index=* host=* sourcetype="*" user="*" "type=USER_CMD"(action=success OR action=failure OR action=unknown) | eval rectype4="Executed sudo command"] | stats dc(rectype4) as "Executed sudo command", dc(rectype3) as "Switched to different user account" , dc(rectype2) as "Added new user to group", dc(rectype1) as "Created new user" by user
Below is my image of the results:
You can see that these users have committed these actions listed on the right side of the chart such as, executing sudo commands, creating new users etc etc and that why they are listed on the chart, however, each bar for each user is the same height as the others. I want the bars to be measured buy the count of how many times a user has commit these actions. For example, if user hacker switches to a different user account 5 different times, that yellow block will be at a height of 5 according to a numbered range on the left side of the chart. Right now the numbered range on the left side is 0.5 to 1.5 and I don't understand why that is.
how can I accomplish this?
... View more
08-03-2017
08:50 AM
I have found the answer...Just had to use click.value instead of click.value2
... View more
08-03-2017
08:38 AM
Below is my search on my dashboard:
| multisearch [search index=* host=* sourcetype="*" user="*" "type=ADD_USER" | eval rectype1="Created new user"] [search index=* host=* sourcetype="*" "usermod" AND "type=USER_MGMT" | eval rectype2="Added new user to group"] [search host="*" index="secure_logs" sourcetype=linux_secure "su:" "session opened for user" | eval Date=strftime(_time, "%Y/%m/%d") | rex "by (?<user>[^(]+)" | rex "^[^\)\n]*\):\s+\w+\s+\w+\s+\w+\s+\w+\s+(?P<userOfInterest>\w+)" | eval rectype3= "Switched to different user account"] | stats dc(rectype3) as "Switched to different user account" , dc(rectype2) as "Added new user to group", dc(rectype1) as "Created new user" by user
Below is my drilldown:
<drilldown>
<condition field="Switched to different user account">
<set token="user">$click.value2$</set>
<link target="_blank">search?q=host="*" index="*" user=$user$ sourcetype=linux_secure "su:" "session opened for user" | rex "by (%3F<user>[^(]%2b)" | rex "^[^\)\n]*\):\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b(%3FP<userOfInterest>\w%2b)" | table _time, userOfInterest, user | rename userOfInterest as "User", user as "Switched to user"&earliest=-4h@h&latest=now</link>
</condition>
<condition field="Added new user to group">
<set token="user">$click.value2$</set>
<link target="_blank">search?q=index=* host=* sourcetype="*" user=$user$ "usermod" OR "visudo" AND "type=USER_MGMT" add-user-to-shadow-group | table _time, user, acct, grp | rename acct as "Newly created user", grp as "Added to group"&earliest=-4h@h&latest=now</link>
</condition>
<condition field="Created new user">
<set token="user">$click.value2$</set>
<link target="_blank">search?q=index=* host=* sourcetype="*" user=$user$ useradd "type=ADD_USER" | rex "^[^=\n]*=(%3FP<userOfInterest>\w )" | table user, id | rename id as "Added user's id"&earliest=-4h@h&latest=now</link>
</condition>
<condition>
<!-- Optional No Drilldown from other columns-->
</condition>
</drilldown>
Right now the <set token="user">$click.value2$</set> in my drilldown grabs the values of the rectype in my search on click. I really need it to grab the value of the user which is how the stats chart is been listed "by user" at the end of my search string. I want to have the value instead of the rectype values that is gets when I click.
How can I accomplish this?
... View more
08-03-2017
06:51 AM
I have dashboard with a search showing a list of users who have done a few specific things. If those users have done those things within the specified time range, they are displayed in the visualization chart. I have my own custom drill downs working right now.
Here is my drill down:
<drilldown>
<condition field="Switched to different user account">
<link target="_blank">search?q=host="*" index="*" user="*" sourcetype=linux_secure "su:" "session opened for user" | rex "by (%3F<user>[^(]%2b)" | rex "^[^\)\n]*\):\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b\w%2b\s%2b(%3FP<userOfInterest>\w%2b)" | table _time, user, userOfInterest | rename userOfInterest as "Switched to user"&earliest=-4h@h&latest=now</link>
</condition>
<condition field="Added new user to group">
<link target="_blank">search?q=index=* host=* sourcetype="*" user="*" "usermod" OR "visudo" AND "type=USER_MGMT" add-user-to-shadow-group | table _time, user, acct, grp | rename acct as "Newly created user", grp as "Added to group"&earliest=-4h@h&latest=now</link>
</condition>
<condition field="Created new user">
<link target="_blank">search?q=index=* host=* sourcetype="*" user="*" useradd "type=ADD_USER" | rex "^[^=\n]*=(%3FP<userOfInterest>\w )" | table user, id | rename id as "Added user's id"&earliest=-4h@h&latest=now</link>
</condition>
<condition>
<!-- Optional No Drilldown from other columns-->
</condition>
</drilldown>
Notice how in each search string under each condition there is a user=""? Well, right now each drilldown search grabs all users because of this BUT how can I have it to where the user field in the drilldown search string will equal whichever user is clicked from the visualization chart? For example, if I click the user "bob" that is list in my visualization chart, I want the user field in my drill down search string to then be user="bob", not user="" like it is right now.
How can I accomplish this?
... View more
08-03-2017
05:59 AM
Thanks. I am just trying to figure out how to execute any search string when one of those three items are clicked from the visualization table. I want to use a regex so I can easily use this search on different Splunk enterprises without having to configure the extraction on each Splunk instance for right now.
... View more
