Hi users, Probably a bit silly question, but because I've never seen that setup in any of Google searches, I have that simple question: I want to use a forwarder to forward logs from about 50 Windows machines. Would that single (universal forwarder) be able to receive and forward logs from all those machines? Would that be an acceptable setup? Regards ... View more

Hi all, I am filtering some logs came from Nessus in order to identify vulnerable machines based on their OS, and the issue I have is when a host's OS is not adequately identified resulting in many "os" fields. An example is the below: start_time="Mon Feb 16 03:56:07 2015" end_time="Mon Feb 16 03:57:42 2015" os="Microsoft Windows 2000" os="Microsoft Windows XP for Embedded Systems" os="Microsoft Windows XP" The query that I created for that (which only works sufficiently when 1 OS is found) is the following: sourcetype=nessus severity!=informational | rex "start_time=\"(?<start>.*)\"\send.*\s\sos=\"(?<OS>.*)\"" What I would like ideally to do, is to just find a way to filter out the " (double quote" symbol from within the extracted field. This is because apart from Windows machines, there are other printers and access points that are interpreted as many other mixed OSs. So, it should be something like this: sourcetype=nessus severity!=informational | rex "start_time=\"(?<start>.*)\"\send.*\s\sos=\"(?<OS>.*[^\"])\"" but it doesn't work. Any thoughts? Regards, Evang Update: Hi MuS, Okay, here we are. I guess I haven't stated my problem correctly. I do not want to remove the double quotes, actually, I want to only keep the first occurence of OS field in the rare cases that more than one appears! Here is what I managed to do with sed, but I am not there quite yet. sourcetype=nessus severity!=informational earliest=-5w@w1 latest=now|rex field=os mode=sed "s/.*\(os=\"[^\"]*\"\).*$/\1/g" | rex ".*os=\"(?P<OS>.*)\"\s.*\"" Any suggestions? 🙂 Regards, Evang ... View more

Hi users, I am trying to color my bar charts to help a user's eye to focus on a more meaningful way to search output. While doing some searches about that I only found that one can change the colors of a search amending js scripts which is not my speciality. Is there any other to do while extracting the fields? Here is a sample code: sourcetype=nessus severity_id!=0 earliest=-2mon@mon latest=now | timechart span=1mon dc(cve) by severity Since Nessus assigns vulnerabilities into a severity which can be "critical", "high", "medium" and "low", my chart eventually is drawn up by 4 color bars. How to color bars based on a field value? Thanks, Evang ... View more

Hi users, I automatically import some log-files to Splunk using a script. The naming convention for those files is somehow arbitrary. My aim is to produce a panel depicting the totals of the logs for each file in a stacked manner. Till here we are good. The problem is that the log-file names are pretty awkward and long given the fact that they also reveal the complete path as to where they came from. I want to present to the viewer only the most intuitive part of the log-file name. Here is what I managed to do but it doesn't work as expected. sourcetype=nessus source=*SNMP* earliest=-1mon@mon latest=now signature_id=41028| rex "source.*SNMP public community \((?<area>.*)\)" |chart count(dest_dns) by area I assume that the "source" of the file is not appeared within the log itself, maybe. And that's why I can't filter it with rex Are you aware of any other technique that might help me to display only a particular part of the source-name? Regards, Evang ... View more

Hi users, I am trying to combine the outputs of two different searches and stack them in a chart. The idea is to find the most popular IPs in my network based on vulnerability severity high OR critical, and then chart each popular IP with its respective number of vulns (high OR critical). Here is how I started dealing with this: sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now| top 5 severity,dest_ip|chart sum(count) by dest_ip,severity However, the above lists only IPs with severity==high because there are more high vulns for all of the IPs. Bearing the above in mind, and hoping that I can still list the most popular IPs (total of high + critical vulns for each IP), I thought combining searches, that is have one to find the most popular IPs (high + critical) and then somehow instruct the other search to take from the listed previously IPs and list how many critical vulns. Below is the attempt: |set union [search sourcetype=nessus severity=high OR severity=critical earliest=-30d@mon latest=now| top 5 severity,dest_ip|chart sum(count) by dest_ip,severity] [search sourcetype=nessus severity=critical OR severity=high earliest=-30d@mon latest=now| top 5 severity,dest_ip| where severity=critical| chart sum(count) by dest_ip,severity] However, the above lists again only machines with high vulns. Critical ones are missing. Could anyone help? Regards, Evang ... View more

Hi, I am challenging myself to solve a problem which came up last week. The idea is to first make a set diff between two different time frames which result to an IP table, and then take all those IPs and count how many times they appeared in a much larger time frame. I have "set diff" working for now, giving me the IP table with the uncommon IPs correctly. What I can't think of, is how/where to feed this table. | set diff [search source=*Host_Enumeration* earliest=-14d@d latest=-8d@d | stats count by dest_ip |sort dest_ip | table dest_ip ] [search source=*Host_Enumeration* earliest=-7d@d latest=now | stats count by dest_ip |sort dest_ip | table dest_ip ] | search earliest=-30d latest=now | stats count(dest_ip) by dest_ip Above query works till the end of "set diff". Where everything is screwed up is on the search. I am not sure if this is very easy or not, but if you could give me a hint or whatever, I would be grateful. Regards, Evang ... View more