Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rookie507SL
rookie507SL
New Member
Member since:
07-21-2017
06-05-2020
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 07-21-2017 |
Activity Feed
- Posted Re: When I search for top public IP addresses results include my LAN subnet on Splunk Search. 11-08-2017 08:59 AM
- Posted Re: When I search for top public IP addresses results include my LAN subnet on Splunk Search. 11-08-2017 08:44 AM
- Posted When I search for top public IP addresses results include my LAN subnet on Splunk Search. 11-07-2017 02:10 PM
- Tagged When I search for top public IP addresses results include my LAN subnet on Splunk Search. 11-07-2017 02:10 PM
- Tagged When I search for top public IP addresses results include my LAN subnet on Splunk Search. 11-07-2017 02:10 PM
- Tagged When I search for top public IP addresses results include my LAN subnet on Splunk Search. 11-07-2017 02:10 PM
- Posted Re: Compare two fields (IP addresss) from 2 different vendor firewalls on Splunk Search. 10-27-2017 09:26 AM
- Posted Re: Compare two fields (IP addresss) from 2 different vendor firewalls on Splunk Search. 10-27-2017 09:11 AM
- Posted Compare two fields (IP addresss) from 2 different vendor firewalls on Splunk Search. 10-26-2017 05:02 PM
- Tagged Compare two fields (IP addresss) from 2 different vendor firewalls on Splunk Search. 10-26-2017 05:02 PM
- Tagged Compare two fields (IP addresss) from 2 different vendor firewalls on Splunk Search. 10-26-2017 05:02 PM
- Tagged Compare two fields (IP addresss) from 2 different vendor firewalls on Splunk Search. 10-26-2017 05:02 PM
- Tagged Compare two fields (IP addresss) from 2 different vendor firewalls on Splunk Search. 10-26-2017 05:02 PM
- Tagged Compare two fields (IP addresss) from 2 different vendor firewalls on Splunk Search. 10-26-2017 05:02 PM
- Posted Re: Average of web requests blocked - span of 10 minutes on Splunk Search. 09-13-2017 06:52 AM
- Posted Average of web requests blocked - span of 10 minutes on Splunk Search. 09-06-2017 04:32 PM
- Tagged Average of web requests blocked - span of 10 minutes on Splunk Search. 09-06-2017 04:32 PM
- Tagged Average of web requests blocked - span of 10 minutes on Splunk Search. 09-06-2017 04:32 PM
- Tagged Average of web requests blocked - span of 10 minutes on Splunk Search. 09-06-2017 04:32 PM
- Posted Re: How to should I perform a lookup between a url field and a url column inside a kv store file? on Splunk Search. 07-24-2017 09:16 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-08-2017
08:59 AM
Sorry, I have to re-state my first query.
The action is not "allowed", it is "blocked".
In this scenario, for some reason if I state src_interface as WAN, the results show src=172.20.X.X IP addresses.
... View more
11-08-2017
08:44 AM
Hi DalJeanis,
Thanks for your reply.
Actually, your query prints the results I was expecting. I can see that column "SRC" brings me Private and Public IP addresses, and each of these match the interface column "src_interface".
So, for example, results with "src_interface" as "WAN", all IPs in column "src" are Public IP. On the other hand, results with "src_interface" as "LAN", all IPs in column "src" are Private IP (subnet 172.20.X.X).
But, it is not clear for me yet, why the first query I tried, did not work if I stated src_interface=WAN. I would understand that results or events should include only Public IP addresses.
... View more
11-07-2017
02:10 PM
Hi mates,
I'm figuring out the reason, why I'm looking LAN addresses as source IP if my search is clearly filtering inbound traffic, coming from Internet.
Is it possible that could be related to something wrong in the firewall ?
For example, if I perform this search
index=index-example sourcetype=firewall src_interface=WAN action=allowed | stats count by src dest service | sort 10 - count
For the query above, I expected to received at the top, public IP addresses. Instead I received subnet IPs 172.20.X.X/24 which is my LAN subnet.
... View more
10-27-2017
09:26 AM
Hi kamlesh_vaghela,
Thanks for your reply, I really appreciate.
I'm able to get a table in the statistics tab with the 2 fields, srcfw1 and DiffIP but, IP addresses do not match. Actually, when I look for the Events tab, I only see 1 sourcetype.
If I do both searches independently, I can see that results march some IP addresses in both searches.
... View more
10-27-2017
09:11 AM
Hi HiroshiSatoh,
Yes, thanks for your reply.
When I do the "set diff", I actually get some IP addresses for the DiffIP table in the statistics tab, but cannot confirm if this data comes from the 2 firewalls (2 sourcetypes) since I cannot see logs in the Event tab.
... View more
10-26-2017
05:02 PM
Hi mates,
I'm figuring out how I can show a table with matching IP addresses from 2 different vendor firewalls.
So far I've tried with the "join" statement in order to do a 2nd search and then, an if statement in order to compare. Here is my search:
index=index-company sourcetype=firewall1 NOT srcIP=172.20.* | stats count by srcIP | sort 10 -count | rename srcIP as "srcfw1" | join [search index=index-company sourcetype=firewall2 NOT srcIP2=172.20.* | stats count by srcIP2 | sort 10 -count ] | eval DiffIP=if(srcfw1==srcIP2, srcIP2 ,srcfw1) | table srcfw1 DiffIP
Unfortunately, I do not get results 😞
Any help would be appreciated.
... View more
09-13-2017
06:52 AM
Sorry for the late response.
Really thank you for your reply, it worked.
... View more
09-06-2017
04:32 PM
Hi mates,
I'm trying to get the most 10 IP addresses with blocked web requests during a month, but the threshold should be using the count of requests during a 10 minutes window.
This is my query so far
index=index-example dest_interface=wan_if sourcetype=source_example action=blocked subtype=webfilter | bucket _time span=10m
| stats count by source_ip URL
| where count > 50
If I use the query above, I will get the IP addresses and URL visited. But, if I search for a month using this query, I will get a sum of the "count" value, getting results of 7,000 for example.
I would like to get an average of the count value, and this way I can see which IP addresses are involved in this type of traffic.
I read about using avg(field), but I cannot decide where to use it. I thought about including "stats avg(count)" but I cannot get results.
Please, any idea would be appreciated.
Thanks !
... View more
07-24-2017
09:16 AM
thanks for your comment my friend.
I'm just a little confused about the last "rename" statement, which field should I rename ? url ?
I really sorry since I'm new using splunk and I've just started to understand the logic of the application.
... View more
07-24-2017
09:04 AM
Hi my friend, thanks again for your help.
I tried your suggestion, but back slashes appears as new url value if I print the results, something like this "https:\example[.]com".
In order to be sure that there is a match between both url values (event url and url in lookup db) I performed and eval
my search | eval url=case(service=="HTTP","http:\/\/".url,service=="HTTPS","https:\/\/".url)
| eval url=replace(url,"/","") | lookup threat_source url_threat as url | eval url_state = if(url_threat==url,"MATCH","NO MATCH") | table _time,src,dest,url,url_state
Unfortunately, I get "no match" for the final table.
... View more
07-21-2017
01:41 PM
Sorry to bother again, but I think I have to restate my first post....
Original url field coming from events will use this format
url=graph.facebook.com/ (here, the last character for all url fields finish with "/")
The lookup table shows this
url=http://graph.facebook.com
I tried this search
mysearch | eval url=case(service_field==HTTP,"http://".url,service_field==HTTPS,"https://".url) | eval url=replace(url,"/"," ") | lookup threat_source url_threat as url | table url
Since my original log brings http and https services, I was thinking about adding the "http(s)://" and deleting the "/", but I do not get results neither.
... View more
07-21-2017
12:43 PM
Thanks for your response, I will try the replace
... View more
07-21-2017
10:54 AM
Hi guys,
I'm figuring out which steps should I follow in order to perform a lookup between a url field and a url column inside a kv store file.
For example, my events bring this url field like this
url=graph.facebook.com/ (here, the last character for all url fields finish with "/")
But, let's say that my lookup table will have URL like this
url=graph.facebook.com
For some reason, if I perform the search "| lookup threat_source field_threat as url" , I cannot get any results because of the last "/" character in the original even, which is not included in my lookup file.
We were thinking about performing a wildcard in order to search for any string.
Please any help would be appreciated.
Regards,
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
