Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About dharveynswccd
dharveynswccd
Path Finder
Member since:
11-15-2017
11-25-2020
Community Statistics
| Posts | 57 |
| Solutions | 1 |
| Karma Given | 4 |
| Karma Received | 7 |
| Member Since | 11-15-2017 |
Activity Feed
- Karma Re: Can I run the btool command on a universal forwarder without running shell or powershell script? for bandit. 06-05-2020 12:50 AM
- Got Karma for Re: Error in 'eval' command: The expression is malformed. An unexpected character is reached at '0)'.. 06-05-2020 12:50 AM
- Got Karma for How can I automate the data on-boarding process?. 06-05-2020 12:50 AM
- Got Karma for Requesting Assistance Writing a Search Request. 06-05-2020 12:50 AM
- Got Karma for Re: Requesting Assistance Writing a Search Request. 06-05-2020 12:50 AM
- Got Karma for Re: Requesting Assistance Writing a Search Request. 06-05-2020 12:50 AM
- Karma Re: Not receiving logs from Syslog Server for damode. 06-05-2020 12:49 AM
- Got Karma for Re: why splunk community people not voting and not accepting answer to appreciate. 06-05-2020 12:49 AM
- Got Karma for Re: why splunk community people not voting and not accepting answer to appreciate. 06-05-2020 12:49 AM
- Karma Re: Learning Splunk to perform UBA for smoir_splunk. 06-05-2020 12:48 AM
- Karma Re: Need Help Installing/Configuring Splunk for VMWare App for bbingham. 06-05-2020 12:46 AM
- Posted Re: Generate report for top 10 web category usage on Reporting. 02-18-2020 10:39 AM
- Posted Re: Generate report for top 10 web category usage on Reporting. 02-18-2020 10:09 AM
- Posted Re: Generate report for top 10 web category usage on Reporting. 02-18-2020 09:50 AM
- Posted Re: Generate report for top 10 web category usage on Reporting. 02-18-2020 07:29 AM
- Posted Re: Generate report for top 10 web category usage on Reporting. 02-18-2020 06:03 AM
- Posted Generate report for top 10 web category usage on Reporting. 02-18-2020 05:59 AM
- Tagged Generate report for top 10 web category usage on Reporting. 02-18-2020 05:59 AM
- Posted Re: How to correlate the admin user with a GPO change? on All Apps and Add-ons. 01-10-2020 06:35 AM
- Posted Re: How do I write a search to track all changes performed in a Linux system? on Deployment Architecture. 12-10-2019 08:52 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
02-18-2020
10:39 AM
Nice, thanks again!!
... View more
02-18-2020
10:09 AM
@nickhillscpl, how would I tabulate the number of hits against each category?
... View more
02-18-2020
09:50 AM
This is great @nickhillscpl. Thanks much
... View more
02-18-2020
07:29 AM
When I ran that I got no results and no errors. If I remove "transaction src" i see results but simply line-by-line per src. You asked about having every url reported. That is something that I can do without and simply do drilldowns after the report is generated, as I realize that there will be a huge number of URLs.
... View more
02-18-2020
06:03 AM
Sorry, the header should have stated "Generate report for top 10 web category usage"
... View more
02-18-2020
05:59 AM
Hey guys, I'm trying to complete a report to show the top web users in my environment that are accessing websites that fall under a certain category.
My search thus far :
index="proxi" sourcetype="prxy" src="*" |stats count by src category url
|where count > 1
|sort - count
This produces results 1 line at a time. However, what I'd like to accomplish is a cumulative number of categories for each user (src) and all the urls associated with those categories. So my table would look something like this:
src category url
XX.XXX.XX.X Advertisements https://ib.adnxs.com
Information Technology https://btlr.sharethrough.com
Web Collaboration https://portal.engilitycorp.com
XX.XXX.XX.X Search Engines and Portals https://www.gstatic.com
News and Media https://smetrics.cnn.com
Business and Economy https://ssc.33across.com
I am not totally convinced that my method is the most efficient so I'm open to suggestions
... View more
- Tags:
- splunk-enterprise
01-10-2020
06:35 AM
Hey guys, this thread is a bit old but it's the only that came close to what I was looking for.
So I ran this search with a little modification to match my domain name and basically came up with nothing. I tested it line-by-line and the only time I can get any results is when the following line is ommited:
|ldapfilter domain=MyDomainName search="(&(Objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName={}*)))" attrs="displayName"
I am trying to get in my results, the name name of GPOs being created/modified/deleted, etc and who made the changes
Please let me know if anyone has any solutions. Thanks
... View more
12-10-2019
08:52 AM
Hi richgalloway, what setting can I check to find out if I have the necessary configs in order to log Linux systems changes?
... View more
12-10-2019
08:03 AM
Lately I've been experiencing certain issues which indicates to me that changes are being made on some Linux systems. However, my Linux admin is denying making those changes and pointing the blame elsewhere. So I'd like to be able to track who is deleting/making changes to files/directories and/or the overall system itself. Thanks
... View more
12-05-2019
06:40 AM
Good 2 know
... View more
12-05-2019
06:13 AM
1 Karma
David I awarded you 2 points. Hope that's a good reward. Not sure what the norm is.
... View more
12-05-2019
06:11 AM
1 Karma
Worked! Thanks for the assists!!
... View more
12-05-2019
05:43 AM
You are indeed correct. Earlier when I was writing the search I followed the auto-complete in the search bar which led me to that. I just changed that to windows_cpu_load_percent and I am now seeing results, even writing the search 2 different ways. I still need to dumb it down a little but the 2 below seem to work:
index=oswinperf sourcetype="Perfmon:CPU"
| bucket _time span=30m
| eval Load=if(windows_cpu_load_percent>=90,"CRITICAL",if(windows_cpu_load_percent>=80,"WARNING",""))
| table Load _time host windows_cpu_load_percent
| sort - count windows_cpu_load_percent
| dedup host
| rename Load as severity
I'm still trying to determine how to convert a decimal to a whole number in the percentage column. Any thoughts on this?
... View more
12-05-2019
04:58 AM
@DavidHourani,
Thanks for the response to my question. Unfortunately I received the "no results" even after changing the Warning and Critical values to much lower numbers.
... View more
12-04-2019
12:25 PM
Edit: The second to last line here should read:
I would like to convert the results in the "Value" field to actual percentages
... View more
12-04-2019
12:23 PM
1 Karma
I am writing a search which I intend to use to create an alert from. I keep getting "No Results" from this search unless I remove the third line (where Percent.........). Something is wrong with that filter but I can't seem to figure out what it is.
Here is the search:
index=oswinperf sourcetype="Perfmon:CPU" counter="% Processor Time" OR counter="% Processor Time" OR counter="% C2 Time"
| eval level=if(PercentUsedSpace>=90,"CRITICAL",if(PercentUsedSpace>=80,"WARNING",""))
| where PercentUsedSpace >=80
| table level _time host Value
| sort - PercentUsedSpace
| dedup host
| rename level as severity
My intended result is something like this:
Severity Time Host Value
I would like to convert the results in the field to actual percentages.
Any help is appreciated. Thanks
... View more
- Tags:
- splunk-enterprise
11-21-2019
04:26 AM
So this looked great until I realized that the search did not complete. It actually crashed with the following error messages:
"DAG Execution Exception: Search has been cancelled"
"Search auto-canceled"
When the search is run using a Relative Time of "Today" or 4 hours etc, the search completes with no errors. However, if it goes beyond that then it it fails. Could this have something to do with the following lines?
| stats count values(_time) as time by src,dest,query
| convert ctime(time) as time
... View more
11-21-2019
03:11 AM
This is great. Much better results and the search ran much faster. Thanks mayurr98
... View more
11-20-2019
11:24 AM
@mayurr98, thanks for replying.
So here is a small snippet of what the report looks like:
src dest query _time count
ip address ip address 0.122.168.192.in-addr.arpa 2019-11-20T11:01:29.366-0500 1
ip address ip address 1.219.46.130.in-addr.arpa 2019-11-20T11:06:26.186-0500 1
ip address ip address 101.248.223.199.in-addr.arpa 2019-11-20T11:04:32.154-0500 1
ip address ip address 114.219.46.130.in-addr.arpa 2019-11-20T11:15:58.810-0500 1
ip address ip address 123.200.159.162.in-addr.arpa 2019-11-20T11:15:43.689-0500 1
ip address ip address 123.36.79.45.in-addr.arpa 2019-11-20T11:15:40.626-0500 1
ip address ip address 142.208.169.198.in-addr.arpa 2019-11-20T11:15:40.805-0500 1
ip address ip address 150.63.29.193.in-addr.arpa 2019-11-20T11:15:42.015-0500 1
ip address ip address 183.219.46.130.in-addr.arpa 2019-11-20T11:15:58.318-0500 1
ip address ip address 43.219.46.130.in-addr.arpa 2019-11-20T11:15:58.561-0500 1
ip address ip address 43.219.46.130.in-addr.arpa 2019-11-20T12:15:58.561-0500 1
ip address ip address 45.219.46.130.in-addr.arpa 2019-11-20T11:15:58.435-0500 1
ip address ip address 45.219.46.130.in-addr.arpa 2019-11-20T11:16:58.436-0500 1
ip address ip address 52.227.46.130.in-addr.arpa 2019-11-20T11:14:49.375-0500 1
ip address ip address 4.0.22.224.in-addr.arpa 2019-11-20T11:08:21.380-0500 2
I'm seeing multiple duplicates of the same query, but with only a few seconds, or minute difference in some cases. I am trying to prevent those duplicate query types from showing in the report and only show the total number of hits for each unique query. Hope this is clearer. Thanks
... View more
11-20-2019
10:19 AM
Hi Splunkers. I'm not very good with writing more complicated searches so I am seeking your help.
I wrote a search to build a report looking for excessive DNS queries. It looks like this:
| from datamodel:"Network_Resolution"."DNS"
| search src="IP" OR src="IP"
| stats count by src,dest,query, _time
| addcoltotals
|dedup _time
What I'd like to be able to do is total all of the results from the "query" column, related to a specific IP, in the "count" column at the end and then subsequently provide a grand total column at the end of the report. Right now I'm being presented with single lines for each hit, which is still helpful but too much for management to peer through.
Any help will be appreciated. Thanks
... View more
- Tags:
- splunk-enterprise
06-21-2019
03:10 AM
1 Karma
Funny thing happened. I decided to run it again this morning on a different SH prior to making any changes and it ran just fine. Still will not work on the first SH so that's something I gotta figure out. Much appreciate the inputs. Thanks guys
... View more
06-20-2019
10:35 AM
Hi guys, Pulled this search off gosplunk's website and tried to run it in my test environment, and received the error above. Not exactly sure what to fix in the 'eval' command. This is supposed to alert for potential Windows suspicious activity.
Can anyone lend some advice, please?
sourcetype="WinEventLog:Security" EventCode=4688 NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\\net.exe OR reg.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe)
| eval Message=split(Message, ".")
| eval Short_Message=mvindex(Message,0)
| table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
... View more
05-17-2019
05:26 AM
@khanlarloo, did you enable WinEventLog:Security input on your DC as suggested by richgalloway? I also have the Splunk App for Windows Infrastructure installed and I am getting those reports. From Active Directory drop-down, go to Users>>User Reports>>Domain Accounts: New, or Domain Accounts: Deleted. Works!
... View more
02-12-2019
03:25 AM
Done as requested!
... View more
02-11-2019
11:53 AM
@maciep, thanks. I worked with my Linux admin and he determined that there was a corrupted directory that needed fsk performed. I'm back in business now.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-25-2020
03:30 PM
|
Karma from
| User | Karma Count |
|---|---|
| 1 | |
| 1 | |
| 3 | |
| 1 | |
| 1 |
