Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About LoganRhamy
LoganRhamy
New Member
Member since:
01-05-2018
06-05-2020
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 01-05-2018 |
Activity Feed
- Posted Re: two indexes on Splunk Search. 03-29-2018 07:43 AM
- Posted Re: two indexes on Splunk Search. 03-29-2018 07:36 AM
- Posted two indexes on Splunk Search. 03-29-2018 07:23 AM
- Tagged two indexes on Splunk Search. 03-29-2018 07:23 AM
- Tagged two indexes on Splunk Search. 03-29-2018 07:23 AM
- Posted Re: Random line breaks everything on Splunk Search. 02-14-2018 01:15 PM
- Posted Re: Random line breaks everything on Splunk Search. 02-14-2018 08:07 AM
- Posted Re: Random line breaks everything on Splunk Search. 02-14-2018 06:31 AM
- Posted Re: Random line breaks everything on Splunk Search. 02-14-2018 06:30 AM
- Posted Random line breaks everything on Splunk Search. 02-13-2018 02:36 PM
- Tagged Random line breaks everything on Splunk Search. 02-13-2018 02:36 PM
- Posted Re: How do I sort vulnerabilities by reltime? on Splunk Search. 02-13-2018 11:35 AM
- Posted How do I sort vulnerabilities by reltime? on Splunk Search. 02-13-2018 10:58 AM
- Tagged How do I sort vulnerabilities by reltime? on Splunk Search. 02-13-2018 10:58 AM
- Tagged How do I sort vulnerabilities by reltime? on Splunk Search. 02-13-2018 10:58 AM
- Posted Re: Eval and stats not bring friendly on Splunk Search. 01-05-2018 12:47 PM
- Posted Re: Eval and stats not bring friendly on Splunk Search. 01-05-2018 11:55 AM
- Posted Eval and stats not bring friendly on Splunk Search. 01-05-2018 11:40 AM
- Tagged Eval and stats not bring friendly on Splunk Search. 01-05-2018 11:40 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-29-2018
07:43 AM
Yes it is a dashboard search that is just opened in search so we are 100% sure of the match query and time frame.
No errors occur besides the lack of results from one of the indexes
... View more
03-29-2018
07:36 AM
Thank you for the quick answer. When Power user searches bar alone he gets results. I assume that would mean he has access to search that index. Let me know if I am mistaken.
... View more
03-29-2018
07:23 AM
A power user cannot get results from index=* or index=foo OR index=bar when an admin can
Below is the authorize.conf changes
[role_user]
srchMaxTime = 8640000
srchDiskQuota = 250
[role_admin]
srchIndexesDefault = main
srchMaxTime = 8640000
[role_power]
cumulativeRTSrchJobsQuota = 400
cumulativeSrchJobsQuota = 200
srchFilter = *
srchMaxTime = 8640000
When the power user runs the query they are getting results from foo index but nothing from bar index. When the Power user run index=foo he gets results and when he runs index=bar he gets results.
When the admin user run the query they are getting results from both foo and bar indexes.
Let me know what I might be missing to get the fixed for our power users.
Best regards,
Logan Rhamy
... View more
02-14-2018
01:15 PM
I understand now, So changing the join type to left, outer, or inner did not make any improvements. I have also confirmed the signature_id match by copying one from the csv and adding it directly to the query.
Let me explain what I am trying to do because I am also open to other ways to get it done.
I need to produce a dashboard that will show a signature, who it is assigned too, any notes on the event, and when it was first seen. I also need a count of how many Hosts in our current environment have it.
Lines 1,2,3 7-10 complete the first task without a problem. It is when I introduce the subsearch that is supposed to tell me how many hosts currently have the issue is where we run into problems. I run the primary search for 100 days because I need to know if it is older than 90 days since the first time that signature was seen. I run the sub search at 4 days because that will capture what is required to see what hosts are currently affected.
... View more
02-14-2018
08:07 AM
So the join type is something I have never worked with before. When I started building my query it didn't work with the default and did work with the outer. That being said there has been a lot of changes since then so I am not 100% sure if it is still required.
So I think we are focusing in on the wrong problem. I am getting results from the query without a problem. I am not getting the results from the sub search. If I remove the line | search assigned_person="Ryan*" then I will get results from the sub search but the results will not be filtered to only include Ryan's only.
I did get results from both of your above queries as expected.
... View more
02-14-2018
06:31 AM
There is -
The referenced field in the lookup csv is populated by only Ryan (last name) or Drew (last name)
... View more
02-14-2018
06:30 AM
My apologizes for not being more thorough. No value populates during the run or once the job has been completed.
The field in the lookup is populated by only Ryan (last name) or Drew (last name)
... View more
02-13-2018
02:36 PM
earliest=-30d index=nessus OR index=nessus_workstation severity_id!=0 severity_id!=1
| lookup nessusLookup.csv signature_id OUTPUT assigned_person status notes
| reltime
| join type=outer signature_id
[ search earliest=-4d index=nessus OR index=nessus_workstation severity_id!=0 severity_id!=1
| stats count(dest_mac) as TotalHosts by signature_id ]
| search assigned_person="Ryan*"
| sort -severity_id -_time -TotalHosts
| table signature signature_id severity_id assigned_person status notes reltime TotalHosts
| rename signature as Signature signature_id as ID severity_id as Severity assigned_person as Owner status as Status notes as Notes reltime as "First Seen" TotalHosts as "Total Hosts"
When I run this query the Total Hosts column does not populate.
When I take out | search assigned_person="Ryan*" it runs fine
I have no earthly idea why this is breaking in that way. Any thoughts internet?
... View more
- Tags:
- search
02-13-2018
11:35 AM
switched the lookup to lookup nessusLookup.csv signature_id OUTPUT signature_id assigned_person status notes
works like a charm. I knew I was missing the forest from the trees, thank you
... View more
02-13-2018
10:58 AM
earliest=-100d index=nessus OR index=nessus_workstation severity_id!=0 severity_id!=1
| dedup signature_id sortby _time
| join signature_id
[ inputlookup nessusLookup.csv
| fields signature_id assigned_person status notes]
| search assigned_person="ryan*"
| reltime
| join type=outer signature_id
[ search earliest=-4d index=nessus OR index=nessus_workstation severity_id!=0 severity_id!=1
| stats count(dest_mac) as TotalHosts by signature_id ]
| sort -reltime -severity_id -TotalHosts
| table signature signature_id severity_id assigned_person status notes reltime TotalHosts
| rename signature as Signature signature_id as ID severity_id as Severity assigned_person as Owner status as Status notes as Notes reltime as "First Seen" TotalHosts as "Total Hosts"
The problem:
So I am wanting to sort vulnerabilities by the oldest one first. When I go through reltime Splunk sorts the string realtime returns. So instead of 28 days being smaller than 1 month it is marked as bigger. I have been fighting with this for a little bit now and I just think I am only seeing trees instead of the forest. Anyone want to poke me and send me off down the right path?
The query:
The first two lines are to get the base data where I want it to be
the first join adds my lookup table to the mix (I do not want them to be automatic lookups)
Then we filter for Ryan
Then we add reltime
the second join is so we only see the hosts most recently affected instead of getting all hosts that have ever been affected
then we sort
then we make a table
and we tidy up by renaming
... View more
01-05-2018
12:47 PM
The first query solves it for me. You are correct I will change it but the stats count killing all my fields was my issue.
Thank you very much for the help!
... View more
01-05-2018
11:55 AM
The only problem is if there is a value I need to evaluate if it states up or down. If there is no results then I can assume it is up.
... View more
01-05-2018
11:40 AM
index=ios host=1.1.0.2 src_ip="1.2.2.1" "NBRCHANGE"
| head 1
| eval status = if(like(_raw, "%down%"), 1 , 0)
| stats count
| eval status=if(count==0, "up", status)
| table status
This seems to be a simple query but for some reason it really does not like me.
I am wanting to return a default value of "up" if there is no results found.
Long Explanation:
I am creating a dashboard that will tell us if an interface on a router is down. Since our Index is large and is no position to be adjusted I am only checking for changes in the log over the last 30 days. At the end of the 30 days the dashboard will produce "No results found" because there has been no events in the last 30 days that matches the search. Because of this I want to setup a default value that will return.
I have tried:
fillnull
| eval noResults = if(searchmatch("NBRCHANGE"),1,0)
| stats count as myCount sum(noResults) AS noResults
| eval noResults=if(myCount=="0",0,noResults)
| eval status = case(noResults=="0", "first result returned", noResults!="0", if(like(_raw, "%down%"), "second result returned", "third result returned"))
| table status
... View more
- Tags:
- eval
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
