Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About rororspec
rororspec
Explorer
Member since:
03-02-2018
a month ago
Community Statistics
| Posts | 8 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 2 |
| Member Since | 03-02-2018 |
Activity Feed
- Posted Re: How to search/ report based on deltas threshold from weekly reports on Alerting. a month ago
- Posted How to search/ report based on deltas threshold from weekly reports on Alerting. a month ago
- Karma Re: How to get Wildcards and Special Characters on lookup table? for logloganathan. 06-05-2020 12:49 AM
- Got Karma for Re: How to get Wildcards and Special Characters on lookup table?. 06-05-2020 12:49 AM
- Got Karma for Re: How to get Wildcards and Special Characters on lookup table?. 06-05-2020 12:49 AM
- Posted Re: How to get Wildcards and Special Characters on lookup table? on Splunk Search. 03-08-2018 04:28 PM
- Posted Re: How to get Wildcards and Special Characters on lookup table? on Splunk Search. 03-08-2018 04:18 PM
- Posted Re: How to get Wildcards and Special Characters on lookup table? on Splunk Search. 03-08-2018 06:37 AM
- Posted Re: How to get Wildcards and Special Characters on lookup table? on Splunk Search. 03-05-2018 07:00 AM
- Posted Re: How to get Wildcards and Special Characters on lookup table? on Splunk Search. 03-05-2018 06:48 AM
- Posted How to get Wildcards and Special Characters on lookup table? on Splunk Search. 03-02-2018 06:46 AM
- Tagged How to get Wildcards and Special Characters on lookup table? on Splunk Search. 03-02-2018 06:46 AM
- Tagged How to get Wildcards and Special Characters on lookup table? on Splunk Search. 03-02-2018 06:46 AM
- Tagged How to get Wildcards and Special Characters on lookup table? on Splunk Search. 03-02-2018 06:46 AM
- Tagged How to get Wildcards and Special Characters on lookup table? on Splunk Search. 03-02-2018 06:46 AM
- Tagged How to get Wildcards and Special Characters on lookup table? on Splunk Search. 03-02-2018 06:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
a month ago
Thanks for the amazing corrections! Ill be cleaning that ASAP! Honestly its a weekly report so Im not sure of the value having any date there is proving as its a sum of the whole week. The weekly comparison is the bytes_in and bytes_out between src_ip and dest_ip. Honestly for my purposes that's the only fields of interest and the rest are just to aid in figuring out where the devices are and validate as expected. so for example below is a simplified version of the report previous week src_ip dst_ip gb_in gb_out 1.1.1.1 2.2.2.2 3 4 current week src_ip dst_ip gb_in gb_out 1.1.1.1 2.2.2.2 3.2 3.9 on the above scenario then that src_ip and dst_ip would be left out of the report as the values are pretty similar to what was already accepted as expected data transfers. Ideally i guess what im trying to do is baseline the report. To where if last weeks report contains the same src_ip and dst_ip with close enough gb_in gb_out (Ill adjust depending on risk appetite) from the previous week then it wont make it to the report. Once again this is super helpful! This is a great community!
... View more
a month ago
Good Afternoon, This is gonna be fun trying to explain. In essence I have a current report we use to review data transfers between hosts for excessive transfer that may be un expected. This is being done on Enterprise Security server on an accelerated data model. This unfortunately have to be manually reviewed and during those reviews I noticed some of the devices repeat each week, which we will consider "expected" behavior. Along these lines I would like to see if there's anyway to correlate the previous week transfers to get the delta and filter out anything that is within something like 5% from previous week values. I tried to make some happen with the "delta" and "timewrap" but honestly seems to be beyond my expertise and a bit of a steep learning for me. below the query producing the current report. Ideally I would like to look into the delta for gb_in or gb_out to be within the 5% but if its not feasible perhaps just do it based on the gb_total. | tstats summariesonly=true values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.src_ip) as src_ip values(All_Traffic.dest_port) as dest_port values(All_Traffic.bytes_in) as bytes_in values(All_Traffic.bytes_out) as bytes_out values(All_Traffic.user) as user values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.rule) as rule from datamodel=Network_Traffic where All_Traffic.bytes_out > 10000000000 groupby All_Traffic.user, All_Traffic.src_ip, All_Traffic.dest_port,All_Traffic.dest_zone,All_Traffic.src_zone, host sourcetype index _time span=1s | eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S") | eval total_bytes_out = sum(bytes_out) | eval total_bytes_in = sum(bytes_in) | eval gb_out = round(total_bytes_out/1024/1024/1024,2) | eval gb_in = round(total_bytes_in/1024/1024/1024,2) | sort - _time | streamstats count as No. | rename host as firewall_ip | lookup dnslookup clientip as dest_ip OUTPUT clienthost as dest_resolved_ip | lookup dnslookup clientip as src_ip OUTPUT clienthost as src_resolved_ip | eval dest_dns=if(dest_resolved_ip!="",dest_resolved_ip,dest) | eval src_dns=if(src_resolved_ip!="",src_resolved_ip,src) | eval gb_total=(gb_in+gb_out) | fields _time, firewall_ip, src_ip, src_dns, dest_ip, dest_dns, dest_port, rule, src_zone, dest_zone, gb_in, gb_out gb_total The only other option I though about was to export the result as a lookup.lastweek and then compare it with the current week which might be a bit cleaner.
... View more
Labels
- Labels:
-
other
03-08-2018
04:28 PM
2 Karma
Upon a deeper look into my csv file I noticed a formatting difference. My csv was an export of another table generated from my index=msda. I made the table with displayName and distinguishedName. The distinguishedName field has an extra comma. That my Splunk friends solve it. So moral of the story is make sure there are not format errors and the data to match. I was able to spot it by making a smaller sample to test the output. Hope this helps and apologize for the confusion.
... View more
03-08-2018
04:18 PM
My deepest apologies for any confusion this may have caused. Logic was the only element used to minus the answer as it shows as an answer. I have plus in an attempt to fix the wrong doing. I am eager to keep collaborating with the members on this wealth of knowledge.
... View more
03-08-2018
06:37 AM
I downvoted this post because no changes to the table
... View more
03-05-2018
07:00 AM
Even without the
| rename _time as Date
| convert timeformat=%F ctime(Date)
the table
| stats count by user,GUID,_time
| lookup GPO_GUID_displayName.csv GUID output displayName
| table user,GUID,displayName
user GUID displayName
XXXXX XXXXXXXX blank
... View more
03-05-2018
06:48 AM
I created the lookup. permissions are set to red for everyone
... View more
03-02-2018
06:46 AM
I'm posting this as everything I have been referencing is from years ago.
I need to relate Users to GPO changes. The problem is that the GPO's EventCode=5136 only reports the distinguishedName (DN). So I exported a GPO_GUID_displayName.csv file with the following formats.
GUID,displayName
"CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}CN=Policies,CN=System,DC=xx,DC=xx,DC=xxx,DC=com",Windows 10
CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}*,Default Domain Policy
CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}CN=Policies,CN=System,DC=xx,DC=xx,DC=xxx,DC=com,DefaultDomainPolicy2
my search look like this
index="wineventlog" Class=groupPolicyContainer GUID="CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" OR GUID="CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" source="WinEventLog:Security"
| stats count by user,GUID,_time
| lookup GPO_GUID_displayName.csv GUID output displayName
| rename _time as Date
| convert timeformat=%F ctime(Date)
| table Date,user,GUID,displayName
I get everything as expected but the mythical displayName that no matter what format I use seems to always be blank. I figured that the comas on the csv for the FQDN its messing up the file which is that I'm trying to make the wildcard work with the lookup or even if the quotation would. I have looked into this whole transforms thing from past post but I simply don't get it and I'm not totally sure how to access the file as I do everything thru the web GUI. any help its appreciated.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a month ago
|
