×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
rororspec
Explorer
Member since: ‎03-02-2018
‎12-01-2025
Community Statistics
Posts 8
Solutions 1
Karma Given 1
Karma Received 2
Member Since ‎03-02-2018
Activity Feed
View All

Re: How to search/ report based on deltas threshol...

by in Alerting
‎12-01-2025 10:07 PM
‎12-01-2025 10:07 PM
Thanks for the amazing corrections! Ill be cleaning that ASAP! Honestly its a weekly report so Im not sure of the value having any date there is proving as its a sum of the whole week.  The weekly comparison is the bytes_in and bytes_out between src_ip and dest_ip. Honestly for my purposes that's the only fields of interest and the rest are just to aid in figuring out where the devices are and validate as expected.  so for example below is a simplified version of the report previous week src_ip dst_ip gb_in gb_out  1.1.1.1 2.2.2.2 3 4   current week src_ip dst_ip gb_in gb_out  1.1.1.1 2.2.2.2 3.2 3.9   on the above scenario then that src_ip and dst_ip would be left out of the report as the values are pretty similar to what was already accepted as expected data transfers.  Ideally i guess what im trying to do is baseline the report. To where if last weeks report contains the same src_ip and dst_ip with close enough gb_in gb_out (Ill adjust depending on risk appetite) from the previous week then it wont make it to the report.  Once again this is super helpful! This is a great community!    ... View more

How to search/ report based on deltas threshold fr...

by in Alerting
‎12-01-2025 02:42 PM
‎12-01-2025 02:42 PM
Good Afternoon,  This is gonna be fun trying to explain. In essence I have a current report we use to review data transfers between hosts for excessive transfer that may be un expected. This is being done on Enterprise Security server on an accelerated data model. This unfortunately have to be manually reviewed and during those reviews I noticed some of the devices repeat each week, which we will consider "expected" behavior.  Along these lines I would like to see if there's anyway to correlate the previous week transfers to get the delta and filter out anything that is within something like 5% from previous week values.  I tried to make some happen with the "delta" and "timewrap" but honestly seems to be beyond my expertise and a bit of a steep learning for me. below the query producing the current report. Ideally I would like to look into the delta for gb_in or gb_out to be within the 5% but if its not feasible perhaps just do it based on the gb_total.   | tstats summariesonly=true values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.src_ip) as src_ip values(All_Traffic.dest_port) as dest_port values(All_Traffic.bytes_in) as bytes_in values(All_Traffic.bytes_out) as bytes_out values(All_Traffic.user) as user values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.rule) as rule from datamodel=Network_Traffic where All_Traffic.bytes_out > 10000000000 groupby All_Traffic.user, All_Traffic.src_ip, All_Traffic.dest_port,All_Traffic.dest_zone,All_Traffic.src_zone, host sourcetype index _time span=1s | eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S") | eval total_bytes_out = sum(bytes_out) | eval total_bytes_in = sum(bytes_in) | eval gb_out = round(total_bytes_out/1024/1024/1024,2) | eval gb_in = round(total_bytes_in/1024/1024/1024,2) | sort - _time | streamstats count as No. | rename host as firewall_ip | lookup dnslookup clientip as dest_ip OUTPUT clienthost as dest_resolved_ip | lookup dnslookup clientip as src_ip OUTPUT clienthost as src_resolved_ip | eval dest_dns=if(dest_resolved_ip!="",dest_resolved_ip,dest) | eval src_dns=if(src_resolved_ip!="",src_resolved_ip,src) | eval gb_total=(gb_in+gb_out) | fields _time, firewall_ip, src_ip, src_dns, dest_ip, dest_dns, dest_port, rule, src_zone, dest_zone, gb_in, gb_out gb_total   The only other option I though about was to export the result as a lookup.lastweek and then compare it with the current week which might be a bit cleaner.        ... View more
Labels

Re: How to get Wildcards and Special Characters on...

by in Splunk Search
‎03-08-2018 04:28 PM
2 Karma
‎03-08-2018 04:28 PM
2 Karma
Upon a deeper look into my csv file I noticed a formatting difference. My csv was an export of another table generated from my index=msda. I made the table with displayName and distinguishedName. The distinguishedName field has an extra comma. That my Splunk friends solve it. So moral of the story is make sure there are not format errors and the data to match. I was able to spot it by making a smaller sample to test the output. Hope this helps and apologize for the confusion. ... View more

Re: How to get Wildcards and Special Characters on...

by in Splunk Search
‎03-08-2018 04:18 PM
‎03-08-2018 04:18 PM
My deepest apologies for any confusion this may have caused. Logic was the only element used to minus the answer as it shows as an answer. I have plus in an attempt to fix the wrong doing. I am eager to keep collaborating with the members on this wealth of knowledge. ... View more

Re: How to get Wildcards and Special Characters on...

by in Splunk Search
‎03-08-2018 06:37 AM
‎03-08-2018 06:37 AM
I downvoted this post because no changes to the table ... View more

Re: How to get Wildcards and Special Characters on...

by in Splunk Search
‎03-05-2018 07:00 AM
‎03-05-2018 07:00 AM
Even without the | rename _time as Date | convert timeformat=%F ctime(Date) the table | stats count by user,GUID,_time | lookup GPO_GUID_displayName.csv GUID output displayName | table user,GUID,displayName user GUID displayName XXXXX XXXXXXXX blank ... View more

Re: How to get Wildcards and Special Characters on...

by in Splunk Search
‎03-05-2018 06:48 AM
‎03-05-2018 06:48 AM
I created the lookup. permissions are set to red for everyone ... View more

How to get Wildcards and Special Characters on loo...

by in Splunk Search
‎03-02-2018 06:46 AM
‎03-02-2018 06:46 AM
I'm posting this as everything I have been referencing is from years ago. I need to relate Users to GPO changes. The problem is that the GPO's EventCode=5136 only reports the distinguishedName (DN). So I exported a GPO_GUID_displayName.csv file with the following formats. GUID,displayName "CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}CN=Policies,CN=System,DC=xx,DC=xx,DC=xxx,DC=com",Windows 10 CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}*,Default Domain Policy CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}CN=Policies,CN=System,DC=xx,DC=xx,DC=xxx,DC=com,DefaultDomainPolicy2 my search look like this index="wineventlog" Class=groupPolicyContainer GUID="CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" OR GUID="CN={XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" source="WinEventLog:Security" | stats count by user,GUID,_time | lookup GPO_GUID_displayName.csv GUID output displayName | rename _time as Date | convert timeformat=%F ctime(Date) | table Date,user,GUID,displayName I get everything as expected but the mythical displayName that no matter what format I use seems to always be blank. I figured that the comas on the csv for the FQDN its messing up the file which is that I'm trying to make the wildcard work with the lookup or even if the quotation would. I have looked into this whole transforms thing from past post but I simply don't get it and I'm not totally sure how to access the file as I do everything thru the web GUI. any help its appreciated. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-01-2025 02:08 PM
Karma from
View All
Karma given to
View All