Hello Team,
Can someone help me with creating a query to report if there are multiple blocked requests from a single IP? Please find the sample alert below.
Please email me @colwinrebeiro.rajendran@hidglobal.com.
action | httpSourceId | webaclId | httpRequest.uri | httpRequest.clientIp | ruleGroupList{}.terminatingRule.ruleId | terminatingRuleType | terminatingRuleId |
BLOCK | 555662058394-app/ALB-EXT-ORIGO-API-CERT/611b0867bb7ac42c | arn:aws:wafv2:us-east-1:555662058394:regional/webacl/WEBACL-ALB-EXT-ORIGO-API-CERT/b83fd96e-c7ae-4c20-93cb-4a2b1404e57e | / | 185.185.41.193 | REGULAR | Default_Action |
Regards
Colwin
Hi @colraj,
you have to extract the fields you need (action and httpRequest_clientIp) and use the stats count command, something like this:
| makeresults
| eval _raw="2020-08-17 10:22:56 BLOCK 555662058394-app/ALB-EXT-ORIGO-API-CERT/611b0867bb7ac42c arn:aws:wafv2:us-east-1:555662058394:regional/webacl/WEBACL-ALB-EXT-ORIGO-API-CERT/b83fd96e-c7ae-4c20-93cb-4a2b1404e57e / 185.185.41.193 REGULAR Default_Action"
| rex "\d+-\d+-\d+\s+\d+:\d+:\d+\s(?<action>\w+).*\s+(?<httpRequest_clientIp>\d+\.\d+\.\d+\.\d+)\s"
| search action="BLOCK"
| stats count BY httpRequest_clientIp
| where count > 1
In your real situation, you have to modify the regex because I don't know if the timestamp at the beginning of the event really has this format in your events (it wasn't in the example and I supposed "2020-08-17 10:22:56").
Anyway, the approach is:
if you share an example of your logs I could be more precise in the regex.
Ciao.
Giuseppe
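The same detection logic as the search in the answer above, written in Python and run over a few constructed sample events. This is an added example, not code from the thread: it mirrors the rex (timestamp, action word, last dotted-quad) and the stats count BY httpRequest_clientIp / where count > 1 steps, so you can see what the search returns before building it in Splunk. The event layout is assumed to follow the makeresults line in the answer; the function names are hypothetical, and every IP other than the one from the question comes from the RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Regex mirroring the rex in the answer: timestamp, the action word, then the
# last dotted-quad that is followed by whitespace. The lookahead also accepts
# end-of-line, so an IP that ends the event is still captured (the original
# trailing \s would not match there).
EVENT_RE = re.compile(
    r"\d+-\d+-\d+\s+\d+:\d+:\d+\s(?P<action>\w+).*\s+"
    r"(?P<httpRequest_clientIp>\d+\.\d+\.\d+\.\d+)(?=\s|$)"
)

# Constructed sample events (not real alerts). The layout follows the
# makeresults line from the answer; only the first IP appears in the question.
SRC = "555662058394-app/ALB-EXT-ORIGO-API-CERT/611b0867bb7ac42c"
ACL = ("arn:aws:wafv2:us-east-1:555662058394:regional/webacl/"
       "WEBACL-ALB-EXT-ORIGO-API-CERT/b83fd96e-c7ae-4c20-93cb-4a2b1404e57e")

SAMPLE_EVENTS = [
    f"2020-08-17 10:22:56 BLOCK {SRC} {ACL} / 185.185.41.193 REGULAR Default_Action",
    f"2020-08-17 10:22:57 BLOCK {SRC} {ACL} /login 185.185.41.193 REGULAR Default_Action",
    f"2020-08-17 10:22:59 BLOCK {SRC} {ACL} /api/v1/users 185.185.41.193 REGULAR Default_Action",
    f"2020-08-17 10:23:01 ALLOW {SRC} {ACL} /api/health 198.51.100.7 REGULAR Default_Action",
    f"2020-08-17 10:23:02 ALLOW {SRC} {ACL} /api/health 198.51.100.7 REGULAR Default_Action",
    f"2020-08-17 10:23:05 BLOCK {SRC} {ACL} /login 203.0.113.10 REGULAR Default_Action",
    "not a WAF event at all",  # malformed line: the rex would extract nothing
]


def extract_fields(event: str):
    """Return {'action': ..., 'httpRequest_clientIp': ...} for one event, or
    None when the event does not match (the SPL rex would likewise leave the
    fields empty and the search would drop the event)."""
    m = EVENT_RE.search(event)
    return m.groupdict() if m else None


def count_blocks_by_ip(events) -> Counter:
    """Equivalent of: | search action="BLOCK" | stats count BY httpRequest_clientIp"""
    counts = Counter()
    for event in events:
        fields = extract_fields(event)
        if fields and fields["action"] == "BLOCK":
            counts[fields["httpRequest_clientIp"]] += 1
    return counts


def repeat_blocked_ips(events, min_count: int = 2) -> dict:
    """Equivalent of the final | where count > 1: keep only IPs that were
    blocked at least min_count times. Unparseable events are ignored."""
    return {ip: n for ip, n in count_blocks_by_ip(events).items() if n >= min_count}


if __name__ == "__main__":
    # Same columns the Splunk stats table would show: httpRequest_clientIp, count
    for ip, n in sorted(repeat_blocked_ips(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n}")
```

Raise min_count (or the `where count > N` threshold in SPL) to whatever number of blocks per IP you consider worth alerting on; a single block from an IP is usually noise, while several within the search window is the pattern the question is after.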
Hello Sir,
Thanks for the response. But since I am new to Splunk, I am not sure what information (logs) you actually need. If you are fine with it, we can do a screen sharing session so that you can understand, or please let me know where I can find this log information for this particular task.
Hi @colraj,
remember that in a Splunk job 70% is the knowledge of the technology you're working on, 30% is how to use this knowledge in Splunk.
This means that the problem isn't in your Splunk knowledge: you have to know very well the logs you're analyzing: knowing the fields, the error messages, etc...
When you have a clear idea of what there's in your logs and what you need to extract and find, then you can approach Splunk to build and run the search.
So, start from the logs you have, then analyze them to find the useful information, then identify the conditions you need to search for.
Without this information it isn't possible to create and run a Splunk search.
Ciao.
Giuseppe