Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my time wrongly mapped whenever I tabulate the results from transactions?

xnx_1012
Explorer
‎05-22-2020 12:09 AM

When I run this SPL, the transaction commands gives the correct output

index=* source=/var/log/secure* (TERM(sudo)  AND (TERM(adduser) OR TERM(chown) OR TERM(userdel) OR TERM(chmod) OR TERM(usermod) OR TERM(useradd))  AND COMMAND!="*egrep*") 
OR (TERM(sshd) AND "Accepted password" AND TERM(from) AND TERM(port))
| regex _raw != ".*bin\/grep|.*bin\/man|.*bin\/which|.*bin\/less|.*bin\/more" 
| rex field=_raw "(?<=sudo:)\s*(?P<Users>[[:alnum:]]\S*[[:alnum:]])\s*(?=\:).*(?<=COMMAND\=)(?P<command>.*)"
| rex field=_raw "(?<=for)\s*(?P<Users>[[:alnum:]]\S*[[:alnum:]])\s*(?=from).*(?<=from)\s*(?P<ip>[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)"
| eval "Command/Events" = replace(command,"^(\/bin\/|\/sbin\/)","")
| eval Time = if(match(_raw,"(?<=sudo:)\s*[[:alnum:]]\S*[[:alnum:]]\s*(?=\:).*(?<=COMMAND\=)*") ,strftime(_time, "%Y-%d-%m %H:%M:%S"),null())
| eval Date = strftime(_time, "%Y-%d-%m")
| eval "Report ID" = "ABLR-007"
| eval "Agency HF" = if(isnull(agencyhf),"",agencyhf)
| rename host as Hostname, index as Agency
| transaction Date Hostname Users Agency startswith="sshd"  maxevents=-1  keepevicted=true
| regex _raw = ".*sshd\:\n.*sudo\:|.*sudo\:"

Result:
alt text

Then when I tabulate the data using the SPL below, the time is wrong

index=* source=/var/log/secure* (TERM(sudo)  AND (TERM(adduser) OR TERM(chown) OR TERM(userdel) OR TERM(chmod) OR TERM(usermod) OR TERM(useradd))  AND COMMAND!="*egrep*") 
OR (TERM(sshd) AND "Accepted password" AND TERM(from) AND TERM(port))
| regex _raw != ".*bin\/grep|.*bin\/man|.*bin\/which|.*bin\/less|.*bin\/more" 
| rex field=_raw "(?<=sudo:)\s*(?P<Users>[[:alnum:]]\S*[[:alnum:]])\s*(?=\:).*(?<=COMMAND\=)(?P<command>.*)"
| rex field=_raw "(?<=for)\s*(?P<Users>[[:alnum:]]\S*[[:alnum:]])\s*(?=from).*(?<=from)\s*(?P<ip>[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+)"
| eval "Command/Events" = replace(command,"^(\/bin\/|\/sbin\/)","")
| eval Time = if(match(_raw,"(?<=sudo:)\s*[[:alnum:]]\S*[[:alnum:]]\s*(?=\:).*(?<=COMMAND\=)*") ,strftime(_time, "%Y-%d-%m %H:%M:%S"),null())
| eval Date = strftime(_time, "%Y-%d-%m")
| eval "Report ID" = "ABLR-007"
| eval "Agency HF" = if(isnull(agencyhf),"",agencyhf)
| rename host as Hostname, index as Agency
| transaction Date Hostname Users Agency startswith="sshd"  maxevents=-1  keepevicted=true
| regex _raw = ".*sshd\:\n.*sudo\:|.*sudo\:"
| fields "Report ID" Time Agency Command/Events Hostname Users ip "Agency HF"
| rename ip as  "IP Address"
| eval multivalue_fields = mvzip(Time,'Command/Events')
| mvexpand multivalue_fields
| makemv multivalue_fields delim=","
| eval Time=mvindex(multivalue_fields , 0)
| eval "Command/Events"=mvindex(multivalue_fields , 1)
| table "Report ID" Time Agency Command/Events Hostname Users "IP Address" "Agency HF"

Result
alt text

** I also have tried using stats, yes I could combine the data with it. However, I can't use that as I would need to rely heavily on list(). the data sometimes exceeds 100 and the customer does not want me to touch limits.conf so I changed to transaction instead.

Preview file
42 KB
Preview file
106 KB
0 Karma
Reply

DalJeanis
Legend
‎05-26-2020 11:06 AM

Transaction creates multivalue fields, but they are not guaranteed to align as if they were produced by list. You are combining "Time" and "Command/Events", and the result is likely to be nonsense.

More importantly, transaction is resource-heavy and should be avoided in this context, where you plan to break the individual events right back out again.

Probably what you really need here is an initial collection of the events you want, then use eventstats and streamstats to group them and get the fields you are using transaction to get.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...