Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rip_leroi
rip_leroi
Explorer
Member since:
10-10-2018
03-02-2022
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 10-10-2018 |
Activity Feed
- Posted How to pass a user ID to a new query? on Splunk Search. 03-01-2022 01:28 PM
- Karma Re: Using lookup table for whitelisting CIDR ranges in SPL and getting zero results for HiroshiSatoh. 06-05-2020 12:50 AM
- Karma Re: How come my macro data isn't refreshing in new searches? for pkeenan87. 06-05-2020 12:50 AM
- Posted Re: How come my macro data isn't refreshing in new searches? on Knowledge Management. 03-07-2019 07:45 AM
- Posted How come my macro data isn't refreshing in new searches? on Knowledge Management. 03-05-2019 07:32 AM
- Tagged How come my macro data isn't refreshing in new searches? on Knowledge Management. 03-05-2019 07:32 AM
- Tagged How come my macro data isn't refreshing in new searches? on Knowledge Management. 03-05-2019 07:32 AM
- Posted Re: Using lookup table for whitelisting CIDR ranges in SPL and getting zero results on Getting Data In. 03-04-2019 08:28 AM
- Posted Re: Using lookup table for whitelisting CIDR ranges in SPL and getting zero results on Getting Data In. 03-01-2019 02:25 PM
- Posted Re: Using lookup table for whitelisting CIDR ranges in SPL and getting zero results on Getting Data In. 03-01-2019 02:24 PM
- Posted Using lookup table for whitelisting CIDR ranges in SPL and getting zero results on Getting Data In. 02-28-2019 11:46 AM
- Tagged Using lookup table for whitelisting CIDR ranges in SPL and getting zero results on Getting Data In. 02-28-2019 11:46 AM
- Tagged Using lookup table for whitelisting CIDR ranges in SPL and getting zero results on Getting Data In. 02-28-2019 11:46 AM
- Tagged Using lookup table for whitelisting CIDR ranges in SPL and getting zero results on Getting Data In. 02-28-2019 11:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
03-01-2022
01:28 PM
I'm attempting to build a search around Okta authentication logs. I want to run a query to check for any Multi factor update/change, collect the user ID and pass that to another search where I see the geolocation data where the User has authenticated previously over a specific time span. Essentially, I'm trying to build a search to see if a user that requested an MFA change is doing it from a different geolocation than they normally authenticate from. The query below shows all users that have have a MFA change with their corresponding geolocation data. Is there a way to pass the user ID(s) to a different search where I can look at 7 days worth of their authentication activity to see if the geolocation matches? I've researched sub-searches but that doesn't work because I need the user ID first but the subsearch runs first and I don't have the user ID yet. I looked at map which seems like it's the best solution, but there a lot of warnings about it being resource intensive. If anyone can point me in the right direction, it would be very much appreciated. index=okta eventType="user.mfa.factor.update" | stats values(actor.id), values(client.geographicalContext.State)
... View more
03-07-2019
07:45 AM
This did the trick. Thank you very much.
... View more
03-05-2019
07:32 AM
I have a macro that I created and have since added additional data to it. However, when I search the new data does not show up. I did CTRL+SHIFT+E on the macro in the search window, and it doesn't reflect the new data I added. However, I see all the data I added when I go to the macro settings.
Is there a way to refresh a macro to include the new data?
... View more
03-04-2019
08:28 AM
You were correct. I removed the NOT Cisco_ASA_action=teardown NOT transport=icmp and started seeing results. Apparently, my whitelist excluded every alert and there were no other matching record. I appreciate you taking the time to help.
... View more
03-01-2019
02:25 PM
This doesn't return any results but thank you for the suggestion.
... View more
03-01-2019
02:24 PM
I appreciate the comment. This returns all results including the CIDR ranges that I'm looking to exclude.
... View more
02-28-2019
11:46 AM
I'm brand new to Splunk and I'm having difficulty getting a query to return the results I'm looking for. I've checked the knowledge base and I see references to using transforms.conf and props.conf, but I'm in an Enterprise environment, and I don't have access to change those files.
I have a .csv lookup I've created that contains a column for CIDR ranges and a column to indicate whether the CIDR range should be whitelisted from search results. I'm trying run a query for any SMB that is incoming from the internet. My query is listed below.
index=netfw sourcetype=cisco:asa dest_port=445 NOT Cisco_ASA_action=teardown NOT transport=icmp
| lookup smbwhitelist.csv dest_ip OUTPUTNEW iswhitelist as whitelist
| search NOT whitelist IN ("yes")
This returns all traffic including all the CIDR ranges that I'm trying to whitelist and exclude from the search results. If I remove the NOT from the search, then I receive no results. However, if I manually paste in the CIDR ranges I get results, so I'm missing something.
Any pointers in the right direction would be greatly appreciated.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-02-2022
06:07 PM
|
