Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Habanero
Habanero
Explorer
Member since:
02-05-2021
07-05-2022
Community Statistics
| Posts | 8 |
| Solutions | 1 |
| Karma Given | 6 |
| Karma Received | 0 |
| Member Since | 02-05-2021 |
Activity Feed
- Karma Re: Transforms conf to reroute logs to different index. for gcusello. 07-05-2022 07:13 AM
- Posted Re: Transforms conf to reroute logs to different index. on Getting Data In. 07-05-2022 07:12 AM
- Karma Re: Transforms conf to reroute logs to different index. for gcusello. 07-05-2022 07:12 AM
- Posted Re: Transforms conf to reroute logs to different index. on Getting Data In. 07-05-2022 06:46 AM
- Posted Transforms.conf to reroute logs to different index. on Getting Data In. 07-05-2022 06:13 AM
- Karma Re: Correlation of two searches for ericjorgensenjr. 04-13-2021 05:27 AM
- Karma Re: Correlation of two searches for gcusello. 04-13-2021 05:26 AM
- Posted Re: Correlation of two searches on Splunk Search. 04-12-2021 10:52 AM
- Posted Correlation of two searches on Splunk Search. 04-12-2021 08:59 AM
- Karma Re: Show triggered events from last 5 minutes from a 2 hour moving average for richgalloway. 02-09-2021 05:02 AM
- Posted Re: Show triggered events from last 5 minutes from a 2 hour moving average on Splunk Search. 02-05-2021 10:41 AM
- Posted Re: Show triggered events from last 5 minutes from a 2 hour moving average on Splunk Search. 02-05-2021 10:39 AM
- Posted Show triggered events from last 5 minutes from a 2 hour moving average on Splunk Search. 02-05-2021 07:02 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
07-05-2022
07:12 AM
I see thank you for clarifying that. I am please to report that it is finally working. I suspect the biggest problem was the value inside the [] in my props.conf that was the problem. For anyone that stumble upon this post in the feature Here's the working config: props.conf: [vmw-syslog]
TRANSFORMS-include = reroute_to_indexA transforms.conf: [reroute_to_indexA]
REGEX = 2300-
DEST_KEY = _MetaData:Index
FORMAT = index-a Thank you for your help @gcusello!
... View more
07-05-2022
06:46 AM
Hello @gcusello Thank you the the quick reply 🙂 Yes, ingestion is done on the same HF. We only have one in our environment. As per our Search Heads the sourcetype is classified as "vmw-syslog". The index is "vmware" To expand on your second point, I though what was put between the square brackets (stanza?) could define either a index or a sourcetype [vmware] or [vmware:vmw-syslog] In any case, I have modified the value inside the square brackets for the props, and followed your suggestion for the transforms.conf. Unfortunately, It is not a log source that is super noisy. I will report back once data comes in. Thank you,
... View more
07-05-2022
06:13 AM
Hello community, I am trying to "reroute" specific logs (based on Regex match) to a different index. This is done on the heavy-forwarder. It is ingested via syslog. Both props and transform are in the correct folder where syslogs events are ingested. I have created a ruleset in props.conf: [vmware]
TRANSFORMS-include = reroute_to_indexA And here is the config from transform.conf: [reroute_to_indexA]
SOURCE_KEY = _raw
REGEX = ^.*2300-.*$
DEST_KEY = _MetaData:Index
FORMAT = index-a Last but not least here is a sample of the logs I am working with: Jul 5 09:02:11 10.32.37.214 1 2022-07-05T09:02:11.339-04:00 2300-RDSH-1-2 View - 1009 [View@6876 Severity="INFO" Module="Agent" EventType="AGENT_DISCONNECTED" UserSID="omitted" UserDisplayName="omitted" PoolId="2300-rdsh-farm1" MachineId="omitted" MachineName="2300-RDSH-1-2" MachineDnsName="2300-rdsh-1-2" CurrentSessionLength="180" TotalLoginLength="180" SessionType="APPLICATION"] User omitted has disconnected from machine 2300-RDSH-1-2 At this point I would have expected to see the logs being written to index-a. What have I done so far as troubleshooting: Remove SOURCE_KEY Replace SOURCE_KEY = _raw with field:MachineDnsName Replace SOURCE_KEY = _raw with fields:MachineDnsName Substituted the REGEX for .*2300.* and .*2300-.* Nothing have helped so far; any help or pointers would be greatly appreciated. Thank you,
... View more
Labels
04-12-2021
10:52 AM
Thank you @gcusello for the prompt reply. It cleared up some questions in regards to the limitation. One of the issues are the fact that both index does not have the same name field. For instance this is the SPL for my first search. index=estreamer src_ip!="10.0.0.0/8" src_ip!="192.168.0.0/24" src_ip!=172.16.0.0/12 (app_proto="TeamViewer" app_proto="FTP" OR app_proto="FTP Data" OR app_proto="Telnet" OR app_proto="RDP" OR app_proto="SSH" OR dest_port="3389" OR dest_port="23" OR dest_port="22") fw_rule_action="Allow" The event of interest I am seeking are IP addresses that were allowed by the firewall and opened connection on our Windows servers (EventCode 5154/5156) Our firewall uses the field name `src_ip` and Windows Event are `Source_Address` If I understand I would have to rename the field to be able to search against our Windows Index | rename src_ip as Source_Address
... View more
04-12-2021
08:59 AM
Good day Community, I would like to know what is the best approach to filters events based on previous query. My precisely here is my scenario: I am attempting to correlate our firewall logs against Windows Event Log 5156 / 5154 which is the local firewall that allowed a connection. I am not sure if a multi-search is the best approach, or using append vs join vs subsearch. Did anyone ever crafted a SPL similar to the one describe above, or can provide some insight into the best method to achieve the results wanted. Thank you,
... View more
02-05-2021
10:41 AM
I was able to figure out a solution to my problem. Here is the complete query: base_search earliest=-121m@m latest=-1m@m | bin _time span=2m | stats count by _time
| streamstats avg("count") as avg stdev("count") as stdev
| eval upperBound=(avg+stdev*exact(1))
| eval isOutlier=if('count' < lowerBound OR 'count' > upperBound, 1, 0)
| eval avg=round(avg,0) | eval upperBound=round(upperBound,0)
| eval last_three_mins=relative_time(now(), "-3m@m")
| search "isOutlier"=1
| where _time >= last_three_mins
| rename count as "Events" upperBound as "Upper Limit" isOutlier as "Is Outlier" avg as "Average"
| fields _time, "Events", "Average", "Upper Limit", "Is Outlier" Thanks to everyone who helped.
... View more
02-05-2021
10:39 AM
Thanks for replying, although your search gives me this error: Error in 'where' command: Type checking failed. The '==' operator received different types
... View more
02-05-2021
07:02 AM
Good day, We are looking at a solution to alert us on abnormal traffic spike. We have leverage the standard deviation, and `streamstats` for the moving average. We are "graphing" for the last 2 hours. Last but not least, there is a cron job running every 2 minutes. Below is the query: base_search earliest=-121m@m latest=-1m@m | bin _time span=2m | stats count by _time
| streamstats avg("count") AS avg stdev("count") AS stdev
| eval upperBound=(avg+stdev*exact(2))
| eval isOutlier=if('count' < lowerBound OR 'count' > upperBound, 1, 0)
| eval avg=round(avg,0) | eval upperBound=round(upperBound,0) | rename count as "Events" upperBound AS"Upper Limit" isOutlier AS"Is Outlier" avg AS "Average"
| fields _time, "Events", "Average", "Upper Limit", "Is Outlier"
| search "Is Outlier"=1 The problem I am encountering is once there is a "Outlier" it will remain in the table for the next 2 hours. i.e. Outlier a 7:31am on the next schedule run at 7:32am it will trigger. But the entry will still show up at 7:34am, 7:36am, and so forth. I tried using the following arguments but it doesn't work. | search "Is Outlier"=1 earliest=-2m@m latest=now() Does anyone has any idea how I can have the alerts show the last two minutes, but retaining the 2 hours moving average? Thank you in advance!
... View more
Labels
- Labels:
-
eval
-
fields
-
other
-
search job inspector
-
subsearch
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-05-2022
10:33 AM
|
