Hi. Currently, I receive my Linux logs in an index called linux_logs and a syslog sourcetype. I would like to change the syslog sourcetype to the linux_secure sourcetype. How can I make that change so that the new logs already arrive in the new sourcetype? My configuration   Sourcetype syslog Sourcetype linux_secure   Thanks!     ... View more

Hi splunkers  Why when I do the following query if it gives me the correct data   Query | inputlookup append=t mitre_lookup | foreach TA00* [ | lookup mitre_tt_lookup technique_id as <<FIELD>> OUTPUT technique_name as <<FIELD>>_technique_name | eval <<FIELD>>_technique_name=mvindex(<<FIELD>>_technique_name, 0) ] | eval codes_tech = "T1548, T1134,T1547" | makemv delim=", " codes_tech | eval TA0004 = if(mvfind(codes_tech, TA0004) > -1, TA0004." Es aqui", TA0004) Result:   But when the data comes from a stats result it doesn't search for the values:   Query: index=notable search_name="Endpoint - KTH*" |fields technique_mitre |stats count by technique_mitre |eval tech_id=technique_mitre |rex field=tech_id "^(?<codes_tech>[^\.]+)" |stats count by codes_tech |makemv delim=", " codes_tech |mvexpand codes_tech |stats count by codes_tech | inputlookup append=t mitre_lookup | foreach TA00* [ | lookup mitre_tt_lookup technique_id as <<FIELD>> OUTPUT technique_name as <<FIELD>>_technique_name | eval <<FIELD>>_technique_name=mvindex(<<FIELD>>_technique_name, 0) ] | eval codes_tech = codes_tech | eval TA0004 = if(mvfind(codes_tech, TA0004) > -1, TA0004." Es aqui", TA0004) Result: I would really appreciate your support ... View more

Hi Splunkers. I've been trying for weeks to do the following: I have a search that outputs a table with MITRE techniques as shown below: Query index=notable search_name="Endpoint - KTH*" | fields tactic_mitre, technique_mitre, risk_mitre, src_user, user, Computer, dest, search_name | stats count by technique_mitre |eval codes_tech=technique_mitre |makemv delim=", " codes_tech |mvexpand codes_tech |rename count as carry |stats sum(carry) as Total by codes_tech Result And I have another query that brings me a table with the IDs and names of the Techniques and tactics of MITRE Query | inputlookup mitre_lookup | foreach TA00* [| lookup mitre_tt_lookup technique_id as <<FIELD>> OUTPUT technique_name as <<FIELD>>_technique_name | eval <<FIELD>>_technique_name=mvindex(<<FIELD>>_technique_name, 0) | eval <<FIELD>>=<<FIELD>>_technique_name . " - " . <<FIELD>>] | fields TA0043,TA0001, TA0002, TA0003, TA0004, TA0005, TA0006, TA0007, TA0008, TA0009, TA0011, TA0010, TA0040, TA0042 | rename TA0043 as "Reconnaissance", TA0042 as "Resource Development", TA0001 as "Initial Access", TA0002 as "Execution", TA0003 as "Persistence", TA0004 as "Privilege Escalation", TA0005 as "Defense Evasion", TA0006 as "Credential Access", TA0007 as "Discovery", TA0008 as "Lateral Movement", TA0009 as "Collection", TA0011 as "Command and Control", TA0010 as "Exfiltration", TA0040 as "Impact" Result   I would like to search within the MITRE table for the codes_tech of the first query and if Total is greater than 0 I would put the Total and otherwise leave the other IDs at 0 Please, I really need your help, please, please, please... ... View more

Hello. I have three lists of names of different technologies, I would like to put the technologies in a menu or multiselect so that when I select each technology it brings me the names of each one that is selected, for example:   My list is:   My multiselect input is:   When selecting each option, I would like it to show me all the users like the following table: try doing the following | makeresults |eval input = "$ms_Be1Voild$" //This is the token of my multiselect input |eval array = mvjoin(input, ",") |fields array But the result is the following: Active Directory,o365,Windows Could anyone help me please.     ... View more

Hi! I would like to separate the field Privilegio   |---------------------------|-------------------------------------------------------------------------------------------|-------------| |   src_user                      |      Privilegio                                                                                                                     |   count      | |---------------------------|-------------------------------------------------------------------------------------------|-------------| |   user-RAC0308$      | SeSecurityPrivilege                                                                                                      |    8127     | |                                          |                                          SeBackupPrivilege                                                               |                    | |                                          |                                          SeRestorePrivilege                                                               |                    | |                                          |                                          SeTakeOwnershipPrivilege                                               |                    | |                                          |                                          SeDebugPrivilege                                                                  |                    | |                                          |                                          SeSystemEnvironmentPrivilege                                      |                    | |                                          |                                          SeLoadDriverPrivilege                                                         |                    | |                                          |                                          SeImpersonatePrivilege                                                      |                    | |                                          |                                          SeDelegateSessionUserImpersonatePrivilege          |                    | |                                          |                                          SeEnableDelegationPrivilege                                            |                    | |                                          |                                          SeCreateTokenPrivilege                                                      |                    | |                                          |                                          SeAssignPrimaryTokenPrivilege                                      |                     | |---------------------------|--------------------------------------------------------------------------------------------|--------------|   Since it only counts the first value and the others are put with a tab, they are the windows privileges of the EventID 4672,  my query is the following: index=oswinsec EventCode=4672 | stats values(PrivilegeList) as Privilegio count by src_user   ... View more