Splunk Search

Problem with values/list in subsearch

LuiesCui
Communicator

Hi guys, I want to make a table with lists in it with Splunk and I really need some help!
I have an IPS to analyse and want to see which source IPs certain attacks came from. When I get an ipA from attackA, I would like to know how many times ipA performed attackA, which destination IPs were affected and how many times each, and whether there are any other attacks ipA performs.
Here is my search line:

index="security" attName="$some certain attack name$"
| stats count as c by src attName des
| stats sum(c) as total list(des) as desips list(c) as LC by src
| join src [ search index="security"
| stats values(attName) as otherAttack by src ]
| table src total desips LC otherAttack
| sort -total

The table I expect to get is like:

     src    total    desips     LC   otherAttack
14.18.240.6   18  172.25.118.53  1  Adobe Reader And Acrobat Privilege Escalation Vulnerability
                  172.26.67.198  5  Microsoft Windows HTTP Services Integer Underflow Vulnerability
                  172.26.68.201  8
                  172.26.69.46   2
                  172.26.71.193  2

14.18.256.74  6   172.25.118.43  1  Adobe Reader And Acrobat Privilege Escalation Vulnerability
                  172.26.68.208  2
                  172.26.71.193  3

But what I really got was like:

     src    total    desips     LC   otherAttack
14.18.240.6   18  172.25.118.53  1  Adobe Reader And Acrobat Privilege Escalation Vulnerability Microsoft Windows HTTP Services Integer Underflow Vulnerability
                  172.26.67.198  5       
                  172.26.68.201  8
                  172.26.69.46   2
                  172.26.71.193  2

14.18.256.74  6   172.25.118.43  1  Adobe Reader And Acrobat Privilege Escalation Vulnerability
                  172.26.68.208  2
                  172.26.71.193  3

I found that if I put values/list in a subsearch, the values of the values/list field are all put in one row. I tried "| stats delim="/n" values(attName) as otherAttack by src" and it didn't work. How can we separate them onto different lines in one cell?

0 Karma
1 Solution

LuiesCui
Communicator
index="security"
| eventstats values(attName) as att by src
| where attName="$some certain attack name$"
| stats count as c by src attName des att
| stats values(att) as atts by src attName des c
| stats sum(c) as total list(des) as desips list(c) as LC values(atts) as otherAttack by src
| table src total desips LC otherAttack
| sort -total

Solved by this search line without using "join".


0 Karma
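The accepted search can be tried without access to the security index. The following is an added example, not part of the original thread: it uses makeresults to build a small constructed dataset with the thread's field names (src, attName, des) and then runs the same eventstats/stats pipeline over it. The source and destination IPs, the event counts and the filter value are all made up for the example; the two attack names are the ones quoted in the thread. The first eventstats attaches every attack name seen for a source to each of its events before the filter on attName, so the other attacks survive the filter; grouping by the multivalue att field and then regrouping by c collapses the duplicated groups again, so the counts are not inflated; the final values(atts) yields one attack name per line in the otherAttack cell.

```spl
| makeresults
| eval rows="10.0.0.1,Adobe Reader And Acrobat Privilege Escalation Vulnerability,172.16.0.10;"
    ."10.0.0.1,Adobe Reader And Acrobat Privilege Escalation Vulnerability,172.16.0.10;"
    ."10.0.0.1,Adobe Reader And Acrobat Privilege Escalation Vulnerability,172.16.0.11;"
    ."10.0.0.1,Microsoft Windows HTTP Services Integer Underflow Vulnerability,172.16.0.12;"
    ."10.0.0.2,Adobe Reader And Acrobat Privilege Escalation Vulnerability,172.16.0.10"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<src>[^,]+),(?<attName>[^,]+),(?<des>[^,]+)$"
| fields - rows
| eventstats values(attName) as att by src
| where attName="Adobe Reader And Acrobat Privilege Escalation Vulnerability"
| stats count as c by src attName des att
| stats values(att) as atts by src attName des c
| stats sum(c) as total list(des) as desips list(c) as LC values(atts) as otherAttack by src
| table src total desips LC otherAttack
| sort -total
```

Paste the whole search into the search bar as-is (the leading pipe is required because makeresults is a generating command). To apply it to real data, drop everything up to and including the fields line and put index="security" in front of the eventstats, as in the accepted answer. Because eventstats runs before the where filter, it scans every event for the index and time range, so keep the time range tight on large indexes.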


HiroshiSatoh
Champion

Try this

index="security" attName="$some certain attack name$"
| stats count as c by src attName des
| stats sum(c) as total list(des) as desips list(c) as LC by src
| join src [ search index="security"
| eval attName="<Delimit>"+attName
| stats values(attName) as otherAttack by src ]
| eval otherAttack=split(otherAttack,"<Delimit>")
| table src total desips LC otherAttack
| sort -total

※ Replace "Delimit" with any character.

0 Karma

LuiesCui
Communicator

Thank you for your reply. The result of this search line is pretty interesting because some of them are separated while some of them aren't. I have no idea how this happens but still thank you!

0 Karma

LuiesCui
Communicator

I see. "Delimit" cannot be replaced by ";", but "!", "+", "-", "," and "." work!

0 Karma

LuiesCui
Communicator

Can anybody help please?

0 Karma

somesoni2
SplunkTrust

Give this a try

index="security" attName="$some certain attack name$"
| stats count as c by src attName des
| stats sum(c) as total list(des) as desips list(c) as LC by src
| join src [ search index="security"
| stats values(attName) as otherAttack by src ]
| stats values(*) as * by src
| table src total desips LC otherAttack
| sort -total

0 Karma

LuiesCui
Communicator

Thank you for your reply but it doesn't work. The otherAttack column remains the same and some values of LC column gone.

0 Karma

woodcock
Esteemed Legend

Try this:

index="security" attName="$some certain attack name$"
| stats count as c by src attName des
| stats sum(c) as total list(des) as desips list(c) as LC by src
| join src [ search index="security"
| stats values(attName) as otherAttack by src
| mvexpand otherAttack ]
| table src total desips LC otherAttack
| sort -total

0 Karma

LuiesCui
Communicator

Thank you for your reply but it doesn't work. "Microsoft Windows HTTP Services Integer Underflow Vulnerability" just disappeared.

0 Karma