Hi guys, I want to make a table with lists in it in Splunk and I really need some help!
I have an IPS to analyse and I want to see which source IPs certain attacks came from. When I get an ipA from attackA, I would like to know how many times ipA did attackA, which destination IPs are influenced and how many times each, and whether ipA does any other attacks.
Here is my search line:
index="security" attName="$some certain attack name$"
| stats count as c by src attName des
| stats sum(c) as total list(des) as desips list(c) as LC by src
| join src [ search index="security"
| stats values(attName) as otherAttack by src ]
| table src total desips LC otherAttack
| sort -total
The table I expect to get is like:
src           total  desips          LC  otherAttack
14.18.240.6   18     172.25.118.53   1   Adobe Reader And Acrobat Privilege Escalation Vulnerability
                     172.26.67.198   5   Microsoft Windows HTTP Services Integer Underflow Vulnerability
                     172.26.68.201   8
                     172.26.69.46    2
                     172.26.71.193   2
14.18.256.74  6      172.25.118.43   1   Adobe Reader And Acrobat Privilege Escalation Vulnerability
                     172.26.68.208   2
                     172.26.71.193   3
But what I really got was like:
src           total  desips          LC  otherAttack
14.18.240.6   18     172.25.118.53   1   Adobe Reader And Acrobat Privilege Escalation Vulnerability Microsoft Windows HTTP Services Integer Underflow Vulnerability
                     172.26.67.198   5
                     172.26.68.201   8
                     172.26.69.46    2
                     172.26.71.193   2
14.18.256.74  6      172.25.118.43   1   Adobe Reader And Acrobat Privilege Escalation Vulnerability
                     172.26.68.208   2
                     172.26.71.193   3
I found that if I put values/list in a subsearch, all the values of the values/list field get put in one row. I tried "| stats delim="/n" values(attName) as otherAttack by src" and it didn't work. How can I separate them onto different lines in one cell?
index="security"
| eventstats values(attName) as att by src
| where attName="$some certain attack name$"
| stats count as c by src attName des att
| stats values(att) as atts by src attName des c
| stats sum(c) as total list(des) as desips list(c) as LC values(atts) as otherAttack by src
| table src total desips LC otherAttack
| sort -total
Solved by this search line without using "join".
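A self-contained version of the eventstats approach above, added here as an example and not taken from the thread: it builds a handful of constructed events with makeresults (the IPs and attack names AttackA/AttackB in the sample string are made up) so the search runs without the security index, and it collapses the two intermediate stats passes into one values() over the multivalue otherAttack field.

```spl
| makeresults
| eval sample="14.18.240.6,AttackA,172.25.118.53;14.18.240.6,AttackA,172.26.67.198;14.18.240.6,AttackA,172.26.67.198;14.18.240.6,AttackB,172.26.67.198;14.18.256.74,AttackA,172.25.118.43;14.18.256.74,AttackA,172.26.68.208"
| makemv delim=";" sample
| mvexpand sample
| rex field=sample "^(?<src>[^,]+),(?<attName>[^,]+),(?<des>[^,]+)$"
| fields - sample
| eventstats values(attName) as otherAttack by src
| where attName="AttackA"
| stats count as c values(otherAttack) as otherAttack by src des
| stats sum(c) as total list(des) as desips list(c) as LC values(otherAttack) as otherAttack by src
| table src total desips LC otherAttack
| sort -total
```

With this sample data the first row is src 14.18.240.6, total 3, desips 172.25.118.53 and 172.26.67.198 with LC 1 and 2, and otherAttack listing AttackA and AttackB as separate multivalue entries; the second row is 14.18.256.74 with total 2 and only AttackA. The eventstats runs before the where filter, so the other attacks are collected per src without a join and the multivalue field survives intact.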
Try this
index="security" attName="$some certain attack name$"
| stats count as c by src attName des
| stats sum(c) as total list(des) as desips list(c) as LC by src
| join src [ search index="security"
| eval attName="<Delimit>"+attName
| stats values(attName) as otherAttack by src ]
| eval otherAttack=split(otherAttack,"<Delimit>")
| table src total desips LC otherAttack
| sort -total
※ Replace "Delimit" with any character.
Thank you for your reply. The result of this search line is pretty interesting because some of them are separated while some of them aren't. I have no idea how this happens but still thank you!
I see. "Delimit" cannot be replaced by ";", but "!", "+", "-", "," and "." work!
Can anybody help please?
Give this a try
index="security" attName="$some certain attack name$"
| stats count as c by src attName des
| stats sum(c) as total list(des) as desips list(c) as LC by src
| join src [ search index="security"
| stats values(attName) as otherAttack by src ]
| stats values(*) as * by src | table src total desips LC otherAttack | sort -total
Thank you for your reply but it doesn't work. The otherAttack column remains the same and some values of the LC column are gone.
Try this:
index="security" attName="$some certain attack name$"
| stats count as c by src attName des
| stats sum(c) as total list(des) as desips list(c) as LC by src
| join src [ search index="security"
| stats values(attName) as otherAttack by src
| mvexpand otherAttack ]
| table src total desips LC otherAttack
| sort -total
Thank you for your reply but it doesn't work. "Microsoft Windows HTTP Services Integer Underflow Vulnerability" just disappeared.