Splunk Search

Need help to run report

rebel2
New Member

I am trying to run a report where from my iis logs I want to pull request urls that have the keywords union and select in it and want to get the top source ip's that are generating these requests. My query below return the top ip's that generate requests with the keywords but its not displaying the actual requests that are indexed under the cs_uri_query field.

sourcetype=iis union select | top limit=20 c_ip | table cs_uri_query, c_ip

0 Karma

emiller42
Motivator

So see why it's behaving the way it does, back up a step in the search. Treat your splunk search just like the linux pipeline: The output from one command is the input for the next. So in your case, your table command is working with the output of the top command. What is the output of the top command? That's easy to see by removing everything after it:

sourcetype=iis union select | top limit=20 c_ip

When you run that, look at the output. More specifically, look at what's not there anymore: Your cs_uri_query field. Since it is not a part of the output of your top command, it's impossible for the table to display it. So this tells us that top might not be the best way to get the information you want. (at least, not directly)

Now, comes the hard question: What do you actually expect your output to be? Your question doesn't make this clear, so I'm going to assume you want all the requests from the top 20 IP's. If so, we're going to need to do some sub search magic:

sourcetype=iis union select [search sourcetype=iis union select | top limit=20 c_ip | table ip | format] | table cs_uri_query, c_ip

The magic here is in the sub search. (everything inside the []'s is it's own search) The sub search generates a list of your top 20 c_ips, and turns them into search parameters for the outer search. So what splunk actually sees is:

sourcetype=iis union select ( (c_ip="X.X.X.X") OR (c_ip="Y.Y.Y.Y") OR ... ) | ...

This will give you a table of every request from those specific IP's having either 'union' or 'select' in them.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...