Reporting

Filtering Log Results

seaed_ac
Explorer

Hello everyone

I hope you guys can help me with this.
How can I filter the results of the following log entry example:

9/29/15 4:29:38.391 AM
usn="50356463" time_stamp="2015-09-29 04:29:38.391 UTC" host_name="host" vapi_name="File Write" begin_time="2015-09-19 06:06:47.953 UTC" end_time="2015-09-19 06:06:47.953 UTC" caller_process_id="632" caller_process_name="C:/Windows/explorer.exe" parameter="E:/Sep.2015/Sicher_R5.pdf" user_name="user" ip_addr="192.168.2.107" file_size="0" param_device_id="USBSTOR\Disk&Ven_PI-239&Prod_USB_2.0_Drive&Rev_1.08\533237584A39414232303131&0"

I need to have a report that tells me a number of files copied while excluding:
- duplicated "parameter field"
- file size > 0
- exclude vapi_name="File Delete"

Can this be accomplished in a single report?

Thanks in advance

1 Solution

MuS
Legend

Hi seaed_ac,

you can run this search, which does what you want:

your base search here file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter)

This will exclude vapi_name="File Delete" and file sizes of 0; finally it does a distinct count on parameter.

Update:

This is the final search:

index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name usenull=f useother=f

Hope this helps ...

cheers, MuS


seaed_ac
Explorer

Hi there
Thank you for your answer
I do receive an error when running the search:
Error in 'file' command: This command must be the first command of a search.

My base search is:
index=infosec sourcetype=sep_usb_logs

What am I typing wrong?


MuS
Legend

run it like this:

index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter)

seaed_ac
Explorer

That looks much better
Is it possible to list the final results by user_name?

If it is not too much to ask; I am not a programmer.


MuS
Legend

me neither 😉
Yes of course :

index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name

seaed_ac
Explorer

It shows a user_name "other", but when I click on the column Splunk shows no data.
Any ideas?


MuS
Legend

next one:

index=infosec sourcetype=sep_usb_logs file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name usenull=f useother=f

and read about the timechart command here http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Timechart

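Added illustration (not code from this thread, and not Splunk's own implementation): a small Python emulation of the final search, run over constructed SEP USB log lines laid out like the event quoted in the question. It shows the three pieces the thread assembled: the base filter (file_size>0 NOT vapi_name="File Delete"), a per-day distinct count of parameter split by user_name, and where the "OTHER" series comes from. In Splunk, timechart with a by-clause defaults to limit=10 and useother=t, so once more than ten user_name values appear the remaining users are merged into a single OTHER series (and events without a user_name land in NULL); useother=f and usenull=f drop those two series, which is why the extra column disappeared. The sample events, user names and file paths are all invented for this example; the ranking of series by their total is an assumption made for clarity.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone


def _line(usn, ts, vapi, user, param, size):
    """Build one constructed SEP USB log line in the page's key="value" layout."""
    fields = [("usn", usn), ("time_stamp", ts + " UTC"), ("host_name", "host"),
              ("vapi_name", vapi), ("caller_process_id", "632"),
              ("caller_process_name", "C:/Windows/explorer.exe"), ("parameter", param),
              ("ip_addr", "192.168.2.107"), ("file_size", str(size)),
              ("param_device_id", r"USBSTOR\Disk&Ven_PI-239&Prod_USB_2.0_Drive&Rev_1.08\533237584A39414232303131&0")]
    if user is not None:  # omit user_name entirely to exercise the NULL series
        fields.insert(7, ("user_name", user))
    return " ".join(f'{k}="{v}"' for k, v in fields)


# Constructed sample events (hypothetical; not taken from the original page).
SAMPLE_LOGS = [
    _line("1", "2015-09-29 04:29:38.391", "File Write", "alice", "E:/report.pdf", 1024),
    _line("2", "2015-09-29 04:31:00.000", "File Write", "alice", "E:/report.pdf", 1024),   # duplicate parameter
    _line("3", "2015-09-29 05:00:00.000", "File Write", "alice", "E:/budget.xlsx", 2048),
    _line("4", "2015-09-29 05:10:00.000", "File Write", "alice", "E:/empty.txt", 0),       # file_size 0: dropped
    _line("5", "2015-09-29 06:00:00.000", "File Write", "bob", "E:/invoice.xlsx", 4096),
    _line("6", "2015-09-29 06:05:00.000", "File Delete", "bob", "E:/invoice.xlsx", 4096),  # File Delete: dropped
    _line("7", "2015-09-30 09:00:00.000", "File Write", "carol", "E:/slides.pptx", 8192),
    _line("8", "2015-09-30 09:30:00.000", "File Write", "carol", "E:/memo.docx", 512),
    _line("9", "2015-09-30 10:00:00.000", "File Write", "dave", "E:/tool.exe", 65536),
    _line("10", "2015-09-30 11:00:00.000", "File Write", None, "E:/unknown.bin", 10),     # no user_name: NULL series
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Extract key="value" pairs; type the fields the search compares on."""
    ev = dict(KV_RE.findall(line))
    ev["file_size"] = int(ev.get("file_size", "0"))
    ev["_time"] = datetime.strptime(ev["time_stamp"], "%Y-%m-%d %H:%M:%S.%f %Z").replace(tzinfo=timezone.utc)
    return ev


def base_filter(ev):
    # Equivalent of:  file_size>0 NOT vapi_name="File Delete"
    return ev["file_size"] > 0 and ev.get("vapi_name") != "File Delete"


def timechart_dc(events, field="parameter", by="user_name", limit=10, useother=True, usenull=True):
    """Emulate `timechart dc(<field>) by <by>` with a one-day span.

    Returns {day: {series: distinct_count}}. Series beyond `limit` (ranked by
    total distinct count, an assumption for this example) are merged into OTHER
    when useother is set; events lacking the by-field form the NULL series.
    """
    buckets = defaultdict(lambda: defaultdict(set))  # day -> series -> set of field values
    for ev in events:
        series = ev.get(by)
        if series is None:
            if not usenull:
                continue
            series = "NULL"
        buckets[ev["_time"].strftime("%Y-%m-%d")][series].add(ev[field])

    named = {s for row in buckets.values() for s in row if s != "NULL"}
    totals = {s: sum(len(row.get(s, ())) for row in buckets.values()) for s in named}
    keep = sorted(named, key=lambda s: (-totals[s], s))[:limit]
    dropped = named - set(keep)
    has_null = any("NULL" in row for row in buckets.values())

    result = {}
    for day in sorted(buckets):
        row = {s: len(buckets[day].get(s, ())) for s in keep}
        if dropped and useother:
            # OTHER is a distinct count over the merged remainder, not a sum of counts
            row["OTHER"] = len(set().union(*(buckets[day].get(s, set()) for s in dropped)))
        if usenull and has_null:
            row["NULL"] = len(buckets[day].get("NULL", ()))
        result[day] = row
    return result


def run_search(lines, **chart_opts):
    """index=... sourcetype=... file_size>0 NOT vapi_name="File Delete" | timechart dc(parameter) by user_name"""
    return timechart_dc([ev for ev in map(parse_event, lines) if base_filter(ev)], **chart_opts)


if __name__ == "__main__":
    for day, row in run_search(SAMPLE_LOGS, limit=2).items():            # default useother/usenull
        print(day, row)
    for day, row in run_search(SAMPLE_LOGS, limit=2, useother=False, usenull=False).items():
        print(day, row)
```

Running the block with limit=2 reproduces the "OTHER" and "NULL" columns the thread hit; the second call shows the effect of usenull=f useother=f. One caveat worth keeping in mind when using this count as a data-loss metric: dc(parameter) counts a path once no matter how many removable devices it was written to, since param_device_id is not part of the key; counting distinct (parameter, param_device_id) pairs instead would count each copy to a different device.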

seaed_ac
Explorer

I forgot to mention that on average we could have about 13K logs within 24 hours.


seaed_ac
Explorer

It worked.
I have no idea where the user_name Other came from, but I ran a test and the numbers from the report match the logs.
Thank you very much for all your help and patience

Regards
