Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search the count of keywords for each individual event, not for all events?

adaam94
Explorer
‎11-25-2015 03:04 PM

How do I count the number of times keywords such as DROP, SELECT, FROM and WHERE appear for each event I have indexed? Looking at the HTTP header example I have, this is a single event. Is there an easy way to only count keywords from this as the searches I have used count all the keywords for all the events, but I only want a keyword count for each event. 

"24455","POST","http://localhost:8080/tienda1/publico/pagar.jsp","HTTP/1.1","Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.8 (like Gecko)","no-cache","no-cache","text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5","x-gzip, x-deflate, gzip, deflate","utf-8, utf-8;q=0.5, *;q=0.5","en","localhost:8080","close","103","application/x-www-form-urlencoded","JSESSIONID=12546061FC0154DC98FEC5A70E87F6B4","B1='; DROP TABLE usuarios; SELECT * FROM datos WHERE nombre LIKE '%","anom"

So for this example the answer should be 4. any suggestions?

Thanks

0 Karma
Reply

adaam94
Explorer
‎11-26-2015 04:19 AM

index=* | regex payload="SELECT | UPDATE | INSERT | CREATE| ALTER | RENAME | WHERE | DROP"
| rex max_match=0 "(?SELECT | UPDATE | INSERT | CREATE |ALTER | RENAME | WHERE | DROP )"
| eval amount=mvcount(keywords)
| table payload, amount
| rename amount as "No. of Keywords"

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎11-26-2015 05:13 AM

I ran it to test and made a few tweaks:

index=* | eval mystring="24455,POST,http://localhost:8080/tienda1/publico/pagar.jsp,HTTP/1.1,Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.8 (like Gecko),no-cache,no-cache,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5,x-gzip, x-deflate, gzip, deflate,utf-8, utf-8;q=0.5, ;q=0.5,en,localhost:8080,close,103,application/x-www-form-urlencoded,JSESSIONID=12546061FC0154DC98FEC5A70E87F6B4,B1='; DROP TABLE usuarios; SELECT FROM datos WHERE nombre LIKE '%,anom"
| rex max_match=0 field=mystring "(?<keywords>SELECT|UPDATE|INSERT|CREATE|ALTER|RENAME|WHERE|DROP)"
| eval amount=mvcount(keywords)
| table mystring, keywords, amount
| rename amount as "No. of Keywords"

And that returns keywords of DROP, SELECT and WHERE and a count of 3.

For your data, you won't likely need a lot of that:

sourcetype=blah eventtype=bleh my base search here ... 
| rex max_match=0 field=mystring "(?<keywords>SELECT|UPDATE|INSERT|CREATE|ALTER|RENAME|WHERE|DROP)"
| eval number_of_keywords=mvcount(keywords)

Give that a try and report back here to adaam94 on how it worked!

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎11-26-2015 04:55 AM

adaam94,

I converted your comment to an answer so hopefully it can be accepted!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...