
How to edit my search to plot time ranges for hosts based on start/stop events?

Blu3fish
Path Finder

I'm trying to create a search that'll visualize when a network scan is being run against a particular target. To do this, I'm extracting a start and stop time based on a target and unique job (since job numbers can be reused). I want there to be a solid representation of this scan window, so I'm trying to mark a single event by linking the start/stop times to the unique target + job.

Sample start event:

[Mon Mar 20 21:15:45 2017][21243.5571392][JOB_NAME=f2cd71ab-fd0c-5d94-ae5f-b3974cd790ed-2383424/Chunk 101.][JOB_UUID=baff3d9a-4b13-cec6-d8b8-02b8307599c4b95da7ea96b5cb5d] user admin : testing 10.69.47.124 (10.69.47.124) [5571406] 

Sample stop event:

[Mon Mar 20 21:20:58 2017][21243.5571406][JOB_NAME=f2cd71ab-fd0c-5d94-ae5f-b3974cd790ed-2383424/Chunk 101.][JOB_UUID=baff3d9a-4b13-cec6-d8b8-02b8307599c4b95da7ea96b5cb5d] Finished testing 10.69.47.124. Time : 313.03 secs 

I'm able to achieve an approximation of the results I'm after using this search paired with an area chart, stack mode: not stacked, and connecting null values:

index=test sourcetype=testd testing
| rex field=_raw "user admin : testing (?<target_host>\S+).*?\((?<target_ip>\S+)\).+?"
| eval target=coalesce(target_host,target_ip)
| rex field=_raw "Finished testing (?<target>\S+).*? Time : (?<time>\S+?)\s+"
| rex mode=sed field=target "s/\.$//g"
| search target=10.69.47.124
| stats c as "Scan Window" by _time, target
| xyseries _time,target,"Scan Window"

This works for short time ranges, but if I broaden the time range to include additional times this host may have been scanned, the resulting chart displays the initial start time and the final stop time (essentially merging and displaying multiple scan windows as one).

I've been able to create a table showcasing the data I'm trying to visualize with a chart but I'm not sure what the next step would be:

index=test sourcetype=testd testing
| rex field=_raw "user admin : testing (?<target_host>\S+).*?\((?<target_ip>\S+)\).+?"
| rex "^[^/\n]*/\w+\s+(?P<chunk>\d+)"
| eval target=coalesce(target_host,target_ip)
| rex field=_raw "Finished testing (?<target>\S+).*? Time : (?<time>\S+?)\s+"
| rex mode=sed field=JOB_NAME "s/\/.*//g"
| rex mode=sed field=target "s/\.$//g"
| search target=10.69.47.124
| bin _time
| stats earliest(_time) as start, latest(_time) as stop by target,JOB_NAME,chunk
| convert ctime(start) ctime(stop)

woodcock
Esteemed Legend

You just need to consider the JOB_UUID field, too, like this:

index=test sourcetype=testd testing
| rex "\[JOB_UUID=(?<JOB_UUID>[^\]]+)\]"
| rex "user admin : testing (?<target_host>\S+).*?\((?<target_ip>\S+)\).+?"
| eval target=coalesce(target_host,target_ip)
| rex "Finished testing (?<target>\S+).*? Time : (?<time>\S+?)\s+"
| rex mode=sed field=target "s/\.$//g"
| search target=10.69.47.124
| eval target=JOB_UUID . "/" . target
| stats c as "Scan Window" by _time, target
| xyseries _time target "Scan Window"
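
The point of the answer is that the series key must include the job identity, not just the target, or separate scans of the same host collapse into one window. The following Python is an added, offline illustration of that keying over constructed log lines in the question's format (it is not SPL and not code from the thread; the UUIDs and second job are made up); `scan_windows(..., key_by_job=False)` reproduces the merged window the question describes, and the default keeps each JOB_UUID/target pair distinct.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the question's start/stop events:
# two separate jobs (different JOB_UUIDs) scanning the same target.
SAMPLE_LOG = """\
[Mon Mar 20 21:15:45 2017][21243.5571392][JOB_NAME=job-a/Chunk 101.][JOB_UUID=uuid-aaaa] user admin : testing 10.69.47.124 (10.69.47.124) [5571406]
[Mon Mar 20 21:20:58 2017][21243.5571406][JOB_NAME=job-a/Chunk 101.][JOB_UUID=uuid-aaaa] Finished testing 10.69.47.124. Time : 313.03 secs
[Mon Mar 20 22:00:00 2017][21243.5571500][JOB_NAME=job-b/Chunk 7.][JOB_UUID=uuid-bbbb] user admin : testing 10.69.47.124 (10.69.47.124) [5571501]
[Mon Mar 20 22:04:10 2017][21243.5571501][JOB_NAME=job-b/Chunk 7.][JOB_UUID=uuid-bbbb] Finished testing 10.69.47.124. Time : 250.00 secs
"""

# Header: [timestamp][pid.tid][JOB_NAME=...][JOB_UUID=...] message
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[[^\]]+\]\[JOB_NAME=[^\]]*\]\[JOB_UUID=(?P<job>[^\]]+)\] (?P<msg>.*)$"
)
START = re.compile(r"user admin : testing (?P<host>\S+)\s+\((?P<ip>\S+)\)")
# The stop line carries a trailing dot after the target ("10.69.47.124."),
# which the question strips with a sed-mode rex; the lazy \S+? plus \.? does it here.
STOP = re.compile(r"Finished testing (?P<target>\S+?)\.?\s+Time : (?P<secs>\S+) secs")


def parse_events(text):
    """Yield (timestamp, job_uuid, kind, target) for each start/stop line."""
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        if s := START.search(m["msg"]):
            yield ts, m["job"], "start", s["host"]   # mirrors coalesce(target_host, target_ip)
        elif e := STOP.search(m["msg"]):
            yield ts, m["job"], "stop", e["target"]


def scan_windows(text, key_by_job=True):
    """Return {key: (first_seen, last_seen)} per scan window.

    With key_by_job=True the key is (JOB_UUID, target); with False it is the
    target alone, so every scan of that host merges into one wide window.
    """
    first, last = {}, {}
    for ts, job, _kind, target in parse_events(text):
        key = (job, target) if key_by_job else target
        first[key] = min(ts, first.get(key, ts))
        last[key] = max(ts, last.get(key, ts))
    return {k: (first[k], last[k]) for k in first}


def window_seconds(windows):
    """Duration of each window in seconds, for comparison with the 'Time :' field."""
    return {k: (stop - start).total_seconds() for k, (start, stop) in windows.items()}
```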
