Splunk Search

Can you do a data model search based on tstats and macros?

david_casey
Path Finder

Can you do a data model search based on a macro? Trying, but Splunk is not liking it. It yells about the wildcards (*), or returns no data, depending on the syntax.

Base data model search:

| tstats summariesonly=true count FROM datamodel=Web.Web BY Web.url, Web.client_ip

The macro (coinminers_url) contains url patterns as follows:

"0aqpqdju.me" OR "0x1f4b0.com" OR "12finance.com" OR "1480876790.rsc.cdn77.org" OR "1beb2a44.space" OR "1q2w3.fun" OR "1q2w3.me"

The objective is to cross reference the macro for any matches in the Web data model and display the date/time and internal client IP that hit one (or more) matches from the macro list. These will be the clients that hit a known coinminer domain, which we maintain a list of based on a GitHub repo list. That list is quite large so a traditional search can take quite a while.

Suggestions?

0 Karma

DalJeanis
Legend

You can build a macro that will use the WHERE fieldname IN ("list","of","values") format. Per the docs, the below format should work with wildcards in the macro. https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/ConditionalFunctions

First try this with 3 values and see if it works...

 | tstats summariesonly=true count FROM datamodel=Web.Web
    WHERE Web.url IN ("0aqpqdju.me", "0x1f4b0.com",...)
    BY Web.url, Web.client_ip

If it works, then just build a macro that resolves to that whole second line.

... if you can't get the above working, then try this, but it will not work with wildcards...

 | tstats summariesonly=true count FROM datamodel=Web.Web BY Web.url, Web.client_ip
 | where in('Web.url', "0aqpqdju.me", "0x1f4b0.com",...)
0 Karma
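The IN-list macro DalJeanis describes, written out as an added example (this is not code from the thread or from Splunk's documentation). Two details decide whether it runs: in tstats the WHERE clause goes before BY, so a `where` placed after the BY list is not read as a filter, and wildcards are accepted in WHERE values but never in BY fields. The macro is assumed to wrap each domain in `*...*` because the wildcards were stripped from the post; the three domains are from the question, and `first_seen`/`last_seen` are names chosen here. The `#` lines are annotations for the reader, not SPL syntax; the stanza belongs in macros.conf.

```spl
# macros.conf, in the app that owns the search. Each pattern is wrapped in *
# so it matches anywhere in Web.url (wildcard placement is an assumption).
[coinminers_url]
definition = (Web.url IN ("*0aqpqdju.me*", "*0x1f4b0.com*", "*12finance.com*"))

# The search: the macro expands into the WHERE clause, which comes before BY.
# Wildcards are only legal here, never in the BY field list.
| tstats summariesonly=true count min(_time) AS first_seen max(_time) AS last_seen
    FROM datamodel=Web.Web
    WHERE `coinminers_url`
    BY Web.client_ip, Web.url
| rename Web.* AS *
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

Prove the macro with three entries first, as suggested, then generate the full definition from the GitHub list with a script. Treat that list as untrusted input: it is spliced into search text, so reject any entry containing characters outside a hostname (a stray double quote or backtick would break, or silently change, the search). Leading-wildcard terms are the expensive part of the filter; if your CIM version populates Web.url_domain (an assumption about the environment), matching the domain field instead of the full URL lets the patterns drop the leading `*`.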

david_casey
Path Finder

Thanks D... No go unfortunately.

| tstats summariesonly count FROM datamodel=Web.Web BY Web.url, Web.client_ip where Web.url IN ("0aqpqdju.me", "0x1f4b0.com",...)

Error: Error in 'TsidxStats': Wildcards (*) are not supported in groupby fields

(FYI - The wildcards are being stripped in the above query when posted here.)

As to the second option, it won't work. It has to contain the wildcards, since the URL can vary wildly.

Seems like this should be a simple pattern matching search against the DM.

Someone suggested using macros.conf and transforms.conf in another channel. Will give that a try.

0 Karma
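The transforms.conf route mentioned above, as an added example (not code from the thread): a wildcard lookup keeps the domain list as data in a CSV instead of splicing it into the search string. The lookup name, the `url_pattern` and `threat` columns, and the CSV rows are constructed for this example; the three domains come from the question, and the `#` lines are annotations rather than SPL.

```spl
# transforms.conf: a CSV lookup whose url_pattern column is matched as a wildcard.
# max_matches = 1 keeps a URL that hits several patterns to a single row.
[coinminer_domains]
filename    = coinminer_domains.csv
match_type  = WILDCARD(url_pattern)
max_matches = 1

# lookups/coinminer_domains.csv (constructed sample rows; regenerate from the feed)
url_pattern,threat
*0aqpqdju.me*,coinminer
*0x1f4b0.com*,coinminer
*12finance.com*,coinminer

# The search: aggregate from the accelerated summary first, then tag each
# client/URL pair through the lookup and keep only the rows that matched.
| tstats summariesonly=true count min(_time) AS first_seen max(_time) AS last_seen
    FROM datamodel=Web.Web
    BY Web.client_ip, Web.url
| rename Web.* AS *
| lookup coinminer_domains url_pattern AS url OUTPUT threat
| where isnotnull(threat)
| convert ctime(first_seen) ctime(last_seen)
| table first_seen last_seen client_ip url count
```

This is slower than filtering inside tstats, because every client/URL pair leaves the summary before the lookup runs, but the list can be refreshed by replacing the CSV (or with a scheduled search ending in `outputlookup`) without touching any search text, and an odd character in a feed entry is just a pattern that never matches rather than a broken or altered search. Creating the lookup through Settings > Lookups produces the same definition as the transforms.conf stanza.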