I am trying to run a search that shows executables that are run by any user on my network. Yet I want to exclude from the search typically run service .exe's and associated service user accounts. I have searched throughout the Splunk website and have done a fair amount of googling on how this can be done but had no success in my search. I have added what I have been trying to achieve below.
Can anyone help me figure out how to achieve this?
*.exe NOT ("Specific-Service-Account") NOT ("Specific-Service-Account1") NOT ("dsmod.exe") NOT $ NOT [| inputlookup ExclusionList.csv | ("User_Name") OR ("Image_File_Name")] | stats count by User_Name, Image_File_Name, host | sort count desc
You can add a flag to your lookup to tell the next part of the pipeline what to do.
e.g.
file.csv:
thing,exclude
some_user,1
other_user,1
Define the lookup as minimum match = 1 and fill unmatched values with 0.
then in your search
event_stream| lookup yourlookup thing | search exclude=0 | do something to what's left
much easier to maintain...
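A worked version of the flag approach above, written for the original poster's two fields (User_Name and Image_File_Name). This is an added example, not code from the answer or from Splunk documentation. It assumes a lookup table file named exclusion_flags.csv with the header thing,exclude and one row per excluded account or executable (for example svc_backup,1 and dsmod.exe,1; both the file name and the rows are constructed), and it uses index=<your_index> as a placeholder for the base search. Instead of setting min_matches and default_match in transforms.conf, it fills the missing flag with fillnull, which gives the same "unmatched means 0" behaviour entirely in the search:

```spl
index=<your_index> *.exe
| lookup exclusion_flags.csv thing AS User_Name        OUTPUT exclude AS user_excluded
| lookup exclusion_flags.csv thing AS Image_File_Name  OUTPUT exclude AS image_excluded
| fillnull value=0 user_excluded image_excluded
| search user_excluded=0 image_excluded=0
| stats count by User_Name, Image_File_Name, host
| sort count desc
```

Looking the same single-column lookup up twice, once per field, means an event is dropped when either its account or its image is flagged, rather than only when a specific account/executable pair is. The default lookup match is case sensitive, so account names that arrive in mixed case will slip past unless the lookup definition sets case_sensitive_match = false (or the search normalises the field with lower() before the lookup); that is the first thing to check when an exclusion "does not work".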
Thanks to all of you that gave me some pointers on a direction to go to with addressing my issue. I ended up going with something a little less complex in regards to using a table as a lookup for exclusions. Because I was only going to be having 10-15 service accounts and services that I needed to exclude, I chose to go with the following:
*.exe NOT ("Specific-Service-Account") NOT ("Specific-Service-Account1") NOT ("dsmod.exe") NOT $ NOT (ServiceAccount OR WHATEVER.exe) NOT (ServiceAccount1 OR WHATEVER1.exe) NOT (ServiceAccount2 OR WHATEVER2.exe) NOT (ServiceAccount3 OR WHATEVER3.exe) | stats count by User_Name, Image_File_Name, host | sort count desc
I don't see format there? Anyway, two errors that I can see right away: you're missing a pipe before inputlookup. Also after the first pipe you don't have a command at all? Just something that seems to be meant to be search filters?
Ayn:
Original search:
*.exe NOT ("Specific-Service-Account") NOT ("Specific-Service-Account1") NOT ("dsmod.exe") NOT $ NOT [| inputlookup ExclusionList.csv | ("User_Name") OR ("Image_File_Name")] | stats count by User_Name, Image_File_Name, host | sort count desc
Running search as you suggested:
inputlookup ExclusionList.csv | ("User_Name") OR ("Image_File_Name") | stats count by User_Name, Image_File_Name, host | sort count desc
Show the exact search you're running, please.
I tried running the subsearch on its own with the "| format" as you suggested and got the following error.
Error in 'format' command: The '
Ayn - I probably should have bolded out the search that I was trying to use so that it was a little more clear and stood out. The search that I started out with is mentioned above for you to review, in my original post. Thanks for taking the time to try and help me.
What does your search look like? And if this problem occurs when you add your subsearch, run the subsearch on its own (without the brackets etc) and add "| format" at the end. This will show you the exact filter string that the subsearch will emit.
Thank you both for your suggestions. I tried both and now seem to be getting an "unbalanced quote" error.
Better yet, don't use the where statement.
<yoursearch> NOT [|inputlookup ExclusionList.csv]
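The subsearch form above, spelled out with the original poster's lookup columns. This is an added example, not the commenter's code; index=<your_index> is a placeholder for the base search, and ExclusionList.csv is assumed to have the columns User_Name and Image_File_Name with blank cells where a row lists only one of the two. The point it shows is that a single subsearch over both columns would make format emit one (User_Name="x" AND Image_File_Name="y") clause per row, which only excludes that exact pairing; splitting the lookup into two one-column subsearches excludes each account and each executable on its own:

```spl
index=<your_index> *.exe
    NOT [| inputlookup ExclusionList.csv | fields User_Name       | where isnotnull(User_Name)]
    NOT [| inputlookup ExclusionList.csv | fields Image_File_Name | where isnotnull(Image_File_Name)]
| stats count by User_Name, Image_File_Name, host
| sort count desc
```

To see exactly what each bracket expands to before wiring it into the main search, run the subsearch body alone with | format appended, for example | inputlookup ExclusionList.csv | fields User_Name | where isnotnull(User_Name) | format, which returns a search string such as ( ( User_Name="svc_backup" ) OR ( User_Name="svc_sql" ) ). Rows whose cell is blank would otherwise contribute an empty-string match, which is why the isnotnull filter is there.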
Could you try this
your search query|where NOT [|inputcsv file.csv]
file.csv contains the User_Name,Image_File_Name list. Please give it a try.