Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About psomeshwar
psomeshwar
Path Finder
Member since:
03-18-2024
a month ago
Community Statistics
| Posts | 20 |
| Solutions | 1 |
| Karma Given | 7 |
| Karma Received | 1 |
| Member Since | 03-18-2024 |
Activity Feed
- Posted Extracting fields from a large text field on Splunk Search. a month ago
- Got Karma for Re: Splitting a field after combining fields. 04-01-2024 12:17 PM
- Posted Re: Splitting a field after combining fields on Splunk Search. 04-01-2024 11:56 AM
- Posted Re: Splitting a field after combining fields on Splunk Search. 04-01-2024 09:56 AM
- Posted Splitting a field after combining fields on Splunk Search. 04-01-2024 08:28 AM
- Posted Re: Dividing combined value into separate values on Splunk Search. 03-21-2024 07:39 AM
- Posted Re: Dividing combined value into separate values on Splunk Search. 03-20-2024 11:58 AM
- Posted Dividing combined value into separate values on Splunk Search. 03-20-2024 11:35 AM
- Posted Re: Looking to add a field from another searched index to a finished table on Splunk Search. 03-19-2024 01:02 PM
- Posted Re: Looking to add a field from another searched index to a finished table on Splunk Search. 03-19-2024 12:27 PM
- Posted Looking to add a field from another searched index to a finished table on Splunk Search. 03-19-2024 11:29 AM
- Posted Re: Splitting one field into multiple fields on Splunk Search. 03-19-2024 07:33 AM
- Posted Re: Splitting one field into multiple fields on Splunk Search. 03-19-2024 07:22 AM
- Karma Re: Splitting one field into multiple fields for richgalloway. 03-19-2024 07:16 AM
- Posted Splitting one field into multiple fields on Splunk Search. 03-19-2024 06:30 AM
- Karma Re: Combining two fields into one field for isoutamo. 03-18-2024 02:29 PM
- Posted Combining two fields into one field on Splunk Search. 03-18-2024 02:15 PM
- Karma Re: I need a way to join two searches from different indexes for gcusello. 03-18-2024 09:41 AM
- Karma Re: I need a way to join two searches from different indexes for ITWhisperer. 03-18-2024 09:41 AM
- Karma Re: I need a way to join two searches from different indexes for gcusello. 03-18-2024 09:40 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
a month ago
Currently, I have a field called pluginText which is the following (italicized words are anonymized to what they represent): <plugin_output> The following software are installed on the remote host: Vendor Software [version versionnumber] [installed on date] ... ... ... </plugin_output> I wish to extract out Vendor, Software and versionnumber to separate fields and require a rex to do so. I am unfamiliar with using rex on this type of list, so I was hoping someone could point me in the right direction
... View more
04-01-2024
11:56 AM
1 Karma
So, @ITWhisperer and @richgalloway. I combined both offered solutions into the following which did end up working:
(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| rename jsonevent.external_ip as exip
| rename aip as agentip
| eval external_ip = coalesce(agentip, exip)
| eventstats list(jsonevent.hostname) as Hostnames, list(jsonevent.Username) as Users by external_ip
| eval hostuser = mvzip(Hostnames, Users)
| mvexpand hostuser
| eval HostUser = split(hostuser, ",")
| eval Hostnames=mvindex(HostUser, 0), Users=mvindex(HostUser, 1)
| rename AppVendor as Vendors, AppName as Applications, AppVersion as Version
| where isnotnull(Vendors)
| search Hostnames=*, Users=*
| table external_ip, Hostnames, Users, Vendors, Applications, Version
This gave me the result I wanted, but I also ended up with a caution that the list command reached a limit of 100 and had to truncate some events, and the search as a whole slows to a crawl. Is the list command that resource intensive?
... View more
04-01-2024
09:56 AM
I used this search and it did work, however, something that I probably should have mentioned earlier is that multiple hosts and users are linked to the same external ip, so I am now getting multivalue fields for the Hostnames and Users. Anything that can be done for that? Or should I combine the two fields beforehand, then split them after the eventstats command?
... View more
04-01-2024
08:28 AM
So, I have two indexes and sourcetypes with the following fields:
index1 and sourcetype1:
aip = 34.465.45.234
AppVendor = vendor1, vendor2, vendor3 (These are all from different events)
AppName = app2, app3, app1 (All from different events corresponding to position of the vendors above)
AppVersion = 3.0343, 1.354, 2.5465 (Same convention)
index2 and sourcetype2:
jsonevent.external_ip = 34.465.45.234
jsonevent.hostname = Host1
jsonevent.Username = User1
I use the following search:
(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| rename jsonevent.external_ip as exip
| rename aip as agentip
| eval external_ip = coalesce(agentip, exip)
| stats values(jsonevent.hostname) as Hostnames, values(jsonevent.Username) as Users, values(AppVendor) as Vendors, values(AppName) as Applications, values(AppVersion) as Version by external_ip
| search Hostnames=* Users=* Vendors=* Applications=* Version=*
I get the following:
external_ip Hostnames Usernames Vendors Applications Version
34.465.45.234 Host1 User1 Vendor1 app1 1.354 Vendor2 app2 2.5465 Vendor3 app3 3.0343
What I want is the following:
external_ip Hostnames Usernames Vendors Applications Version
34.465.45.234 Host1 User1 Vendor1 app2 3.0343 34.465.45.234 Host1 User1 Vendor2 app3 1.354 34.465.45.234 Host1 User1 Vendor3 app1 2.5465
Does anyone have any ideas how to achieve this?
... View more
03-21-2024
07:39 AM
The search is the following:
Index=index1 sourcetype=sourcetype1 hostname=* software != ""
| rex field=software "cpe:\/a:(?<Vendor>[^:]+):(?<Product>[^:]+):(?<Version>.*)"
| table hostname, Vendor, Product, Version
| dedup hostname, Vendor, Product, Version
... View more
03-20-2024
11:58 AM
The filldown command is not going to help me here. I don't think that I properly explained what I wanted to do. The original table looks like this: Hostname Vendor Product Version hostname1 Vendor1 Vendor2 Vendor3 Vendor4 Product1 Product2 Product3 Prodcut4 Version1 Version2 Version3 Version4 hostname2 Vendor1 Vendor2 Vendor3 Vendor4 Product2 Product4 Product3 Prodcut6 Version2 Version1 Version5 Version3 I want the new table to look like this: Hostname Vendor Product Version hostname1 Vendor1 Product1 Version1 hostname1 Vendor2 Product2 Version2 hostname1 Vendor3 Product3 Version3 hostname1 Vendor4 Product4 Version4 hostname2 Vendor1 Product2 Version2 hostname2 Vendor2 Product4 Version1 hostname2 Vendor3 Product3 Version5 hostname2 Vendor4 Product6 Version3
... View more
03-20-2024
11:35 AM
Currently, I have a table that looks like this: Table1 Hostname Vendor Product Version ----------------------------------------------------------------- hostname1 vendor1 product1 version1 vendor2 product2 version2 vendor3 product3 version3 vendor4 product4 version4 ----------------------------------------------------------------- hostname2 vendor1 product2 version2 vendor2 product4 version1 vendor3 product3 version5 vendor4 product6 version3 ----------------------------------------------------------------- In this scenario, each hostname has a list of vendors, products and versions attached to it. What I want to create is the following: Hostname Vendor Product Version hostname1 vendor1 product1 version1 hostname1 vendor2 product2 version2 hostname1 vendor3 product3 version3 hostname1 vendor4 product4 version4 hostname2 vendor1 product2 version2 hostname2 vendor2 product4 version1 hostname2 vendor3 product3 version5 hostname2 vendor4 product6 version3 Does anyone have any ideas?
... View more
03-19-2024
01:02 PM
When trying this, the result was the same as the previous attempt, only the hosts and username fields populating
... View more
03-19-2024
12:27 PM
So, I tried your solution and the result was: hosts username vendors products versions host1 user1 host2 user2 host3 user3 host4 user4 Also, I'm assuming you meant for the search to look like this: (index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) | rename device.hostname as hostname | rename device.username as username | eval hosts = coalesce(hostnames, hostname) | eval hosts = lower(hosts) | stats values(*) as * by hosts | table hosts, username, vendors, products, versions Otherwise, the search wouldn't yield any results
... View more
03-19-2024
11:29 AM
Currently, I have two tables Table1 hostnames vendors products versions host1 vendor1 product1 version1 host2 vendor2 product2 version2 host3 vendor3 product3 version3 host4 vendor4 product4 version4 Table2 device.hostname device.username HOST1 user1 HOST2 user2 HOST3 user3 HOST4 user4 The table that I want to generate from these two is the following: Table3 hosts username vendors products versions host1 user1 vendor1 product1 version1 host2 user2 vendor2 product3 version4 host3 user3 vendor3 product3 version3 host4 user4 vendor4 product4 version4 The search I tried was the following: (index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| rename device.hostname as hostname
| rename device.username as username
| eval hosts = coalesce(hostnames, hostname)
| table hosts, username, vendors, products, versions The result was the following: hosts username vendors products versions host1 vendor1 product1 version1 host2 vendor2 product3 version4 host3 vendor3 product3 version3 host4 vendor4 product4 version4 HOST1 user1 HOST2 user2 HOST3 user3 HOST4 user4 host1 and HOST1 both reference the same hostname, just one index had the letters capitalized and the other did not. Does anyone have any ideas?
... View more
03-19-2024
07:22 AM
Thanks, this did help me, although now, a new problem arose. When I split the fields, they are not listed in the corresponding order. For example, here is how it was shown originally: host software{} hostname cpe:/a:vendorA:product2:version3 cpe:/a:vendorB:product3:version1 cpe:/a:vendorC:product1:version2 With the new rex, it now looks like this: hostname software_vendor software_product software_version hostname vendorA product1 version1 vendorB product2 version2 vendorC product3 version3 Is there a way to keep the association between the vendor, product and version after the split?
... View more
03-19-2024
06:30 AM
Currently, I have a search that returns the following:
Search:
index=index1 sourcetype=sourcetype1 | table host, software{}
host software
hostname cpe:/a:vendor:product:version cpe:/a:vendor:product:version cpe:/a:vendor:product:version cpe:/a:vendor:product:version cpe:/a:vendor:product:version hostname cpe:/a:vendor:product:version ... ...
Here, there are multiple software tied to one hostname, and the software is under one field called software{}. What I am looking for is a way to split the software field into 3 fields by extracting the vendor, the product and the version into 3 separate fields to return:
host software_vendor software_product software_version
hostname vendor product version vendor product version vendor product version vendor product version vendor product version hostname vendor product version ... ...
Does anyone have any ideas?
... View more
Labels
- Labels:
-
field extraction
-
fields
-
regex
-
rex
-
table
03-18-2024
02:15 PM
I currently have two different fields Host Domain F32432KL34 domain.com I wish to combine these into one field that shows the following: F32432KL34@domain.com How would you suggest going about this?
... View more
03-18-2024
09:10 AM
Hello @gcusello
I managed to get it to work. The solution I used was:
(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2)
| rename cid as cid1
| rename jsonevent.cid as cid2
| eval jcid = coalesce(cid1, cid2)
| stats stats values(ApplicationName) AS ApplicationName values(ApplicationVersion) AS ApplicationVersion values(ApplicationVendor) AS ApplicationVendor values(hostname) AS hostname values(username) AS username BY jcid
Thanks, this thread helped me a lot
... View more
03-18-2024
08:48 AM
Hello @gcusello That is exactly what I did, the field name for cid in index1 is "cid" and the field name for cid in index2 is "jsonevent.cid" When I used the rename command, I only got the results from index2 and when I did not use the rename command, I only got the results from index1
... View more
03-18-2024
08:31 AM
Hello @gcusello
I tried that and it didn't work. Let me show how each search works:
(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) | stats values(ApplicationName) AS ApplicationName values(ApplicationVersion) AS ApplicationVersion values(ApplicationVendor) AS ApplicationVendor values(hostname) AS hostname values(username) AS username BY cid
Result:
cid ApplicationName ApplicationVersion ApplicationVendor hostname username 743fsd234 AppName AppVersion AppVendor null null
(index=index1 sourcetype=sourcetype1) OR (index=index2 sourcetype=sourcetype2) | rename jsonevent.cid AS cid | stats values(ApplicationName) AS ApplicationName values(ApplicationVersion) AS ApplicationVersion values(ApplicationVendor) AS ApplicationVendor values(hostname) AS hostname values(username) AS username BY cid
Result:
cid ApplicationName ApplicationVersion ApplicationVendor hostname username 743fsd234 null null null hostname username
... View more
03-18-2024
08:16 AM
Hello, Thanks, this does help a little, however, there is one problem. One of the indexes has their events in a json format, and the cid is formatted as jsonevent.cid. As a result, I am only getting one side of the events, and the other is blank. Is there a way to work aroudn this
... View more
03-18-2024
07:43 AM
Currently, I need to join information from two different indexes. I cannot show the information as it is confidential, but I can give a general overview of what it should look like
Search:
index=index1 sourcetype=sourcetype1 | table ApplicationName, ApplicationVersion, ApplicationVendor, cid
Result:
ApplicationName ApplicationVersion ApplicationVendor cid name 1.0.3 vendor 78fds87324 ... ...
Search2:
index=index2 sourcetype=sourcetype2 | table hostname, user, cid
Result:
hostname user cid domainname username 78fds87324 ... ...
What I need is a way to show the ApplicationName, ApplicationVersion, ApplicationVendor, hostname and username all in one table connected through the cid. Anyone have any ideas?
... View more
- Tags:
- index
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a month ago
|
