Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About tffishe
tffishe
New Member
Member since:
12-18-2013
01-25-2021
Community Statistics
| Posts | 4 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 12-18-2013 |
Activity Feed
- Posted Re: How to get stats to set a field from the same event as another max() field on Splunk Search. 04-27-2017 10:23 AM
- Posted Re: How to get stats to set a field from the same event as another max() field on Splunk Search. 04-27-2017 06:00 AM
- Posted How to get stats to set a field from the same event as another max() field on Splunk Search. 04-25-2017 12:37 PM
- Tagged How to get stats to set a field from the same event as another max() field on Splunk Search. 04-25-2017 12:37 PM
- Tagged How to get stats to set a field from the same event as another max() field on Splunk Search. 04-25-2017 12:37 PM
- Posted how to better analyze web access logs (access_combined) on Security. 06-26-2015 01:11 PM
- Tagged how to better analyze web access logs (access_combined) on Security. 06-26-2015 01:11 PM
- Tagged how to better analyze web access logs (access_combined) on Security. 06-26-2015 01:11 PM
- Tagged how to better analyze web access logs (access_combined) on Security. 06-26-2015 01:11 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
04-27-2017
10:23 AM
The limits I referred to are (I am assuming) the same as what was affecting this discussion - https://answers.splunk.com/answers/453261/why-is-the-streamstats-command-not-returning-all-e.html. I'm seeing very similar results. If I run this search over the last seven days it is fine (just under 1 Mil results), but over 12 days it looks like it loses some of the events. My stats show lower counts for more days. It looks like the streamstats is just dropping some events without saying a word. I can build summary tables if I find I need to do this regularly; but it's concerning that a search would simply drop some events without any indication.
I will give rex a try for the replace to get the efficiency.
Thanks.
... View more
04-27-2017
06:00 AM
Good thought about simply using another sort.
I had already found a solution that worked myself using this:
sourcetype=caslog action="SERVICE_TICKET*" | fields _time,action,user,ticket,service,client_ip |
eval service=mvjoin(mvindex(split(service,"/"),0,3),"/") | eval Action=replace(action,"SERVICE_TICKET_","ST_") |
sort 0 ticket _time | streamstats first(service) as Service by ticket | streamstats first(user) as User by ticket |
streamstats first(_time) as stime by ticket | search action!="SERVICE_TICKET_CREATED" |
eval etime=_time-stime | eval stime=substr(strftime(stime, "%m/%d:%H:%M"),1,20) |
streamstats max(etime) as maxtime by Action,Service | eval maxticket=if(maxtime = etime,ticket,maxticket) |
eval maxuser=if(maxtime = etime,User,maxuser) |
stats count as Count, avg(etime) as ea, Min(etime) as el, max(etime) as eh, last(maxticket) as Max_Ticket,
last(maxuser) as Max_User by Action,Service | eval "Avg Ticket Time"=round(ea,3) |
eval "Low Ticket Time"=round(el,3) | eval "High Ticket Time"=round(eh,3) |
table Count,Action,Service,"Avg Ticket Time","Low Ticket Time","High Ticket Time",Max_Ticket,Max_User
Which uses streamstats to find the max time and then eval if to match the user and ticket for the max time. It works, but your solution was more efficient - cutting the time nearly in half.
I had also found my flaw in the subsearch for action after I added the eval to reduce the space occupied by the action. I had not caught my flaw in the first sort which should have been on ticket and time. For CAS service tickets that was key, so thanks for that.
Results are looking good now (although I can't do too long of time span or limits chops my results without telling me).
... View more
04-25-2017
12:37 PM
While handling our CAS logs I have a report that calculates the time it takes to validate a CAS service ticket.
I use stats to get the average, high, and low values for the time it takes for tickets to be processed (validated or failed to validate).
Right now I also include the last ticket and user in the stats output in case I want to look further into them.
The ticket and user are set for each event by the previous sort and multiple streamstats.
What I'd like to have instead of the last ticket and user in the stats command is the ticket and user from the event which had the max etime (elapsed time) field.
Can anyone suggest how I could get that?
Here is my search:
sourcetype=caslog action="SERVICE_TICKET*"
| fields _time,action,user,ticket,service,client_ip
| eval service=mvjoin(mvindex(split(service,"/"),0,3),"/")
| eval action=replace(action,"SERVICE_TICKET_","ST_")
| sort 0 service
| streamstats first(service) as Service by ticket
| streamstats first(user) as User by ticket
| streamstats first(_time) as stime by ticket
| search action!="SERVICE_TICKET_CREATED"
| eval etime=_time-stime
| stats count, avg(etime) as ea, max(etime) as eh, Min(etime) as el, last(ticket) as Last_Ticket last(User) as Last_User by action, Service
| eval Avg_Ticket_Time=round(ea,3)
| eval Low_Ticket_Time=round(el,3)
| eval High_Ticket_Time=round(eh,3)
|table count,action,Service,Avg_Ticket_Time,Low_Ticket_Time,High_Ticket_Time,Last_Ticket,Last_User
| sort 0 - action,count
... View more
06-26-2015
01:11 PM
OK - so I'm quickly becoming an even bigger Splunk fan when I put some of our key web access logs there to analyze what is going on when certain events impact the web servers. I was able to easily create reports and dashboards to view what is hitting the servers, identify hotspots by client or URI across a number of very disjointed web servers. Great so far.
But, now that I have it there I should be able to also alert on certain indicators that something bad has been logged in terms of what is in the access requests? I know that this is spilling into the realm of IDS and we don't want to duplicate work. But, our IDS will not detect "bad" requests in ssl (at least not without putting the key in so it can - which our does not have). So, If some "bad" access makes it to our server without the IDS detecting it but my access log is going to Splunk, couldn't I alert on it there.
Here is where my brilliant idea falls short - I'm not sure how to go about it. What am I looking for?
Has anyone tried to do anything like this?
I'd love to here your method and resuits.
Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-25-2021
05:03 AM
|
