Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About biers04
biers04
Explorer
Member since:
12-04-2017
04-19-2021
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 7 |
| Karma Received | 0 |
| Member Since | 12-04-2017 |
Activity Feed
- Posted Tstats with Sparkline limiting values on Splunk Search. 04-16-2021 12:27 PM
- Tagged Tstats with Sparkline limiting values on Splunk Search. 04-16-2021 12:27 PM
- Tagged Tstats with Sparkline limiting values on Splunk Search. 04-16-2021 12:27 PM
- Posted Phishing Domain Hunting with double TLDs on Splunk Search. 09-02-2020 10:00 AM
- Karma Re: If statement with lookup table for somesoni2. 06-05-2020 12:49 AM
- Karma Re: If statement with lookup table for cmerriman. 06-05-2020 12:49 AM
- Karma Re: Ingesting User Names for niketn. 06-05-2020 12:49 AM
- Karma Re: Pass token into search macro for elliotproebstel. 06-05-2020 12:49 AM
- Karma Re: Pass token into search macro for elliotproebstel. 06-05-2020 12:49 AM
- Karma Re: Is there a javascript token with the hostname of the Splunk server where Splunk Web runs? for koshyk. 06-05-2020 12:48 AM
- Karma Re: current user in search? for AzJimbo. 06-05-2020 12:46 AM
- Posted Re: Extract multiple file names from email attachments on Splunk Search. 03-13-2018 06:22 PM
- Posted Extract multiple file names from email attachments on Splunk Search. 12-22-2017 10:37 AM
- Tagged Extract multiple file names from email attachments on Splunk Search. 12-22-2017 10:37 AM
- Tagged Extract multiple file names from email attachments on Splunk Search. 12-22-2017 10:37 AM
- Tagged Extract multiple file names from email attachments on Splunk Search. 12-22-2017 10:37 AM
- Posted Re: Pass token into search macro on Splunk Enterprise. 12-08-2017 08:11 AM
- Posted Pass token into search macro on Splunk Enterprise. 12-08-2017 06:04 AM
- Tagged Pass token into search macro on Splunk Enterprise. 12-08-2017 06:04 AM
- Posted Re: Ingesting User Names on Splunk Enterprise. 12-07-2017 11:44 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-16-2021
12:27 PM
I am working on statsing firewall data into a sparkline. However, when I run the search, the sparkline caps out at 1800 results. This ends up being an issue because some sparklines end up just looking like a flat line, which is not very useful. Is there a way to work around this/a fix to this? | tstats count from datamodel=firewall where firewall.signature!="(9999)" by firewall.signature, _time, span=1ms
| stats sparkline sum(count) by log.threat_name Sparkline limit @ 1800
... View more
Labels
- Labels:
-
tstats
09-02-2020
10:00 AM
BLUF: is there a good way to search for double TLD's? I have been attempting to get at a way to hunt for double TLD's in a firewall index, and I am looking at how to improve on some basic searching. Basically, if you search tools like phishtank, you will see a lot of phishing domains like to spoof legitimate sites with something along the lines of "mybank.com.thisisabadguy.com" so you think you're navigating to "mybank.com." I've done very simplistic searches to see how things work, searching things like `index=firewall .com*.com | dedup url` just to see what results i get. Lots of false positives, what with Google Ad redirects, bing search results, etc. I can work with FP's though, I'll create a whitelist csv for that. Is there a way to get Splunk to recognize double TLD's, so instead of having to individually search .com*com, .org*.org, .ru*.ru, etc I can search where .tld*.tld?
... View more
Labels
- Labels:
-
field extraction
-
fields
-
lookup
03-13-2018
06:22 PM
Sorry all, completely forgot about it. Still an issue, but I don't have time to deal with it at this point. If I can delete the question, I will.
... View more
12-22-2017
10:37 AM
Trying to extract all email attachments file names. I am no good with Rex/Regex, so I used the automatic extraction in Splunk... However, the extraction is only pulling the first file name, never anything after.
In Splunk on the Extraction/Transfor, field I got
(?=[^"](?:"filename":|"."filename":))^[^/\n]*/\w+",\s+"\w+":\s+"(?P[^"]+)
Need to know what to add in order for it to loop through for each attachment.
... View more
12-08-2017
08:11 AM
So I will give you credit, you set me on the right path here. It did not quite work for me, but
| join [rest /services/authentication/current-context splunk_server=local | fields + username]
ended up working.
... View more
12-08-2017
06:04 AM
I created a search for pushing clean MD5 hashes to a CSV in order to filter out said MD5's. For non-repudiation purposes, I am attempting to send the current users name into the CSV as well.
To make it easier, the base search is below:
index=mcafee Customer=Yes AND signature!="[New*" AND ("ad.Executable_,Fingerprint"!="submit_hash_clean.csv" AND "file_name"!="submit_hash_clean.csv") $wild$
| dedup "Workstation_,Name"
| eval TIME=strftime(time,"%Y-%m-%d %H:%M")
| stats earliest(TIME) count by "Executable,Fingerprint"
| eventstats sum(count) as total_host
| where count<11
| rename "Executable_,Fingerprint" AS "File Hash", earliest(TIME) AS "First Seen", count AS Count
| table "File Hash", Count, "Set As Clean" "Username"
|eval "Set As Clean"="Clean"
| eval "Username"="$env:user_realname$"
| sort -Count
Then a search macro runs, pushing the MD5 to the CSV along with the file name (Command below). The issue I am having here is that the token $env:user_realname$ does not appear to be valid in the search macro. Username returns the literal string "$env:user_realname$" instead of the actual user name. If not in quotes, Username returns blank. I am not sure what I am missing.
| dedup "Executable_,Fingerprint"
| head 1
| table "file_name", "Executable_,Fingerprint", "Username"
| eval "Username"="$env:user_realname$"
| outputlookup append="true" submit_hash_clean.csv
... View more
- Tags:
- splunk-light
12-07-2017
11:44 AM
Actually, it appears that within the CSV, it returns just the literal string "$env:user_realname$"
My drilldown query is as follows:
| dedup "Executable_,Fingerprint"
| head 1
| fillnull value="NULL"
| search NOT NULL
| table "file_name", "Executable_,Fingerprint", "Username"
| eval "Username"="$env:user_realname$"
| outputlookup append="true" submit_hash_clean.csv
... View more
12-07-2017
10:46 AM
Brilliant! Thank you, was missing
eval username="$env:user_realname$" within the search macro.
... View more
12-07-2017
09:41 AM
row panel html h1 id="User">$env:user_realname$
Did not realize it would not display toe row panel html h1 tag - reinserted here without the <>
... View more
12-07-2017
09:40 AM
FYI to display usernames themselves it is $env:user_realname$ (don't need the h1 tag). I just need a possible way to grab the h1 and push that to the csv as well.
... View more
12-07-2017
08:35 AM
I am currently creating a dashboard for users.
index=mcafee AND Customer=Yes AND signature!="[New*" AND ("Executable_,Fingerprint"!="submit_hash_clean.csv" AND "file_name"!="submit_hash_clean.csv")
| dedup "Workstation_,Name"
| eval TIME=strftime(time,"%Y-%m-%d %H:%M")
| stats earliest(TIME) count by "file_name", Executable,Fingerprint
| eventstats sum(count) AS total_host
| where count<11
| rename file_name AS "File Name", earliest(TIME) AS "First Seen", count AS Count
| table "File Name", "Executable_,Fingerprint", Count, "Set As Clean"
| eval "Set As Clean"="Clean"
| sort - Count
When a user Clicks "Clean" it auto runs a query that pushes the file hash and filename to a CSV so we no longer see the file name associated with that file hash.
My problem comes in as I need non-repudiation. I am looking to push the current users name into the CSV, but I cannot figure out how to do so push the current user to a table. If I can get it to a table, I'll know how to push their name into the CSV. Current command I am attempting to use is "$env:user_realname$" as it grabs the users name instead of login name. I'm not sure if making it a token or there is something I am missing here.
... View more
- Tags:
- splunk-light
12-05-2017
12:36 PM
Basically, I want to filter out 50 alerts for first_customer, a completely different set of rules to filter for second_customer, and so on, up to about 25-30 customers. I think it would be much better to do this through one CSV lookup, just unsure how to specify to meet my needs.
... View more
12-05-2017
12:33 PM
There are a lot of customers and rules... Was looking not to have to specifically rule it out, but if that is the only way, I will deal with the cards I've been dealt.
... View more
12-04-2017
08:11 AM
Created a lookup table for Common File locations. I am going to filter these out of results using the lookup table, however there are a few customers we have where certain files are not authorized (despite of real world clean), so I would need to show results for these customers.
Basically, if C:\Program Files (x86)\Mozilla Firefox\Firefox, filtering this out with the lookup table... However, if customer=exampleCustomer, then the result should still display. Is this possible using lookup tables, or do I need to specifically search customer without the lookup.
... View more
- Tags:
- splunk-light
