Here is my search  index=abc Status=FAILED | eval exception =if(bucket_name=s3-abc, "yes","no") | stats count by bucket_name exception now if my bucket name is s3-abc, it would print bucket_name=s3-abc and exception=yes, rest all buckets will fall under exception=no. Now i need to do this task through a lookup, i have a lookup which is buckets.csv and fields is there bucket_name, so I need to see that lookup if the bucket is there then it should print exception=yes rest it should print exception=no. i am doing like this but not getting anything index=abc Status=FAILED | eval exception =if(|search [|inputlookup bucket.csv |fields bucket_name], "yes","no") | stats count by bucket_name exception   ... View more

Please help me to create a search, where I need to detect any anomaly of any host sending excessive logs with compare to the last hour. For eg, if a host is sending x events this hour and next hour if it will send x+25% then we should get a trigger. ... View more

Is there any way to find out that my sourcetype is reading props? does it have any logs to check that whats all props my sourcetype is leveraging ... View more

I have datamodel as AWS and have 2 datasets 1.config and 2. cloud-trail ... Below is the query which i am using in dashboard to get desired information where i am passing fields but it is not working |tstats summariesonly=T from datamodel=AWS.config where config.configuration.instanceId=$field1$ OR config.configuration.networkInterfaceId=$field1$ OR config.configuration.groupId=$field1$ OR config.configuration.vpcId==$field1$ by config.aws_account_id | table config.configuration.instanceId config.configuration.networkInterfaceId config.configuration.groupId config.configuration.vpcId ... View more

If i have 3 column in lookup table like column "A" is dedicated for IP column "B" is dedicated for hash and column "C" is dedicated to URL. how can i match fields(IP,Hash,URL) of lookup table with the fields in index=main ... View more

This is my search for detecting brute force behavior- index="wineventlog" sourcetype=wineventlog:security | stats dc(action) as Attempts, earliest(_time) as FirstAppearance count(eval(match(action,"failure"))) as Failed, count(eval(match(action,"success"))) as Success max(eval(case(match(action,"failure"),_time))) as lastFailed max(eval(case(match(action,"success"),_time))) as lastSuccess values(src) as src by user | where Attempts>1 AND Failed>100 AND Success>0 | where lastFailed < lastSuccess Now what is happening it is taking cumulative of 100 as failures and if there is 1 success then it is triggering.... My question is how can i restrict it to 100 failures consecutive prior to 1-success i mean 1st event should not be success. ... View more

Pls tell me how can i track for any activity being done in content management For eg if i have changed drill down for any correlation search or if i have changed throttling Does these things get tracked? ... View more

Please see this query for brute force detection- index="wineventlog" sourcetype=wineventlog:security | search (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR EventCode=4776) | stats dc(action) as Attempts, count(eval(match(action,"failure"))) as Failed, count(eval(match(action,"success"))) as Success values(src) as src by user dest |where Attempts>1 AND Failed>10 AND Success>0..... So now whats happening i am getting results for failed>10 and success>0 but there could be scenario where 1st event would be success followed by 10 failures thats also coming but we dont want that .....its not brute force attack ....how i can accomplish first 10 events of failed followed by 11th event of success. ... View more

if i have 3 fields A,B,C and i need to match all entries for that fields index=main |search [|inputlookup abc.csv | fields A,B,C] | stats count by A,B,C would this be the right query ... View more