Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About RyanDonnelly22
RyanDonnelly22
Explorer
Member since:
08-08-2019
11-16-2021
Community Statistics
| Posts | 7 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 08-08-2019 |
Activity Feed
- Karma Re: Limiting a Search by number of events over a period of time for PickleRick. 11-16-2021 10:01 AM
- Posted Limiting a Search by number of events over a period of time on Splunk Search. 10-26-2021 10:20 AM
- Posted Splunk Maps plotting using physical address (not IP Address) on Dashboards & Visualizations. 06-22-2021 10:43 AM
- Posted Splunk Visualization Char counting by wrong field on Splunk Search. 02-06-2020 12:43 PM
- Tagged Splunk Visualization Char counting by wrong field on Splunk Search. 02-06-2020 12:43 PM
- Tagged Splunk Visualization Char counting by wrong field on Splunk Search. 02-06-2020 12:43 PM
- Tagged Splunk Visualization Char counting by wrong field on Splunk Search. 02-06-2020 12:43 PM
- Tagged Splunk Visualization Char counting by wrong field on Splunk Search. 02-06-2020 12:43 PM
- Tagged Splunk Visualization Char counting by wrong field on Splunk Search. 02-06-2020 12:43 PM
- Posted Re: How do you compare multiple events to filter out the same host with different field values? on Splunk Search. 08-09-2019 11:03 AM
- Posted Re: How do you compare multiple events to filter out the same host with different field values? on Splunk Search. 08-08-2019 11:27 AM
- Posted Re: How do you compare multiple events to filter out the same host with different field values? on Splunk Search. 08-08-2019 11:21 AM
- Posted How do you compare multiple events to filter out the same host with different field values? on Splunk Search. 08-08-2019 08:30 AM
- Tagged How do you compare multiple events to filter out the same host with different field values? on Splunk Search. 08-08-2019 08:30 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-26-2021
10:20 AM
I am trying to search for a number of events over a select period of time (4 hours) and then expand that to see how much of this traffic is in a 30 day period. I can use the time ranger picker for the initial 4 hours, but when expand it, I am getting too much data. Search I am using: index="Firewalls" action=blocked | stats count by client_ip | search count > 3500 | sort -count Is there a way to limit the results to be something like "search count > 3500 over 4 hours" and have the time range be 30 days?
... View more
06-22-2021
10:43 AM
I am trying to create a map visualization from a list of data that has the the physical address of the event in a filed named 'location' | inputlookup data.csv | table location | Example data Earth Wytheville, VA Boston, MA 1 Main St, Waltham, Massachusetts Mexico City, Mexico Wellington St, Ottawa, ON K1A 0A9, Canada I want to talk these physical addresses and add them to the Map Visualization in Splunk, but am not seeing how to add the data to the chart.
... View more
02-06-2020
12:43 PM
I have a monitoring search, that we are viewing both as a graph and when drilling in, as the events. When viewing the events, the information is correct, no issue, but when viewing the data as a chart, every once in a while we get an error.
Normally the graphs bars are counting by the Clinet_IP and the number of event it sees, but for some it randomly switches to counting by by the user name (while still saying it's the Client_IP).... For clarification, most user names are either 'unknown' or 'domain\123456' but some are just '123456' and it's those that are causing issues.
I don't want to take out the usernames from the search, as it provides valuable information when the team is drilling into the events, but this error is annoying to deal with.
This is the search we are running:
index="pan_logs"
| search action=blocked NOT "symantec"
| fillnull user value="N/A"
| stats values(http_category) values(dest_name) values(user) as UserName count by client_ip | sort -count | head 100
... View more
08-09-2019
11:03 AM
I was able to find an answer.
I need to use the 'where' command at the end of my search
| stats values(risk) as Severity values(message) as Message values(Malware) as Malware values(Owner) as Owner values(state) as Status values(customer_id) as Helix values(Time) as Time count by Source
| where Status !="Closed" and Owner=" "
| sort -Status
... View more
08-08-2019
11:27 AM
Here is an example of the results we see:
(first host, we would want to filter down to just see hosts like this)
Source: 10.0.0.14 Severity: Medium
Message: FIREEYE NX ALERT [SmartVision-Event] Malware: user enumeration attempt
Owner: Status: Open Time: 8/8/2019 11:37
count: 1
(second and third host, would want to filter out all of these due to one of their Owner fields being full and one of the Status fields being set to Closed)
Source: 10.0.0.11 Severity: Low
Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware
Owner: user2@corp.com Status: Closed Time: 8/8/2019 10:07
Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware
Owner: user2@corp.com Status: Open Time: 8/8/2019 10:27
count: 2
Source: 10.0.0.10 Severity: Low
Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware
Owner: user1@corp.com Status: Closed Time: 8/8/2019 10:27
Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware
Owner: user1@corp.com Status: Open Time: 8/8/2019 11:12
Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware
Owner: user1@corp.com Status: Time: 8/8/2019 11:27
count: 3
... View more
08-08-2019
11:21 AM
Here is an example looking at the result of the current search we use. We would want to be able to filter it out to only the ones that are just open:
(first host, we would want to filter down to see events like this)
Source: 10.0.0.14 Severity: Medium
Message: FIREEYE NX ALERT [SmartVision-Event] Malware: user enumeration attempt
Owner: Status: Open Time: 8/8/2019 11:37
count: 1
(second and third host, would want to filter out all of these due to the Owner field being full in at least one of the events, and one of the Status fields being set to Closed)
Source: 10.0.0.11 Severity: Low
Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware
Owner: user2@corp.com Status: Closed Time: 8/8/2019 10:07
Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware
Owner: user2@corp.com Status: Open Time: 8/8/2019 10:27
count: 2
Source: 10.0.0.10 Severity: Low
Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware
Owner: user1@corp.com Status: Closed Time: 8/8/2019 10:27
Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware
Owner: user1@corp.com Status: Open Time: 8/8/2019 11:12
Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware
Owner: Status: Time: 8/8/2019 11:27
count: 3
... View more
08-08-2019
08:30 AM
I have alert logs coming in from an AV tool and when a tech is working on an alert assigned it to themselves, it generates a new log file, same when it is closed.
This is the basic search I have for all the events:
index="AV"
|rename assignedTo.username as Owner
| rename alertTypeDetails.detail.agenthostname as agenthostname
|rename alertTypeDetails.source as source
| eval "Source"=coalesce(source,agenthostnamee," N/A ")
| rename alertTypeDetails.detail.virus as virus
| rename alertTypeDetails.detail.category as category
| eval "Malware"=coalesce(iocnames, virus, category, " N/A ")
| eval Owner=if(isnull(Owner)," ",Owner)
| eval Time=strftime(_time, " %m/%d/%Y %H:%M:%S")
| stats values(risk) as Severity values(message) as Message values(Malware) as Malware values(Owner) as Owner values(state) as Status values(customer_id) as Helix values(Time) as Time count by Source
| sort -Status
I want to exclude the hosts that have additional events where the values of Owner is not " " and the Status is not Open, so I can just see the new events that haven't been assigned or closed yet.
... View more
- Tags:
- splunk-cloud
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-16-2021
02:16 PM
|
