If device_action is not fully populated, you can use values(), or populate missing values with another fillnull. | stats count by src_ip dest category mscore severity type malware threat_actor device_action If every event of interest has device_action (fully populated), include it in groupby index=pan_logs OR index=estreamer dest="*" If the initial search has a field named device_action, you can pass it just like other fields. | stats count by src_ip dest category mscore severity type malware threat_actor | search type=ipv4 | makemv delim=" " category Search that was Close, but needed additional iplocation data and action from device: |index=pan_logs OR index=estreamer dest="*" | lookup mandiant_master_lookup _key as src_ip output category mscore type malware threat_actor | inputlookup mandiant_master_lookup | search type=ipv4 | eval src_ip=_key | table category mscore type malware threat_actor
Second Search (Fields Needed: src_ip, category, mscore, type, malware, threat_actor | iplocation src_ip | stats count by src_ip dest City Country Index=pan_logs OR index=estreamer dest="*" If anyone could provide assistance or a recommendation with this matter it would be much appreciated.įirst Search (Fields Needed: src_ip, dest, City, Country them together based on common business attribute (i.e., join dimension). I would like to use the Mandiant indicators/information and another search to look for activity that occurred and getting the data from both into one table with a total count of detected activity. A good example is multitenant services based on multiple temporal and spatial. Using map, you can search for the latest event involving target_user of that name pattern in win* and search a corresponding duser event in between -1 minute and + 1 minute of that win* event.I have two searches/data sets that I would like to combine into a table, and am not entirely sure on what the correct process of completing the task is. Which index is expected to have the matching event first? Or is the logic simply to assume two otherwise matching events in the two indices within a certain time interval are "the correct time"? I will take the logic of matching target_user in index=win* with duser in index=PAM within any +/- 1 minute interval on the calendar. Product Splunk Enterprise Version 9.0. Lastly, to "find the correct time" in both datasets, there has to be a relationship between the two. Secondly, what does "check out" mean in terms of data? Also, "search for the latest time" something happens is somewhat in conflict with something can happen "many times during a work day." How do you expect to resolve this conflict? I will pursue the latest time first. Meanwhile, I will assume that target_group is uniquely determined by target_user.
Continue to Part 5: Enriching events with lookups.
SPLUNK JOIN 2 SEARCHES HOW TO
You have learned how to use fields, the Splunk search language, and subsearches to search your data. In other words, src_user is just another idle data field like result in this use case. Splunk Lantern Splunk experts provide clear and actionable guidance. Is this correct? Is there any relationship between this "user behind" and src_user? I will take the assumption of no relationship. Examples of streaming searches include searches with the following commands: search, eval, where, fields, and rex. This command requires at least two subsearches and allows only streaming operations in each subsearch. Is this correct? If so, suser must be "the user behind". Description The multisearch command is a generating command that runs multiple streaming searches at the same time. Which user will have that value XXXXX01, XXXXX02, etc? I am guessing that is target_user in the first, and duser in the second.
The first search returns a src_user and a target_user the second search involves a duser and an suser.
The question leaves a lot to be clarified.
0 kommentar(er)
