



Subsearch is a special case of the regular search where the result of a secondary or inner query is the input to the primary or outer query. It is similar to the concept of a subquery in the SQL language. In Splunk, the primary query should return one result which can be input to the outer or the secondary query. When a search contains a subsearch, the subsearch is run first. Subsearches must be enclosed in square brackets in the primary search.

We consider the case of finding a file from a web log which has the maximum byte size. Then we want to find only those events where the file size is equal to the maximum size, and the day is a Sunday.

We first create the subsearch to find the maximum file size. We use the stats max function with the field named bytes as the argument. This identifies the maximum size of the file for the time frame for which the search query is run. The below image shows the search and the result of this subsearch.

Adding the Subsearch

Next, we add the subsearch query to the primary or outer query by putting the subsearch inside square brackets. Also the search clause is added to the subsearch query. As we see, the result contains only the events where the file size is equal to the max file size found by considering all the events, and the event day is a Sunday.

A subsearch is a search that passes its results to an outer search as search terms. Subsearches can be used to narrow down the set of events you are searching on, or used with commands to combine the results of one search with the results of another.

Subsearches are enclosed in square brackets, and must start with a generating command such as the search command or tstats. Subsearches are always executed first, before passing their results to the outer search. In this example we can see our basic search followed by a subsearch in square brackets, followed by a set of additional commands. The results of the subsearch will have an OR boolean placed between them, and we will see the search expand into AND-ing the results of that subsearch, as field-value pairs separated by OR boolean operators, with the outer search.

We loaded in that knownusers.csv file earlier. We're going to use that knownusers.csv file within an inputlookup command in a subsearch, to access the lookup data and pass values to the outer search. In this example, let's jump over into running this search, taking a look at our security index, sourcetype of linux_secure. We're looking for failures and we want to see the unknown users. We know that we've loaded in the known users from that knownusers.csv file, and so if we wanted to filter on the unknown users: what happens by default with the subsearch is that we are going to "AND" the results of that subsearch, in this case looking for all of the security events that contain failures and users coming from this knownusers.csv. If we'd like to exclude those users and only return the unknown users, we'll place a NOT boolean in front of that inputlookup command, and run this search.

What we'll do from there is display this information within a table. Using the stats command, we will look at the unique values of the IP address, name that "attackerIP", and we'd like to get a count of events as failures, split by user, and we'd like to see which users had more than three failures. From here, we want to make sure we sort those failures in descending order, so we can see that the administrator user had the most failures.

These were all of the attacker IPs that that specific user used. So in this example we are including a NOT operator before our subsearch to exclude these lookup values. If we take a look at the search job inspector, it will display the expanded search string. Heading into "Inspect Job" and scrolling down into the search job properties, what we will see is a NOT boolean operator placed in front of each field-value pair coming from that knownusers.csv, invoked by the inputlookup command within the subsearch in square brackets. This search is going to count the number of failures by source IP.
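The failed-login search described in the transcript, written out as an added example (this is not the course's own search and it is not taken from the page). It assumes the linux_secure events carry extracted fields named user and src_ip, that knownusers.csv has a column named user, and that the literal term "failed password" is what identifies a failure in those events; if the lookup column is named differently, add a rename (for example `| rename username AS user`) inside the subsearch so the generated field-value pairs match the event field. Without the NOT, the same subsearch would restrict the outer search to the known users, which is the default AND behaviour the text describes.

```spl
index=security sourcetype=linux_secure "failed password"
    NOT [ inputlookup knownusers.csv | fields user ]  ```subsearch runs first and becomes an OR'd list of user=... pairs; NOT turns it into an exclusion```
| stats values(src_ip) AS attackerIP count AS failures BY user  ```src_ip and user are assumed field names, not from the page```
| where failures > 3  ```keep only users with more than three failures```
| sort - failures  ```descending, so the user with the most failures is first```
| table user attackerIP failures
```

To see the expansion the transcript refers to, open Job > Inspect Job after running the search and read the expanded search string in the search job properties; each user value from knownusers.csv appears there as its own field-value pair under the NOT. The inline triple-backtick comments are SPL comment syntax (supported in Splunk 8.0 and later) and can be dropped on older versions.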
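The web-log example (maximum byte size on a Sunday) as an added example search, not the tutorial's own query and not reproduced from the missing image. It assumes the web access events live in an index named web with sourcetype access_combined and have an extracted numeric field named bytes; the clientip and uri_path columns in the final table are also assumptions. The subsearch returns a single result with one field, bytes, so Splunk formats it as the search term bytes=<max> in the outer search, which is exactly the equality filter the text describes.

```spl
index=web sourcetype=access_combined
    [ search index=web sourcetype=access_combined | stats max(bytes) AS bytes ]  ```runs first; yields bytes=<largest size seen in the time range>```
| eval day=strftime(_time, "%A")  ```full weekday name derived from the event timestamp```
| where day="Sunday"
| table _time clientip uri_path bytes day  ```clientip and uri_path are assumed field names```
```

Because the subsearch's field is renamed to bytes with AS, its value is matched against the outer events' bytes field; if the aggregate were left as max(bytes), the outer search would look for a field literally named max(bytes) and return nothing. The weekday test is applied after the subsearch, so the result is the largest file of the whole time range only when it was served on a Sunday, matching the tutorial's stated outcome.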
