I want to see all transactions for all IPs returned from the subsearch. No results will be returned because the transaction command must include the startswith and endswith options. Not sure how to filter from here? I can do search X_MS_Forwarded_Client_IP="1.2.3.4" but that only works if I want to hard code a single IP into my search. | top 100 FromIP | search count>5 | table FromIP | rename FromIP as X_MS_Forwarded_Client_IP] Additionally, the transaction command adds two fields to the raw events. Transactions are made up of the raw text (the raw field) of each member, the time and date fields of the earliest member, as well as the union of all other fields of each member. This is the subsearch I have to find my target IP addresses which I need to filter on: [index="its-o365-audit" Status=Delivered SenderAddress="" FromIP!=129.100.* FromIP!=10.* The transaction command finds transactions based on events that meet various constraints. Because the field starts with a numeric it must be enclosed in single quotations. The results of which will contain the IP address in the X_MS_Forwarded_Client_IP field. Splunk Field Is Not Null Use the code button (101 010) to mark code. | transaction Security_ID Activity_ID Instance_ID maxspan=10s startswith=EventCode=4624 endswith=EventCode=410 | rex field=X_MS_Forwarded_Client_IP mode=sed "s/(,\d)//" transaction, strptime, strftime, eval, where xyseries, table etc. | eval Account_Name=mvindex(Account_Name, 1) SplunkTrust 11-14-2017 10:57 AM The where command accepts a single eval expression. Below is my query which is working but im writing it twice. In particular, Im looking forward, print only the rows where column fqdn not endswith udc.net and htc.com. | fields _time, Account_Name, Security_ID, Activity_ID, Instance_ID, X_MS_Forwarded_Client_IP, EventCode I am just into learning of Splunk queries, Im trying to grab a data from myfile.csv file based on the regex expression. host=ADFS* sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=501 OR EventCode=299 OR EventCode=410) I then need to filter those events to show only transaction events containing one of many IP addresses returned from a subsearch. I have a search which is using transaction to create events for each transaction.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |