From fa11c06012d445f588151eac062e90cbbcce8ffb Mon Sep 17 00:00:00 2001 From: Sam Date: Mon, 2 Oct 2023 22:00:23 -0400 Subject: [PATCH 1/5] init commit --- splunk.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 splunk.md diff --git a/splunk.md b/splunk.md new file mode 100644 index 0000000000..38ef9d776d --- /dev/null +++ b/splunk.md @@ -0,0 +1,7 @@ +--- +title: Splunk +category: Splunk +layout: 2017/sheet +updated: 2023-10-02 +--- + From f728e38655c5e4683de85b3514073b4658f429e4 Mon Sep 17 00:00:00 2001 From: Sam Date: Mon, 2 Oct 2023 22:19:31 -0400 Subject: [PATCH 2/5] added Sort command --- splunk.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/splunk.md b/splunk.md index 38ef9d776d..d2c2a5540c 100644 --- a/splunk.md +++ b/splunk.md @@ -5,3 +5,13 @@ layout: 2017/sheet updated: 2023-10-02 --- +### Sorting Results + +| Command | Results | +|:---- | ----------:| +| \| sort field1 | Sorts field1 in ascending order | +| \| sort 0 field1 | Sorts in ascending order and return all results | +| \| sort -field1 | Sorts in descending order | +| \| sort 100 field1 | Sorts ascending and return first 100 results | +| \| sort num(field1) | Sorts numerically | +| \| sort str(field1) | Sorts lexicographically | \ No newline at end of file From 27f7485d26d47915a6a9692c3388fd414d33fc2b Mon Sep 17 00:00:00 2001 From: Sam Date: Mon, 2 Oct 2023 22:34:36 -0400 Subject: [PATCH 3/5] adding intro to search, filtering results --- splunk.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/splunk.md b/splunk.md index d2c2a5540c..752a68e522 100644 --- a/splunk.md +++ b/splunk.md 
@@ -3,8 +3,17 @@ title: Splunk category: Splunk layout: 2017/sheet updated: 2023-10-02 +tags: [WIP] --- +### Introduction to Searching +| Command | Overview | +|:---- | ----------:| +| index='network_traffic' | Search returning events in the network_traffic index | +| index=* sourcetype='f5' | Search on all indexes that returns events mapped to the f5 sourcetype | +| \| datamodel Authentication | Search on the Authentication data model | +| \| tstats count WHERE index=_internal | Accelerated search on the _internal index | + ### Sorting Results | Command | Results | @@ -14,4 +23,16 @@ updated: 2023-10-02 | \| sort -field1 | Sorts in descending order | | \| sort 100 field1 | Sorts ascending and return first 100 results | | \| sort num(field1) | Sorts numerically | -| \| sort str(field1) | Sorts lexicographically | \ No newline at end of file +| \| sort str(field1) | Sorts lexicographically | + +### Filtering Results + +| Command | Results | +|:---- | ----------:| +| \| where distance > 100 | Keeps results where 'distance' is greater than 100 | +| \| dedup host | Keep the first result for each unique host | +| \| dedup source, host | Keep the first result for each unique combination of source and host values | +| \| dedup 3 source | Keep the first three results for each unique source | +| \| head 5 | Return the first 5 results | +| \| head (action="startup") | Return the first events until we reach an event that does not have action="startup" | +| \| tail 5 | Return the last 5 results | \ No newline at end of file From d3486a17c932878e22e2edbfdb31c784020fd84f Mon Sep 17 00:00:00 2001 From: Sam Date: Mon, 2 Oct 2023 23:05:16 -0400 Subject: [PATCH 4/5] added more content --- splunk.md | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 58 insertions(+), 1 deletion(-) diff --git a/splunk.md b/splunk.md index 752a68e522..883f94cbbf 100644 --- a/splunk.md +++ b/splunk.md 
@@ -35,4 +35,61 @@ tags: [WIP] | \| dedup 3 source | Keep the first three results for each unique source | | \| head 5 | Return the first 5 results | | \| head (action="startup") | Return the first events until we reach an event that does not have action="startup" | -| \| tail 5 | Return the last 5 results | \ No newline at end of file +| \| tail 5 | Return the last 5 results | + +### Reporting Results + +| Command | Results | +|:---- | ----------:| +| \| top 20 url | Return the top 20 most common results | +| \| top 5 user by host | Return the top 5 users for each host | +| \| top user, host | Return the top 10 (default) user-host combinations | +| \| rare 20 url | Return the 20 least common results | +| \| rare 5 user by host | Returns the 5 least common users for each host | +| \| rare user, host | Return the 10 (default) least common user-host combinations | + +## Stats + +| Command | Results | +|:---- | ----------:| +| \| stats dc(host) | Returns the distinct count of hosts (unique values) | +| \| stats avg(kbps) by host | Returns the average value of kbps | +| \| stats sum(count) as total | Returns a sum of events and renames column to total | +| \| stats count(events) | Returns a number of occurrences of events | + +Note: Stats commands utilize the Mathematical Calculations as seen below + +## Mathematical Calculations + +| Command | Results | +|:---- | ----------:| +| dc(x) | Distinct count of the values of 'x' field | +| count(x) | Number of occurrences of the values of 'x' field | +| avg(x) | Average of the values of 'x' field | +| max(x) | Maximum value within the 'x' field values | +| min(x) | Minimum value within the 'x' field values | +| median(x) | Middle-most value of field 'x' | +| mode(x) | Returns the most frequent value of field 'x' | +| perc(x) | Returns the percent-num value of field x. 
Perc5(x) for example returns 5th percentile | +| range(x) | Difference between max and min of 'x' | +| stdev(x) | Returns the standard deviation of field 'x' | +| sum(x) | Sum of values within the 'x' field | +| var(x) | Sample variance of field 'x' | + +## Value Selections + +| Command | Results | +|:---- | ----------:| +| first(x) | First value of the 'x' field (Chronologically) | +| last(x) | Last value of the 'x' field (Chronologically) | +| list(x) | lists all values of 'x' as a multivalue entry. Order values order of input events | +| values(x) | Returns all distinct values of 'x', ordered lexicographically | + +## Timechart ONLY + +| Command | Results | +|:---- | ----------:| +| per_day(x) | rate of field 'x' per day | +| per_hour(x) | rate of field 'x' per hour | +| per_minute(x) | rate of field 'x' per hour | +| per_second(x) | rate of field 'x' per second | \ No newline at end of file From 3ab60b4057d2e73c04fac9a9952c1b81e9f40ec6 Mon Sep 17 00:00:00 2001 From: Sam Date: Wed, 4 Oct 2023 21:23:49 -0400 Subject: [PATCH 5/5] finishing touches --- splunk.md | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/splunk.md b/splunk.md index 883f94cbbf..c5885e1dd5 100644 --- a/splunk.md +++ b/splunk.md @@ -13,6 +13,7 @@ tags: [WIP] | index=* sourcetype='f5' | Search on all indexes that returns events mapped to the f5 sourcetype | | \| datamodel Authentication | Search on the Authentication data model | | \| tstats count WHERE index=_internal | Accelerated search on the _internal index | +| index='network_traffic' [search 404 \| return src] | A search utilizing a sub-search | ### Sorting Results 
@@ -92,4 +93,26 @@ Note: Stats commands utilize the Mathematical Calculations as seen below | per_day(x) | rate of field 'x' per day | | per_hour(x) | rate of field 'x' per hour | | per_minute(x) | rate of field 'x' per hour | -| per_second(x) | rate of field 'x' per second | \ No newline at end of file +| per_second(x) | rate of field 'x' per second | +| \| timechart span=1m avg(CPU) by host | Charts the average cpu usage by host each minute | + +## Field Manipulation + +| Command | Results | +|:---- | ----------:| +| fields - x, y | Removes fields x and y from the results | +| fields x y | Keeps only fields x and y | +| fields err* | Keeps all fields that begin with err | +| replace 127.0.0.1 with localhost | Changes all field values of 127.0.0.1 with localhost | +| replace aug with August in start_month end_month | Changes all field values of aug to August in the start_month and end_month fields| +| eval velocity=distance/time | Sets a velocity field which equals distance divided by time | +| eval status = if(error == 200, "OK", "Error") | Sets status to ok if 200 otherwise sets status to Error | +| rex | Allows for Perl Compatible Regular Expressions | + +### Lookups +| Command | Results | +|:---- | ----------:| +| \| lookup dnslookup host OUTPUT ip | Adds the ip to corresponding hosts (host) from the dns lookup. Host must match in the lookup and in the events being searched through. | +| \| inputlookup users.csv | Searches the users.csv lookup table file directly | +| \| outputlookup usertogroup | Writes to the usertogroup lookup table | +| \| outputlookup usertogroup append=True | Appends data to the usertogroup lookup table file |
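Review bot: In patch 2/5 (hunk `@@ -5,3 +5,13 @@`), the `sort 0` row is only meaningful if the table states the default limit: `| \| sort 0 field1 | Sorts in ascending order and return all results |` should say that `sort` without a count returns at most 10000 results and that `0` removes that cap; the verb forms in that row and in `| \| sort 100 field1 | Sorts ascending and return first 100 results |` should also be "returns" to match the rest of the column. This commit, and every later one in the series, ends with `\ No newline at end of file`; add the trailing newline once here so the later hunks stop rewriting the last row.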
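Review bot: In patch 3/5 (hunk `@@ -3,8 +3,17 @@`), the quoting in `| index='network_traffic' | ...` and `| index=* sourcetype='f5' | ...` is wrong for SPL: string values take double quotes (`index="network_traffic"`, `sourcetype="f5"`, or no quotes at all), while single quotes delimit field names in `eval`/`where`. The series already uses double quotes in `head (action="startup")` and `if(error == 200, "OK", "Error")`, so the intro table should match. The `| \| datamodel Authentication |` row is described as "Search on the Authentication data model", but `datamodel` with only a model name returns the model's JSON definition, not events; running the search needs the dataset name and the `search` argument, for example `| datamodel Authentication Authentication search`.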
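Review bot: In patch 3/5 (hunk `@@ -14,4 +23,16 @@`), the `dedup` rows say "Keep the first result", but "first" here means first in search order, which for a normal search is the most recent event per host; say so, since an analyst reading `| \| dedup host | Keep the first result for each unique host |` will otherwise assume the oldest one (the `sortby` option changes which event is kept). The `| \| head (action="startup") |` row should also mention that the event that breaks the condition is dropped unless `keeplast=true` is set. Minor: the column mixes "Keeps" and "Keep"/"Return"; pick one form.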
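Review bot: In patch 4/5 (hunk `@@ -35,4 +35,61 @@`), `| per_minute(x) | rate of field 'x' per hour |` is a copy-paste error and should read "per minute". The `first(x)`/`last(x)` descriptions are backwards: `first()` returns the first value seen in the input order of the `stats` command, which with default search ordering is the most recent event; `earliest()`/`latest()` are the time-based functions, so drop "(Chronologically)" or switch to those. `| \| stats count(events) |` only counts events where a field literally named `events` is non-null; the idiom for counting events is `| stats count`, and `| \| stats avg(kbps) by host |` should say "per host". The `perc(x)` row should give the real form, `perc<N>(x)` such as `perc95(x)` (the function name carries the percentile, and the row's "Perc5(x)" capitalisation does not match the rest of the table). Heading levels are also inverted: `## Stats`, `## Mathematical Calculations`, `## Value Selections` and `## Timechart ONLY` sit under `### Reporting Results`; the sheet uses `###` for sections, so these should too.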
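Review bot: In patch 5/5 (hunk `@@ -13,6 +13,7 @@`), the new subsearch row `| index='network_traffic' [search 404 \| return src] | A search utilizing a sub-search |` inherits the single-quote problem from the intro table (`index="network_traffic"`), and the description should state what the subsearch does: `return src` yields one `src=<value>` pair by default (`return 5 src` for five) and subsearches are capped at 10000 results and 60 seconds unless the limits are raised. Note also that `\|` is a markdown-table escape only; the SPL a reader types is `[search 404 | return src]`. This commit is titled "finishing touches" but leaves `tags: [WIP]` in place and does not bump `updated: 2023-10-02` even though it is dated 4 Oct.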
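Review bot: In patch 5/5 (hunk `@@ -92,4 +93,26 @@`), the row `| \| timechart span=1m avg(CPU) by host | Charts the average cpu usage by host each minute |` is a command appended to a table whose other rows are functions ("Timechart ONLY"); move it into its own row under a command table or into Reporting Results. The Field Manipulation rows (`fields - x, y`, `replace ...`, `eval ...`, `rex`) are the only ones in the sheet without the leading `\|`, and `| rex | Allows for Perl Compatible Regular Expressions |` gives no syntax at all; a minimal form such as `| rex field=_raw "user=(?<user>\S+)"` would make the row usable. In `| eval status = if(error == 200, "OK", "Error") | Sets status to ok if 200 ... |` the description says "ok" while the code writes "OK". `| \| outputlookup usertogroup append=True |` should use lowercase `append=true` as documented, and `### Lookups` needs a blank line before its table like the other sections.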