Tag: Splunk

Using map Command in Splunk

The map command in Splunk is a powerful tool that runs a secondary search for each result of a primary search. This allows dynamic, nested investigations, which is particularly useful in cybersecurity for chasing indicators of compromise (IOCs) across data sources or for drilling into a specific user's activity. Example of use: we can make the […]
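As an added example (not from the original post), a two-stage hunt: the primary search finds accounts with an unusual number of failed logons, and map runs one secondary search per account to see whether any of them later succeeded and from where. The index and field names (index=auth, action, user, src_ip) are assumed; substitute the ones from your own authentication sourcetype.

```spl
index=auth action=failure earliest=-24h
| stats count AS failures by user
| where failures > 20
| map maxsearches=25 search="search index=auth action=success user=\"$user$\" earliest=-24h | stats min(_time) AS first_success, dc(src_ip) AS distinct_src, values(src_ip) AS src_ips by user"
| convert ctime(first_success)
```

Two things to keep in mind: map runs the inner search once per row, serially, and stops at maxsearches (default 10), so keep the primary search narrow and set the limit explicitly; and `$user$` is substituted as literal text into the inner search string, so a value containing quotes or spaces can break the inner query. Only the inner search's output fields come back, which is why the example re-emits `user` in its stats clause.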

Splunk: Using collect Command for Creating New Events in a New Index

In some scenarios you may need to save the results of a search into another index, for example to reuse the data for correlation or trend analysis. The collect command in Splunk writes search results as new events into a summary index, for long-term retention or faster analysis. Example: Aggregate Failed Login Attempts. Suppose you want […]
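As an added example (not from the original post), an hourly aggregation of failed logins written into a summary index. The index and field names (index=auth, summary_auth, action, user, src_ip) are assumed; the search is meant to run as a saved search scheduled every hour.

```spl
index=auth action=failure earliest=-1h@h latest=@h
| stats count AS failed_logins, dc(src_ip) AS distinct_sources, values(src_ip) AS src_ips by user
| where failed_logins >= 10
| collect index=summary_auth marker="report=failed_logins_hourly"
```

The snap-to-hour window (`-1h@h` to `@h`) keeps consecutive runs from overlapping, so each hour is counted once. The target index must already exist; collect will not create it. By default the new events get sourcetype `stash`, and the `marker` option stamps each one with `report=failed_logins_hourly`, so the summary can later be queried with `index=summary_auth report=failed_logins_hourly earliest=-30d | timechart span=1d sum(failed_logins) by user` without touching the raw authentication index.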

Splunk: How to Write a Query to Monitor Multiple Sources and Send Alert if they Stop Coming

Step 1: Write a Query to Monitor Multiple Sources. Identify the log sources you want to monitor, then create a Splunk search that checks for events from those sources within a specific timeframe. Example query: a query without additional fields, and a query with an additional "message" field. For example, on the screenshot I set two hosts to monitor and […]
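As an added example (not from the original post), a search that reports hosts that have gone quiet. The important caveat it handles: a host that has sent nothing at all within the search window never appears in the results of a plain `tstats ... by host`, so the expected hosts are loaded from a lookup first and the last-seen times are merged in. The lookup `expected_hosts.csv` (one column, `host`) is assumed; the 30-minute threshold is a placeholder.

```spl
| inputlookup expected_hosts.csv
| fields host
| eval last_seen = 0
| append
    [| tstats latest(_time) AS last_seen where index=* earliest=-24h by host]
| stats max(last_seen) AS last_seen by host
| eval minutes_silent = if(last_seen == 0, null(), round((now() - last_seen) / 60))
| where last_seen == 0 OR minutes_silent > 30
| eval message = if(last_seen == 0, "no events in the last 24 hours", "last event " . minutes_silent . " minutes ago")
| table host message
```

Saved as an alert with the condition "number of results > 0", this fires whenever any expected host is silent. tstats answers from the index metadata, so the 24-hour window over `index=*` is cheap; narrow `index=*` to the indexes the hosts actually write to if your environment is large.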

Fields Aren’t Always Faster, Keyword Searches to Speed Up Splunk

When possible, use data models; they are generally your best bet for speed. However, not everything in your Splunk will be in a data model, and you may need a good old-fashioned index-based search. This may come as a surprise, as it is counterintuitive, but often using a token in an index-based search will absolutely […]
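As an added example (not from the original post), the pattern in practice: a bare keyword in the base search lets Splunk use the index's lexicon to pick out candidate events, and the wildcarded field test is applied only to those. A field filter with a leading wildcard on its own (`dest_host=*evil.example*`) cannot use the lexicon and forces a scan of every event in the time range. The index and field names (index=proxy, dest_host, src_ip) and the domain are assumed.

```spl
index=proxy "evil.example"
| search dest_host="*evil.example*"
| stats count, values(dest_host) AS dest_hosts by src_ip
```

The second line is still needed for correctness: the keyword also matches events where the string appears in some other field (a referrer, a user agent), so the field test removes those. If the value is a single indexed token, `TERM(...)` in the base search is even more selective.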

Making Use of Fillnull and Values() to Increase Rule Resiliency in Splunk

Within Splunk we use stats and tstats a lot as threat hunters. However, these useful operations can cause interesting events to be dropped unexpectedly. For instance:

index=windows sourcetype=*winevent* AND EventCode=4688 AND NewProcessName=*Evil.exe | stats count by ComputerName, ParentProcessName, NewProcessName, CommandLine

CommandLine is a field in 4688 events that has to be enabled via group policy (process command line auditing). So, […]
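As an added example (not from the original post), the same hunt rewritten so that a 4688 event is never dropped just because CommandLine (or ParentProcessName) is absent. Any event whose `by` field is null is excluded from a stats group, so the nullable fields are moved out of the `by` clause into `values()` and given a placeholder with fillnull, which also makes the gap visible to the analyst. The field names are the standard Windows security-log ones from the original query; the placeholder text is a choice.

```spl
index=windows sourcetype=*winevent* EventCode=4688 NewProcessName=*Evil.exe
| fillnull value="<not logged>" CommandLine ParentProcessName
| stats count,
        values(ParentProcessName) AS ParentProcessName,
        values(CommandLine) AS CommandLine
        by ComputerName, NewProcessName
```

Hosts where command line auditing is not enabled now show `<not logged>` in the CommandLine column instead of disappearing from the table, which is also a useful audit finding in itself.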

Creating Macros for Code Reuse in Splunk

When you find yourself constantly reusing the same string of Splunk commands, it is much easier to represent it as a single line that accepts positional arguments and does the same work as the set of commands you keep typing. This is the purpose of a Splunk macro […]

Extracting fields in SPL

Sometimes, when working with new log sources or unfamiliar event records being shipped to Splunk, you will encounter logs with important details that would be far more useful if they were captured in a field. The entire text of an event is available in the _raw field, but specific details found in the […]
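As an added example (not from the original post), a search-time extraction with rex over constructed sample events. makeresults and split build three fake VPN log lines inline (the IPs are from the documentation ranges) so the search runs on any instance without a real sourcetype; in practice replace the first three lines with `index=... sourcetype=...`. The third sample line deliberately lacks the fields, to show that rex simply leaves them null rather than failing.

```spl
| makeresults
| eval _raw = split("2024-05-01T10:00:00Z vpn: user=alice src=203.0.113.7 action=denied reason=bad_password;2024-05-01T10:00:05Z vpn: user=bob src=198.51.100.23 action=allowed;2024-05-01T10:00:09Z vpn: heartbeat ok", ";")
| mvexpand _raw
| rex field=_raw "user=(?<user>\S+)\s+src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+action=(?<action>\w+)"
| where isnotnull(user)
| table _raw user src_ip action
```

Once the regex is stable, the same pattern can be saved as a field extraction (props.conf EXTRACT or the Field Extractor UI) so the fields exist in every search without repeating the rex.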

Splunk: How to Make Lookup Based on Wildcards

1) Add a stanza to transforms.conf:

2) Create the field_from_sourcetype.csv file containing the wildcards and put it in the lookups folder:

As a result, field_name is populated according to the wildcard list:

Splunk: How to Output Nested json as One Field

Often, especially when providing context to analysts who triage alerts, it is useful to present all of the context that a cloud provider nests in a big JSON blob as a single field. You can use the Splunk command spath to accomplish this. Note: if you have trouble manipulating the […]
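As an added example (not from the original post), spath used both ways on a constructed CloudTrail-shaped event: pulling out two scalar fields for the alert's headline, and pulling the whole nested `detail` object out as one field so the analyst gets the full context in a single column. The event is built inline with makeresults so the search runs anywhere; the JSON structure is an assumption modelled on CloudTrail and the IP is from the documentation range.

```spl
| makeresults
| eval _raw = "{\"detail\":{\"eventName\":\"ConsoleLogin\",\"userIdentity\":{\"type\":\"IAMUser\",\"userName\":\"alice\"},\"sourceIPAddress\":\"203.0.113.7\",\"additionalEventData\":{\"MFAUsed\":\"No\"}}}"
| spath input=_raw path=detail.userIdentity.userName output=user
| spath input=_raw path=detail.sourceIPAddress output=src_ip
| spath input=_raw path=detail output=event_context
| table user src_ip event_context
```

When the path points at an object rather than a leaf, spath returns the JSON text of that subtree, which is exactly what you want in `event_context`. If the JSON has already been extracted into a field other than _raw, point `input=` at that field instead.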

Splunk: How to Color Table Rows Based on Conditions

In the previous article I demonstrated how to create a simple dashboard that monitors whether sources are still reporting to Splunk. Today I want to show how to make any table in a dashboard clearer and more convenient to read. Let’s look at my last article and continue improving the functionality of the table that I […]
