| datamodel
| rex field=_raw "\"description\":\"(?<Description>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+\s+\w+)\"\,"
| rex field=_raw "\"modelName\":\"(?<DataSetName>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+)\"\,"
| rex field=_raw "\"parentName\":\"(?<ParentName>\w+|\w+\s+\w+|\w+\s+\w+\s+\w+)\"\,"
| rex field=_raw "\"autoextractSearch\":(?<SearchDetails>.*\")\,\"previewSearch.*"
| table Description DataSetName SearchDetails
| eval SearchDetails=replace(SearchDetails,",\"previewSearch.*","")
| fillnull Description value="Description not available"
Find success login after 10 failures with streamstats
If you have the Authentication data model configured, you can use the following search to quickly find successful logins after 10 failed attempts! The events are put in chronological order with reverse, streamstats keeps a running count per src that includes the current event and is reset once a success is seen, so a success with failure_count > 10 was preceded by at least 10 failures.
| from datamodel:"Authentication"."Authentication"
| search action=failure OR action=success
| reverse
| streamstats window=0 current=true reset_after="(action=\"success\")" count as failure_count by src
| where action="success" AND failure_count > 10
Search Traffic by Source IP
GoSplunk Admin Notes: If you have a data model enabled that matches the search below, this might work for you!
| datamodel Network_Traffic All_Traffic search
| search All_Traffic.src_ip=10.x.x.x
| stats count by All_Traffic.src_ip, All_Traffic.dest, All_Traffic.action, dstcountry
| dedup All_Traffic.dest