I don't have a preference on which to use, I just need to be able to use the lookup efficiently for this search. It seems that WHERE and IN are not the correct clauses to use when using lookups? I am not sure ... View more

thank you so much for your help and for sharing the resources, I will go through them.   I ran the search  but I am getting the following error message: "Right hand side of IN must be a collection of literals. '(range = "10.0.0.0/8")' is not a literal The search job has failed due to an error..." I got this error before, I assumed that when using lookups the WHERE IN clause needs to be changed for something else maybe? not sure =/  thanks in advanced! ... View more

| tstats summariesonly=true allow_old_summaries=true values(All_Traffic.dest_port) as dest_port values(All_Traffic.protocol) as protocol values(All_Traffic.action) as action values(sourcetype) as sourcetype from datamodel=Network_Traffic.All_Traffic |search NOT (All_Traffic.src_ip [|inputlookup internal_ranges.csv ])    Thank you so much!! Your second option yielded the correct results. Do you mind helping me with the other portion please? also, if you know where I can find documentation that can better help me understand lookups for these kinds of searches, that would be appreciated. I am new with Splunk and as much as I like it, I find it challenging at times.  ... View more

What I need help with is how to use lookups tables for the IPs in this search. I have several rules similar to this one but I can't add any IPs inline, I have to use lookups for those.    Below is how I am writing it but it's obviously wrong. Thanks | tstats summariesonly=true allow_old_summaries=true values(All_Traffic.dest_port) as dest_port values(All_Traffic.protocol) as protocol values(All_Traffic.action) as action values(sourcetype) as sourcetype from datamodel=Network_Traffic.All_Traffic |search NOT (All_Traffic.src_ip [|inputlookup internal_ranges.csv |]) AND (All_Traffic.dest_ip [|inputlookup internal_ranges.csv |]) AND (All_Traffic.action="allow*") by _time All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | lookup ip_iocs.csv ioc as src_ip OUTPUTNEW last_seen | append [| tstats summariesonly=true allow_old_summaries=true values(All_Traffic.dest_port) as dest_port values(All_Traffic.protocol) as protocol values(All_Traffic.action) as action values(sourcetype) as sourcetype from datamodel=Network_Traffic.All_Traffic where (All_Traffic.src_ip IN [|inputlookup internal_ranges.csv |]) AND NOT (All_Traffic.dest_ip IN [|inputlookup internal_ranges.csv|]) AND NOT (All_Traffic.protocol=icmp) by _time All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | lookup ip_iocs.csv ioc as dest_ip OUTPUTNEW last_seen] | where isnotnull(last_seen) | head 51     ... View more

thank you. It worked.  ... View more

  Hi, my apologies for not being more specific. The query I provided was modified for security reasons. I am indeed replacing the placeholders like "foo"  with the correct indexes, plus the rest of the required data( host names etc.) Thank you. ... View more

Hello, Thank you so much. The event IDs listed are all regarding changes to the system. This report would be the "report that shows Changes to System Sec Config events". Regarding all logs, we have identified the specific ones.  I am running the query you suggested but it's not giving any results. No error messages. Thanks again! 🙂 index=foo eventid IN (4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4736, 4737, 4740, 4754, 4755, 4756, 4757, 4758, 4759, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4791, 631)  | fields user, action, subject, ProcessName | stats min(_time) as FirstEvent max(_time) as LastEvent count by user, _time, action, subject, ProcessName AND NOT User IN (list_of_users ) AND User_Impacted != (AD_Group) | where NOT (match(Host_Impacted, "sc") OR match(Host_Impacted, "sd") OR match(Host_Impacted, "^sc.+") OR match(Host_Impacted, "^sd.+")) | table User, _time, EventID, Group, Host, Host_Impacted, Login, VendorMsgID, Domain Impacted) | stats values(*) as * by User ... View more

Thanks a lot! ... View more

It worked. Thank you!! ... View more

Hi, thank you. I had it wrong actually, my apologies. What I need is to identify the log paths that are actively used on the logbinder servers.  How do I locate these paths using search and reporting this is my query so far: index=xxx servername source="xlmwindevenlog:security"     Thanks again! ... View more

Thanks a lot! This was very helpful and exactly what I needed. I appreciate you sharing the documentation links as well, been reading through it.  ... View more

Thank you so much. It worked!  The only problem  I am facing now is that for some reason when I use that query(earliest=-d@d latest=@d), the "user" field shows up as a dollar sign ($) instead of the name of the user. Do you know what why? *I was asked to group it by time but would like to know how to show the first or last time of the failed login for my own knowledge. Thanks again! ... View more

Thank you. I need to collect and generate a syslog report that shows login failure events occurred on the previous day, grouped by source user This is all I have been able to come up with so far:    index=WinEventLog* EventID=4625 Earliest=-24 | stats count by user, _time, action, subject, message ... View more

Thank you. I need to collect and generate a syslog report that shows login failure events occurred on the previous day, grouped by source user This is all I have been able to come up with so far:    index=wineventlog* eventid=4625 earliest=-24 | stats count by user, _time, action, subject, message ... View more