Using Fields.md

Using Fields

SecOps wants a list of authentication failure events associated with admin roles over the last 60 minutes

Search for all failed logins containing username that begins with "admin"

index=security sourcetype=linux_secure failed invalid user=admin*

Events from online sales that encountered a server problem (status>399) over the last 4 hours

index=web sourcetype=access_combined action=purchase status>399 
| table clientip host status

Renames clientip field to "Customer IP", host field to "Web Server", and status field to "HTTP Status"

index=web sourcetype=access_combined action=purchase status>399 
| table clientip host status 
| rename clientip as "Customer IP", host as "Web Server", status as "HTTP Status"

SecOps wants to see a count of event descriptions by port from all web server events over

the past 7 days.

Search web server events over the last 7 days that contain the keyword "port"

index=security sourcetype=linux_secure port

Extracts temporary fields and include events based on pattern matching

index=security sourcetype=linux_secure port
| erex event_description examples="Failed password , Accepted password "

index=security sourcetype=linux_secure port 
|  erex event_description examples="Failed password , Accepted password " 
| stats count(src_port) by event_description

Create a new field called "port" and provide it with 3 port examples, then count port values:

index=security sourcetype=linux_secure port 
| erex port examples="22,1229,1268"
| erex event_description examples="Failed password , Accepted password " 
| stats count(port) by event_description

Replace 'erex' command with Splunk recommended 'rex' commands

index=security sourcetype=linux_secure port
| rex "(?i)0(?P<port>[^ ]+)"
| rex "(?i)^[^\]]*\]:\s+(?P<event_description>\w+\s+\w+)"
| stats count(port) by event_description