Splunk makes it easy to find relationships between events or activities. Transaction marks a series of events as interrelated, based on a shared piece of common information: the flow of a packet based on client IP address, a purchase based on userID. Correlate based on time, location, or custom search results. Stats produces statistical information by looking at a group of events.

Sample event:

Mar 9 07:27:39 10.xxx.yyy.61 TH2PE1: 525776 Base OSPF-WARNING-tmnxOspfNgNbrStateChange-2042 : LCL_RTR_ID 10.xxx.yyy.61: Neighbor 10.aaa.bbb.1 on if-MTP1-1 router state changed to down (event BFD_DOWN)

Here is my search to determine transactions:

Host="10.xxx.yyy.*" ospf (eventtype="ospf_down*" OR eventtype="ospf_full") Base
| eval start_Time=if(eventtype="ospf_down" OR eventtype="ospf_down_if",_time,null())
| eval end_Time=if(eventtype="ospf_full",_time,null())
| transaction host VoisinIP Interface startswith=eval(eventtype="ospf_down" OR eventtype="ospf_down_if") endswith=eval(eventtype="ospf_full")
| convert timeformat="%d/%m/%Y %H:%M:%S" ctime(start_Time) as Debut
| convert timeformat="%d/%m/%Y %H:%M:%S" ctime(end_Time) as Fin
| eval "Duree Perte"=tostring(duration,"duration")

Executing this command: wmic /node: IP address process call create 'cmd.exe /c calc.exe' yields two events similar to this (username and IP information purposely omitted): An account was successfully logged on.
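To show what the transaction search above actually computes, here is an added Python example (not from the original post) that does the same pairing outside Splunk: it parses OSPF neighbour-state syslog lines of the shape shown in the sample event, keys them on host, neighbour IP (VoisinIP) and interface, opens a transaction on "down", closes it on the next "full" for the same key, and reports Debut, Fin and "Duree Perte" in the same formats the search uses. The sample lines, their addresses, the wording of the "full" message, the event name EXAMPLE_UP and the year 2021 (syslog lines carry no year) are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape of the OSPF warning shown on the page
# (addresses are constructed; the "full" wording and event name are assumptions).
SAMPLE_LINES = [
    "Mar 9 07:27:39 10.0.0.61 TH2PE1: 525776 Base OSPF-WARNING-tmnxOspfNgNbrStateChange-2042 : "
    "LCL_RTR_ID 10.0.0.61: Neighbor 10.1.1.1 on if-MTP1-1 router state changed to down (event BFD_DOWN)",
    "Mar 9 07:27:41 10.0.0.61 TH2PE1: 525777 Base OSPF-WARNING-tmnxOspfNgNbrStateChange-2042 : "
    "LCL_RTR_ID 10.0.0.61: Neighbor 10.1.1.2 on if-MTP1-2 router state changed to down (event BFD_DOWN)",
    "Mar 9 07:29:12 10.0.0.61 TH2PE1: 525780 Base OSPF-WARNING-tmnxOspfNgNbrStateChange-2042 : "
    "LCL_RTR_ID 10.0.0.61: Neighbor 10.1.1.1 on if-MTP1-1 router state changed to full (event EXAMPLE_UP)",
    "Mar 9 07:30:00 10.0.0.61 TH2PE1: 525781 Base SYSTEM-MINOR-example : unrelated line, must be ignored",
]

# Syslog timestamp, reporting host, then the neighbour / interface / new state.
EVENT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s.*?"
    r"Neighbor (?P<neighbor>\S+) on (?P<iface>\S+) router state changed to (?P<state>\w+)"
)
TIMEFMT = "%d/%m/%Y %H:%M:%S"  # same layout as the convert ... timeformat in the search


def parse_event(line, year):
    """Extract the fields the transaction is keyed on; None for lines that are not OSPF state changes."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year, so the caller supplies it (an assumption).
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
    return {"time": ts, "host": m["host"], "neighbor": m["neighbor"],
            "iface": m["iface"], "state": m["state"].lower()}


def format_duration(seconds):
    """Render seconds like Splunk's tostring(x, "duration"): HH:MM:SS, prefixed D+ beyond one day."""
    seconds = int(seconds)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


def ospf_transactions(lines, year=2021):
    """Pair each 'down' with the next 'full' for the same (host, neighbour, interface).

    Mirrors: transaction host VoisinIP Interface startswith=<down> endswith=<full>.
    A second 'down' before a 'full' closes the first transaction without an end, as
    startswith does in Splunk; a 'full' with nothing open is skipped here (assumption).
    """
    open_tx = {}   # (host, neighbour, iface) -> start datetime
    results = []

    def close(key, start, end):
        results.append({
            "host": key[0], "VoisinIP": key[1], "Interface": key[2],
            "Debut": start.strftime(TIMEFMT),
            "Fin": end.strftime(TIMEFMT) if end else None,
            "Duree Perte": format_duration((end - start).total_seconds()) if end else None,
        })

    for line in lines:
        ev = parse_event(line, year)
        if ev is None:
            continue
        key = (ev["host"], ev["neighbor"], ev["iface"])
        if ev["state"] == "down":
            if key in open_tx:              # new start: previous outage never saw a 'full'
                close(key, open_tx.pop(key), None)
            open_tx[key] = ev["time"]
        elif ev["state"] == "full" and key in open_tx:
            close(key, open_tx.pop(key), ev["time"])

    for key, start in open_tx.items():      # still down at end of input: report with Fin=None
        close(key, start, None)
    return results


if __name__ == "__main__":
    for tx in ospf_transactions(SAMPLE_LINES):
        print(tx)
```

Run stand-alone it prints one closed outage for neighbour 10.1.1.1 (Debut 09/03/2021 07:27:39, Fin 09/03/2021 07:29:12, Duree Perte 00:01:33) and one still-open outage for 10.1.1.2 with no Fin, which is the case a dashboard built on the search should also surface rather than silently drop. One caveat on the search itself: SPL field names are case-sensitive, so Host="10.xxx.yyy.*" in the base search only matches if a field literally named Host exists, while the transaction is keyed on the standard host field.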