There is a way to use CIDR range in kusto? the code below only works if i remove the /24..
let whiteList = dynamic (["192.168.2.0/24", "192.168.1.0/24"]); // setup a whitelist of range IP
OfficeActivity
| where Operation == "MailboxLogin"
| where ClientIP in (whiteList)
| summarize count=count() by UserId
any solution please ?
You can use this:
let WhiteList= #'^192\.168\.1|^192\.168\.2'; // put your internal networks
OfficeActivity
| where Operation == "MailboxLogin"
| extend IswhiteList = iff(ClientIP matches regex WhiteList,"whiteList" ,"none" )
| where IswhiteList == "whiteList"
| summarize count=count() by UserId
Take a look at parse_ipv4()
https://learn.microsoft.com/en-us/azure/kusto/query/parse-ipv4function
It looks like it should do what you need.
More IPv4 functions listed here:
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/scalarfunctions#ip-v4-functions
Related
I have a Splunk Dashboard. This dashboard has a Text input where the user can enter a path. After entering the input, I would like to apply some conditional logic to the path input by the user before the search is executed. Is this possible in Splunk? Is there a way for me to take the Text input (i.e. path) and do something like:
var parameter1 = "value-a";
if (path == "/endpoint-1")
parameter1 = "value-b";
else if (path == "/endpoint-2")
parameter1 = "/endpoint-3";
// Execute search with parameter1
Thank you.
Subsearches!
Eg:
index=data [
| makeresults 1
| eval path="$inputToken$"
| eval parameter1=case(
path="/endpoint-1","value-b,
path="/endpoint-2","/endpoint-3")
| fields parameter1
| format]
the subsearches are run before the main search, and alter that main search.
the main search here after the subsearch would be something like.
index=data parameter1="value-b"
Related reading to help on your sub search journey
https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Useasubsearch
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Return
I have the following query which provides me with all the data I need exported but I would like text '' removed from my final query. How would I achieve this?
| where type == "microsoft.security/assessments"
| project id = tostring(id),
Vulnerabilities = properties.metadata.description,
Severity = properties.metadata.severity,
Remediations = properties.metadata.remediationDescription
| parse kind=regex id with '/virtualMachines/' Name '/providers/'
| where isnotempty(Name)
| project Name, Severity, Vulnerabilities, Remediations ```
You could use replace_string() (https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/replace-string-function) to replace any substring with an empty string
I am trying to use has_any in sentinel to pass a list (comma delimited) of IPs to a query in a workbook.
The IP values will be passed into the query from a workbook parameter that the user enters.
With the below test code, if I use BadIPList variable for the has_any expression, I get the error "has_any(): failed to cast argument 2 to scalar constant"
If I use BadIPList2 it works fine, although they should be the same once I convert BadIPList to a Dynamic type.
let StartTime = "2022-08-07";
let TimeOffset = 4d;
let BadIPList = '10.1.1.100,10.1.1.102,10.1.1.110,10.1.1.120';
let BadIPlist2 = dynamic(['10.1.1.100','10.1.1.102','10.1.1.110','10.1.1.120']);
DeviceNetworkEvents
| extend BadIPList=todynamic(split(BadIPList,","))
| where TimeGenerated between (startofday(todatetime(StartTime)) .. endofday(todatetime(StartTime) + TimeOffset))
//next line errors
//| where RemoteIP has_any(BadIPList)
//next line works
| where RemoteIP has_any(BadIPlist2)
| project RemoteIP, BadIPList, BadIPlist2
| take 10
//verify variable types
| extend ipType = gettype(BadIPList), ipType2 = gettype(BadIPlist2)
| getschema
output of BadIPList2
I have checked the types of the two variables (Using gettype and getschema), and they seem to be the same any ideas about what I have done wrong?
DataTypes for variables
As the error message notes, the parameter should be a "scalar constant" (and not a row-level expression)
// Data sample generation. Not part of the solution.
let DeviceNetworkEvents = datatable(RemoteIP:string)["yada yada 10.1.1.102 yada"];
// Solution starts here
let BadIPList = '10.1.1.100,10.1.1.102,10.1.1.110,10.1.1.120';
let BadIPList_split = split(BadIPList, ",");
DeviceNetworkEvents
| where RemoteIP has_any(BadIPList_split)
RemoteIP
yada yada 10.1.1.102 yada
Fiddle
Anyone here knows how can I use built-in functions(case) in a Splunk Query? All examples I found were to handle the query results (I can not put it after eval or | )
I need something like.
index=case(indexVar == "qa", "qa-all", indexVar == "prod", "prod-all") sourcetype="kube:container:rail-service"
OBS I can not just concat the indexVar + "-all"
The case function may be built-in, but that doesn't mean you can use it anywhere. It's only valid with the eval, fieldformat, and where commands.
A workaround would be to put the eval in a subsearch.
sourcetype="kube:container:rail-service" [
| makeresults
| eval index=case(indexVar == "qa", "qa-all", indexVar == "prod", "prod-all")
| fields index ]
after searching through the whole www I finally ended up here with a question and hopefully more capable responders than I am.
I am trying to implement a full text search on my webpage.
The Sql query works with one WHERE condition but not with several. Unfortunately I have no clue how to solve my problem with the help of EXIST / IN / INNER JOIN or other Operators.
Code which works:
$sql = "SELECT * FROM artikel WHERE author LIKE '$suchtext' LIMIT $offset, $no_of_abs";
Code which doesnt work:
$sql = "SELECT * FROM artikel WHERE (author OR shorty OR vollartikel) LIKE '%$suchtext%' LIMIT $offset, $no_of_abs";
The variable $suchtext is correctly passed and received through jquery $ajax POST and my php script.
Example goal:
author | volltext | shorty
--------+-------------+---------
tulum | tul | asf
rae | zutotu | vizetu
$suchtext is "tu"
Results: 2
Row1 & Row2
I appreciate any answers.
Solution:
$sql = "SELECT * FROM artikel WHERE author LIKE '%$suchtext%' OR shorty LIKE '%$suchtext%' OR vollartikel LIKE '%$suchtext%' LIMIT $offset, $no_of_abs";
LIKE is a binary operator that takes two strings. OR is a boolean operator that operates on boolean values.
You need to explicitly list this out:
(author LIKE ? OR
shorty LIKE ? OR
vollartikel LIKE ?
)
Note that this uses ? as a parameter placeholder. Use parameters when constructing SQL queries in applications.