how to (still) use a wildcard in the middle of a string? - splunk

I am trying to run the following query
index=one /thispath/file*.pdf
I know that using wildcards in the middle of a string is not recommended, but I have too many different files: file001.pdf, fileabc.pdf and others.
What can I do? I am more worried about bogus results than processing speed.
Thanks!

It's not recommended, but it works. Just do it.
index=one "/thispath/file*.pdf"

I think you could do this one of 3 ways, actually, depending on your needs:
| makeresults | eval field="/thispath/fileone.pdf"
Tell Splunk to look for both the beginning and end of something:
| search field="/thispath/file*" AND field="*.pdf"
Filter after the event search using wildcards:
| where like(field, "/thispath/file%.pdf")
Filter after the event search using regex:
| where match(field, "/thispath/file.*\.pdf")
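An added Python emulation (not from the thread) of what the three Splunk filters above let through, run over a constructed set of paths that includes the kind of "bogus results" the question worries about. It assumes Splunk's `*` and `%` match any characters, `/` included, and that `match()` is an unanchored regex search.

```python
import fnmatch
import re

# Constructed sample values for a field such as `field` above; the last three
# are the kind of "bogus results" the question is worried about.
PATHS = [
    "/thispath/file001.pdf",
    "/thispath/fileabc.pdf",
    "/thispath/file.pdf",
    "/otherpath/file001.pdf",     # wrong directory
    "/thispath/file001.pdf.exe",  # double extension
    "/thispath/files/old/x.pdf",  # wildcard crossing into a subdirectory
]

LOOSE_REGEX = r"/thispath/file.*.pdf"          # unescaped dot, unanchored
STRICT_REGEX = r"^/thispath/file[^/]*\.pdf$"   # literal ".pdf", no "/" in the wildcard part, anchored

def wildcard_both_ends(path):
    """Emulates: | search field="/thispath/file*" AND field="*.pdf" (Splunk * matches anything, "/" included)."""
    return fnmatch.fnmatchcase(path, "/thispath/file*") and fnmatch.fnmatchcase(path, "*.pdf")

def like_filter(path, pattern="/thispath/file%.pdf"):
    """Emulates: | where like(field, pattern); % = any run of characters, _ = one character, whole-string match."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, path) is not None

def match_filter(path, regex):
    """Emulates: | where match(field, regex); PCRE-style, unanchored unless the regex anchors itself."""
    return re.search(regex, path) is not None

def surviving(predicate, paths=PATHS):
    """Return the values a given filter lets through, in input order."""
    return [p for p in paths if predicate(p)]

if __name__ == "__main__":
    for name, pred in [("search *..*", wildcard_both_ends), ("like %", like_filter),
                       ("match loose", lambda p: match_filter(p, LOOSE_REGEX)),
                       ("match strict", lambda p: match_filter(p, STRICT_REGEX))]:
        print(f"{name:13} -> {surviving(pred)}")
```

Only the anchored regex with an escaped dot and a `[^/]*` wildcard part keeps out the double-extension and subdirectory cases; the other three filters accept the subdirectory path, and the loose regex also accepts the `.exe`.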

Related

How do I transform array in search or elsewhere in dashboard

I have a search that is working fine
index=event_db environment=prod release = 2020150015
| timechart count as Events
However, I'd like to modify this to search for any release in an array of releases. I'm aware of the "in" operator.
The catch is that the array of releases I've been provided ("Releases") is formatted slightly differently like so:
[ver2020.15.0015, ver2020.15.0016, ver2020.22.0019] // in general, many more than 3!
Is there a way to use the in operator and some mapping to get
release in
[2020150015, 2020150016, 2020220019] ?
Can this be put in the search?
This is part of a panel so if it's simpler I could have code elsewhere to convert [ver2020.15.0015, ver2020.15.0016, ver2020.22.0019] into [2020150015, 2020150016, 2020220019]
However, as mentioned I'm a newbie so my knowledge of where to put code to transform an array is limited :)
I have a fieldset section and a panel with a query in it.
The "Releases" array is populated in the fieldset section as so:
<input type="text" token="Releases">
<label>Release or Releases</label>
<default>*</default>
</input>
The user enters ver2020.15.0015 or perhaps ver2020.15.*.
I can't just have the user enter 2020150015 as the ver2020.15.0015 format is used elsewhere.
Perhaps there's a way to create new field Releases_Alt right after getting this?
Let me know of any other info I can provide. As I said, I'm new to Splunk so I'm still struggling with terminology.
Try this query. It uses a subsearch to build the IN argument. Subsearches in Splunk run before the main search and the output of the subsearch replaces the subsearch itself.
index=event_db environment=prod release IN (
[ | makeresults
| eval Releases=replace($Releases|s$, "[ver\.]+", "")
| return $Releases ] )
| timechart count as Events
The makeresults command is there because even subsearches have to start with a generating command. makeresults creates a "dummy" event that allows other commands to work.
The eval command does the work of converting release versions into the desired format. Note the use of |s with the Releases token. This construct ensures the contents of the token are enclosed in quotation marks, which is expected by the replace function.
Finally, the return command with $ returns the results of the eval, but without the field name itself. Without it, the subsearch would return releases="2020150015, 2020150016, 2020220019", which wouldn't work.

Questions related to splunk builtin macros in correlation search

I am not sure if this is the appropriate forum to ask this question, but I really need help and I am stuck. So here goes: I am exploring Splunk Enterprise Security and was specifically looking into analytic stories and correlation searches.
For example:
Analytic story : Trickbot
Correlation search : Attempt to stop security service
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = net.exe OR Processes.process_name = sc.exe) Processes.process="* stop *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup security_services_lookup service as process OUTPUTNEW category, description
| search category=security
| `attempt_to_stop_security_service_filter`
I am trying to understand what exactly this code is doing, but I'm stuck at these macros: security_content_summariesonly, drop_dm_object_name, security_content_ctime, attempt_to_stop_security_service_filter. I can't find definitions for these macros anywhere. I have tried looking in Settings -> Advanced search -> Search macros, but they are not listed there.
Can somebody help?
If you have access to the host(s) Splunk is running on, you can find the definitions in $SPLUNK_HOME/etc/*/macros.conf.
If you don't have that access, then it's possible you don't have permissions to see the definitions of those macros.
However, you can always use the Job Inspector to see how Splunk translates what you type into what it runs.
If you have the query in a search window, then click on the query and type Shift-CTRL-E to have Splunk expand all of the macros for you.
I can tell you the drop_dm_object_name macro is just rename $1.* as *. The other macros are specific to their app.
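To make the correlation search above concrete, here is an added Python re-implementation of its logic (not Splunk's or the ES app's code) run over constructed process rows. It assumes the `security_services_lookup` matches its `service` column as a wildcard against the whole `process` value, that `security_content_ctime` renders epoch seconds as a readable UTC time, and that the trailing `*_filter` macro is a no-op tuning hook.

```python
import fnmatch
from datetime import datetime, timezone

def row(t, dest, user, parent, name, cmd, pid, ppid):
    """One tstats row from Endpoint.Processes, field names still prefixed with the object name."""
    return {"_time": t, "Processes.dest": dest, "Processes.user": user,
            "Processes.parent_process": parent, "Processes.process_name": name,
            "Processes.process": cmd, "Processes.process_id": pid, "Processes.parent_process_id": ppid}
# Constructed sample rows (not real telemetry); the first two share a PID to show min/max grouping.
EVENTS = [
    row(1700000000, "ws01", "alice", "cmd.exe", "net.exe", "net stop WinDefend", "412", "300"),
    row(1700003600, "ws01", "alice", "cmd.exe", "net.exe", "net stop WinDefend", "412", "300"),
    row(1700000600, "ws01", "alice", "cmd.exe", "sc.exe", "sc stop Spooler", "430", "300"),
    row(1700001200, "srv02", "bob", "cmd.exe", "net.exe", "net start WinDefend", "880", "700"),
    row(1700001800, "srv02", "bob", "explorer.exe", "powershell.exe", "Stop-Service WinDefend", "900", "700"),
]
# Assumed stand-in for security_services_lookup: wildcard service pattern -> (category, description).
SECURITY_SERVICES_LOOKUP = {"*WinDefend*": ("security", "Windows Defender Antivirus Service")}
BY_FIELDS = ("dest", "user", "parent_process", "process_name", "process", "process_id", "parent_process_id")

def drop_dm_object_name(event, obj="Processes"):
    """`drop_dm_object_name(Processes)`: rename Processes.* as * (as the answer above says)."""
    return {(k[len(obj) + 1:] if k.startswith(obj + ".") else k): v for k, v in event.items()}

def security_content_ctime(epoch):
    """Assumed rendering of the ctime macro: epoch seconds -> readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def attempt_to_stop_security_service(events, lookup):
    groups = {}
    for ev in map(drop_dm_object_name, events):
        # where (process_name = net.exe OR sc.exe) AND process="* stop *" (assumed case-insensitive)
        if ev["process_name"] not in ("net.exe", "sc.exe") or " stop " not in ev["process"].lower():
            continue
        key = tuple(ev[f] for f in BY_FIELDS)                             # the "by" clause
        first, last = groups.get(key, (ev["_time"], ev["_time"]))
        groups[key] = (min(first, ev["_time"]), max(last, ev["_time"]))  # min(_time), max(_time)
    results = []
    for key, (first, last) in groups.items():
        hit = dict(zip(BY_FIELDS, key))
        hit["firstTime"], hit["lastTime"] = security_content_ctime(first), security_content_ctime(last)
        # lookup security_services_lookup service as process OUTPUTNEW category, description
        for pattern, (category, description) in lookup.items():
            if fnmatch.fnmatchcase(hit["process"], pattern):
                hit["category"], hit["description"] = category, description
                break
        # search category=security; the *_filter macro is a tuning hook, treated as a no-op here
        if hit.get("category") == "security":
            results.append(hit)
    return results
```

Of the five constructed rows only the two `net stop WinDefend` executions survive, collapsed into one result whose firstTime/lastTime span them; `sc stop Spooler` passes the process filter but is dropped by `search category=security` because the lookup does not classify it.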

How to create a Splunk bubble diagram from timechart

I am trying to create a bubblechart based on this search, also seen in image below.
source="*wineventlog:security" sourcetype="*wineventlog:security" EventCode=4624 OR 4625 OR 4649 OR 4724 OR 4732 OR 4740| timechart span=1h count(EventCode) by EventCode
I have tried different methods to create something similar to the edited bubblechart image below, but with no success so far. I hope someone here can possibly help me achieve this, if it is even possible?
I can see that I probably would need to get the event codes into their own columns, and probably the same with the count... but how?
You've got two issues.
First, the OR has to still be using the field name for the comparisons (EventCode=4724 OR EventCode=4740...). Or you can use EventCode IN("val1","val2"...)
Second, you can simplify the count(EventCode) to count.
Try this:
source="*wineventlog:security" sourcetype="*wineventlog:security" EventCode IN("4624","4625","4649","4724","4732","4740")
| timechart span=1h count by EventCode

Yii url manager rules for certain terms

I need a rule to redirect only certain terms.
'<view:(about)>'=>'site/page/view/<view>',
'<view:(faq)>'=>'site/page/view/<view>',
'<view:(terms)>'=>'site/page/view/<view>',
I cannot use
'<view:\w+>'=>'site/page/view/<view>',
because I am using another rule for all terms other than these.
So is there any way to write an expression to shorten the 3 lines of code to a single one, like this?
'<view:(about),(faq),(terms)>'=>'site/page/view/<view>',
Have you tried this?
<view:(about|faq|terms)>

Selenium "StoreText" to use in other field

Please help,
I want to use the value that I stored using storeText.
My problem is, how do I use this in the other fields of the page?
Thanks in advance!
For example:
I want to get the name of this customer, and verify on another site whether it exists by entering the name in that site's search field.
See the "Variable substitution" paragraph of the documentation; it even has a nice example of usage for storing a name from multiple fields:
Variable substitution
Variable substitution provides a simple way to include a previously stored variable in a command parameter. This is a simple mechanism, by which the variable to substitute is indicated by ${variableName}. Multiple variables can be substituted, and intermixed with static text.
Example:
store | Mr | title
storeValue | nameField | surname
store | ${title} ${surname} | fullname
type | textElement | Full name is: ${fullname}
Why don't you get the text from the WebElement, store it in a global static variable, and call the variable in the other test case?