The Search Pipeline: - Relies Heavily On The Unix Pipe Operator

The document discusses the search pipeline in Splunk and how to break down searches and visualize data using commands like timechart and stats. It includes an example search pipeline that searches Windows event logs for failed login attempts and visualizes the results by user over time.


The Search Pipeline >

• Relies heavily on the Unix pipe operator |

© Adam Frisbee, adamfrisbee.com, Image from Splunk.com


The Search Pipeline >
Stages of the pipeline, left to right, with the examples shown on the slide:

Broad search: host=myhost, sourcetype=csv, user=b123
Keywords/booleans/fields: fail OR failure, locked
Commands: count, sum, eval
Table / Viz: Table, timechart

[Diagram: a lot of data (raw events) -> the data we want -> the format we want]



The Search Pipeline >
sourcetype=WinEventLog:Security EventCode=4625 user=* | timechart span=1h count(EventCode) by user

Let’s break this down


sourcetype=WinEventLog:Security EventCode=4625 user=*
• I am searching for a specific source type. This source type was created by the Splunk App for Windows.
• The source type I am searching for is the Security portion of the WinEventLog.
• I am also narrowing my search to one specific event code: 4625, which is a failed logon.
• Finally, user=* keeps only events that have a user field (with any value), because I know I am going to use this field later to build a table or visualization.



The Search Pipeline >
sourcetype=WinEventLog:Security EventCode=4625 user=* | timechart span=1h count(EventCode) by user

Let’s break this down


| timechart span=1h count(EventCode) by user
• I am "piping" the results of the previous search into a timechart command.
• By using the span=1h argument, I am forcing the chart to have one-hour increments.
• Next, I am counting the EventCode field (which is what I searched for before the pipe).
• Finally, I want the counts split out by user, so each user becomes its own series on the chart.



The Search Pipeline >
sourcetype=WinEventLog:Security EventCode=4625 user=* | timechart span=1h count(EventCode) by user



The Search Pipeline >
sourcetype=WinEventLog:Security EventCode=4625 user=* | stats count(EventCode) by user



The Search Pipeline >
sourcetype=WinEventLog:Security EventCode=4625 user=* | stats count(EventCode) by user _time | table _time user count(EventCode) | sort -_time



The Search Pipeline >

sourcetype=WinEventLog:Security EventCode=4625 user=* | stats count(EventCode) by user _time | table _time user count(EventCode) | sort -_time
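To make the difference between the two right-hand sides of the pipe concrete, here is a small Python model of the searches on these slides: the field filter left of the pipe, the hourly `timechart ... by user`, and the `stats ... by user _time | table | sort -_time` variant. This is an added example, not code from the original deck or from Splunk; the events are constructed stand-ins for the fields Splunk extracts from Windows Security logs, and the bucketing and sorting logic is a plain re-implementation of what the commands do, not Splunk's own code.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real logs). Each dict holds the fields the
# search references: _time, sourcetype, EventCode and user.
EVENTS = [
    {"_time": "2024-03-01T09:05:00Z", "sourcetype": "WinEventLog:Security", "EventCode": 4625, "user": "alice"},
    {"_time": "2024-03-01T09:40:00Z", "sourcetype": "WinEventLog:Security", "EventCode": 4625, "user": "alice"},
    {"_time": "2024-03-01T09:50:00Z", "sourcetype": "WinEventLog:Security", "EventCode": 4624, "user": "alice"},  # successful logon, dropped by EventCode=4625
    {"_time": "2024-03-01T10:15:00Z", "sourcetype": "WinEventLog:Security", "EventCode": 4625, "user": "bob"},
    {"_time": "2024-03-01T10:20:00Z", "sourcetype": "WinEventLog:Security", "EventCode": 4625},                  # no user field, dropped by user=*
    {"_time": "2024-03-01T10:45:00Z", "sourcetype": "WinEventLog:System",   "EventCode": 4625, "user": "carol"},  # wrong sourcetype, dropped
]

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_time(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def search(events, sourcetype, event_code, required_field):
    """Left of the pipe: sourcetype=... EventCode=... field=*
    Every filter must match; `field=*` means the field exists with a non-empty value."""
    return [
        e for e in events
        if e.get("sourcetype") == sourcetype
        and e.get("EventCode") == event_code
        and e.get(required_field) not in (None, "")
    ]


def timechart_count_by(events, by, span_seconds=3600):
    """| timechart span=1h count(EventCode) by <by>
    Buckets _time into fixed spans and counts events per (bucket, series).
    Like timechart, every series gets a column in every bucket, with 0 where empty."""
    table = defaultdict(Counter)
    for e in events:
        ts = int(parse_time(e["_time"]).timestamp())
        bucket = ts - ts % span_seconds            # floor to the start of the hour
        table[bucket][e[by]] += 1                  # count(EventCode): all kept events carry EventCode
    series = sorted({s for c in table.values() for s in c})
    rows = []
    for bucket in sorted(table):
        row = {"_time": datetime.fromtimestamp(bucket, timezone.utc).strftime(TIME_FMT)}
        for s in series:
            row[s] = table[bucket][s]
        rows.append(row)
    return rows


def stats_count_by_user_time(events):
    """| stats count(EventCode) by user _time | table _time user count(EventCode) | sort -_time
    No bucketing: stats groups on the exact _time value, so each distinct
    (user, _time) pair is its own row; sort -_time puts the newest first."""
    counts = Counter((e["user"], e["_time"]) for e in events)
    rows = [{"_time": t, "user": u, "count(EventCode)": n} for (u, t), n in counts.items()]
    return sorted(rows, key=lambda r: r["_time"], reverse=True)


if __name__ == "__main__":
    kept = search(EVENTS, "WinEventLog:Security", 4625, "user")
    print("kept after the field filters:", len(kept))
    for row in timechart_count_by(kept, "user"):
        print("timechart:", row)
    for row in stats_count_by_user_time(kept):
        print("stats:", row)
```

Running it shows why the two commands give different shapes: timechart collapses alice's two failures at 09:05 and 09:40 into one 09:00 bucket and fills bob's empty 09:00 cell with 0, while stats keeps one row per distinct event time, which is the form you want when you need the individual failure timestamps rather than a trend line.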

[Diagram: a lot of data (raw events) -> the data we want -> the format we want]



Thanks, Splunkers!
