As of Splunk 6.2, there is a Key-Value (KV) store baked into the Splunk Search Head. The Splunk KV store leverages MongoDB under the covers and, among other things, can be used for lookups and state tables. In this article, we will show you a quick way to leverage the KV store as a lookup or state table. Better yet, unlike regular Splunk CSV lookups, you can actually update individual rows in the lookup without rebuilding the entire lookup – pretty cool!

State tables are extremely useful from an operational or security perspective to keep track of the last time something occurred. For example, perhaps you want to keep track of user logins or authentications.

For this exercise, we are going to track the last time we saw each Windows Event ID in our Windows Event logs and update any rows in the lookup on a daily basis if a newer event has been detected. To do this, we are going to create a regular CSV lookup, then convert it to a KV store lookup – mainly because it is much simpler to do this and it can *mostly* be performed from the Splunk Search Head GUI.

1. The first step in the process is to think of a name for your lookup. In this case, we are going to use the lookup to track Windows events, so we are going to call the lookup last_windows_events. In SPLUNK_HOME/etc/system/local (or similar) create a new conf file called nf. Into this file enter the name of your lookup as follows:

This is the only part of this exercise where you will be touching back-end conf files. Everything else can be done via the GUI.

2. Now we are going to create a regular lookup that tracks Windows Events by event ID using a search like this:

index=main host=* host="DISCOVERED-INTELLIGENCE" sourcetype="WinEventLog*" earliest=-24h
| stats latest(_time) as LastEvent by LogName EventCode Type
| eval LogName=lower(LogName) | eval Type=lower(Type)

This search looks back over the past 24 hours, records every Windows event code seen and the last time we saw each one, and essentially creates our old-school regular CSV lookup.

Note – there is currently an issue with case and KV Store lookups in Splunk – this is why we have converted the text fields to lowercase before writing to the lookup. I will remove this point once the issue is remediated.

3. Navigate to Settings –> Lookups –> Lookup definitions. Then click the New button and enter the details, selecting the File-based lookup as in the diagram below, and hit Save when done. Now, we could select a type of KV Store from the drop-down list, but we are taking the lazy approach and do not want to enter field names etc.

4. Your regular lookup is now created and you can test it with the following Splunk search:

| inputlookup last_windows_events

You should see the results being displayed.

5. Now, let's go back to the Lookup definitions screen again and edit the lookup we just created. Enter the Collection Name with exactly the same name you entered into nf in step 1. You will now see all the field names in the lookup are automatically populated for you – bonus! In addition, KV Store lookups in Splunk come with a hidden field called _key, which is a unique identifier of each row in the lookup. We are going to use this field to identify which rows we want to update in future runs of our search. We need to add this as a field, as in the illustration below.

6. Your new KV Store lookup is now created and you can test it with the same Splunk search as before:

| inputlookup last_windows_events

Yes, the results are identical, but trust me – you are now using the KV store for your lookup. You could even delete the old CSV file at this point if you wanted, as we are now done with it.

7. Ok, so we now have our shiny new KV lookup working. Let's now amend our search so it updates only the rows that need updating, save it and schedule it to run daily. To do this, we are actually going to use this newly created lookup in the search to enrich the data with the hidden _key field, then we are going to update the lookup where the _key fields match. Got that? That's ok if you didn't – let's continue and you will probably get it. Modify the search in step 2 as follows:

index=main host=* host="DISCOVERED-INTELLIGENCE" sourcetype="WinEventLog*" earliest=-24h
| lookup last_windows_events EventCode, LogName, Type OUTPUTNEW _key AS viewKey

If you run this search now, you will see a unique key is placed in any rows that have a matching entry in the lookup we created.
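The complete scheduled search for step 7, followed by a search that reads the state table back, is written out here as an added example; it is not the post's own code, which stops after the lookup line. It assumes the collection was declared in collections.conf (the file Splunk reads KV store collection definitions from; its name is garbled as "nf" on this page) as a stanza headed [last_windows_events], that _key was added to the lookup definition's field list in step 5, and that the stats and eval stages from step 2 stay in the pipeline ahead of the lookup so the lowercased values match what was written to the KV store. The write-back uses outputlookup with append=true and key_field, Splunk's documented way of updating a KV store collection in place: rows that carried a viewKey overwrite the document with that _key, rows without one are inserted as new documents. The second search is a constructed example of consuming the state table, flagging event codes that have not been seen for more than seven days; the seven-day threshold is an assumption, not something the post specifies.

```spl
index=main host="DISCOVERED-INTELLIGENCE" sourcetype="WinEventLog*" earliest=-24h
| stats latest(_time) AS LastEvent BY LogName EventCode Type
| eval LogName=lower(LogName)
| eval Type=lower(Type)
| lookup last_windows_events EventCode, LogName, Type OUTPUTNEW _key AS viewKey
| outputlookup last_windows_events append=true key_field=viewKey

| inputlookup last_windows_events
| eval AgeDays=round((now() - LastEvent) / 86400, 1)
| where AgeDays > 7
| table LogName EventCode Type LastEvent AgeDays
```

On the first run every row comes out of the lookup without a viewKey, so everything is inserted; on each later run the rows whose LogName, EventCode and Type already exist in the collection pick up that document's _key and are updated rather than duplicated, while genuinely new event codes are appended. Two practical points when scheduling it: keep the search window at least as wide as the schedule interval (a daily job with earliest=-24h leaves no gap, but a job that runs late would), and keep the lowercasing in every search that writes to or looks up against the collection, because KV store lookups match case-sensitively and a mixed-case LogName will never find its _key.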