![]() ![]() ![]() Now we are going to create a regular lookup that counts Windows Events by event_id using a search like this: index=main host=* host="DISCOVERED-INTELLIGENCE" sourcetype="WinEventLog*" earliest=-24h Everything else can be done via the GUI.Ģ. This is the only part of this exercise where you will be touching back-end conf files. Into this file enter the name of your lookup as follows: In SPLUNK_HOME/etc/system/local (or similar) create a new conf file called nf. In this case, we are going to use the lookup to track windows events, so we are going to call the lookup last_windows_events. ![]() The first step in the process is to think of a name for your lookup. For example, perhaps you want to keep track of user logins or authentications.įor this exercise, we are going to track the last time we saw each Windows Event ID in our Windows Event logs and update any rows in the lookup on a daily basis if a newer event has been detected. To do this, we are going to create a regular CSV lookup, then convert it to a KV store lookup – mainly because it is much simpler to do this and it can *mostly* be performed from the Splunk Search Head GUI.ġ. State tables are extremely useful from an operational or security perspective to keep track of the last time something occurred. Better yet, unlike regular Splunk CSV lookups, you can actually update individual rows in the lookup without rebuilding the entire lookup – pretty cool! In this article, we will show you a quick way of how you can leverage the KV store as a lookup or state table. The Splunk KV store leverages MongoDB under the covers and among other things, can be leveraged for lookups and state tables. As of Splunk 6.2, there is a Key-Value (KV) store baked into the Splunk Search Head. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |