Splunk Basics - 10 Where and Search Commands



Definition:

Where: The where command uses predicate expressions to filter search results. A predicate expression, when evaluated, returns TRUE or FALSE. The where command keeps only the results that evaluate to TRUE.

Search: Searches the Splunk indexes for matching events.

Ref:

https://docs.splunk.com/Documentation/SCS/current/SearchReference/WhereCommandOverview

https://docs.splunk.com/Documentation/SCS/current/SearchReference/SearchCommandExamples

List of commands:

index=main sourcetype=access_combined_wcookie
| table _time method uri_path uri status action
| search status = 404

index=main sourcetype=access_combined_wcookie
| table _time method uri_path uri status action
| search status != 200

index=main sourcetype=access_combined_wcookie
| table _time method uri_path uri status action
| search status = 40*

index=main sourcetype=access_combined_wcookie
| table _time method uri_path uri status action
| where status = 404

index=main sourcetype=access_combined_wcookie
| table _time method uri_path uri status action
| where isnotnull(action)

index=main sourcetype=access_combined_wcookie
| table _time method uri_path uri status action
| where like(status, "40%")
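The searches above apply the same condition with both commands. The search below, added here as an example and not part of the original post, shows where the two commands differ: search matches field values against literals and accepts * wildcards, while where evaluates an expression and can call functions and compare one field with another. It assumes the same index and sourcetype used above and that the access_combined_wcookie sourcetype extracts a clientip field (an assumption about the data, not something the post states).

```spl
index=main sourcetype=access_combined_wcookie
| search method=GET uri_path=*.php
| eval is_error = if(tonumber(status) >= 400, 1, 0)
| stats count AS requests, sum(is_error) AS errors BY clientip
| where errors > 20 AND errors > requests / 2
| sort - errors
```

The second line uses search because a wildcard match on uri_path is what search does best. The eval line converts status with tonumber() before comparing it, since a status value extracted from a web log is a string and a string comparison against 400 would be lexicographic rather than numeric. The where line is needed for the last condition: search can only compare a field with a literal, so "more errors than half of the requests" (a field compared with an expression over another field) can only be written with where. The result lists clients whose requests are mostly failing, which is a useful starting point when triaging scanning or brute-force activity in web access logs.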

#Splunk
#CyberSecurity
#Blueteam
#Redteam
#TI
#TecnologiaDaInformacao
