[Zeek] [External] Some troubles with Corelight's Splunk app using Zeek 3.0.2
Kevin Czarnecki
kczarnec at pppl.gov
Tue Mar 3 09:52:18 PST 2020
Are you using a Corelight sensor or Zeek? I've found some field names are
different on different devices. (id_orig_h vs. id.orig_h).
I had to do a fair bit of "massaging" of the searches to get them working
with different field and index names.
On Mon, Mar 2, 2020 at 6:47 AM Carlos Lopez <clopmz at outlook.com> wrote:
> Good morning,
>
> I've been using the Corelight's Splunk application for several days now
> with only one sensor and everything works fine except for the "Data
> Exploration/Connections" view. It never shows me any results, it always
> shows "No results found". I have been debugging the searches with the
> option "inspect" and it is correct: none of those searches can return
> results.
>
> An example: for Top Services view, Corelight's app performs the following
> search:
>
> search (NOT sensor_name!="*" id_orig_h="*" id_orig_p="*" id_resp_h="*"
> id_resp_p="*" NOT is_broadcast="true" service="*" (eventtype=bro_conn OR
> eventtype=corelight_conn)) | top service limit=15
>
> and without result. But If I use the following search in Splunk's general
> view:
>
> search (NOT is_broadcast="true" (eventtype=corelight_conn)) | top service
> limit=15
>
> I get results as you can see in the screenshot attached.
>
> Am I doing something wrong or is it a bug?
>
> Many thanks
>
>
>
> Regards,
> C. L. Martinez
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
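Kevin's point about field names (id_orig_h on one device, id.orig_h on another) explains the "No results found" symptom directly: every `field="*"` term in the dashboard search only matches events that actually carry a field with that exact name. The following Python script is an added illustration and is not part of the thread, the Corelight app or Zeek; it models the dashboard search quoted by Carlos as a simple filter over constructed conn events, shows which required fields are missing when the keys are dotted, and shows the same search succeeding once keys are flattened to underscores. The SPL semantics it assumes (a `field="*"` term requires the field to be present; `NOT is_broadcast="true"` also matches events without that field; `NOT sensor_name!="*"` excludes nothing) are a simplification, and the sample events and sensor names are made up.

```python
from collections import Counter

# Fields the quoted dashboard search requires with a wildcard value.
REQUIRED_FIELDS = ("id_orig_h", "id_orig_p", "id_resp_h", "id_resp_p", "service")
ALLOWED_EVENTTYPES = {"bro_conn", "corelight_conn"}

# Constructed sample events (not real traffic). The first set uses the dotted
# key names that Zeek's own JSON conn.log emits; the second uses the flattened
# underscore names the Corelight app's searches expect.
ZEEK_EVENTS = [
    {"eventtype": "bro_conn", "sensor_name": "zeek-lab", "id.orig_h": "10.0.0.5",
     "id.orig_p": 51234, "id.resp_h": "10.0.0.9", "id.resp_p": 53, "service": "dns"},
    {"eventtype": "bro_conn", "sensor_name": "zeek-lab", "id.orig_h": "10.0.0.6",
     "id.orig_p": 40211, "id.resp_h": "192.0.2.10", "id.resp_p": 80, "service": "http"},
    {"eventtype": "bro_conn", "sensor_name": "zeek-lab", "id.orig_h": "10.0.0.7",
     "id.orig_p": 51240, "id.resp_h": "10.0.0.9", "id.resp_p": 53, "service": "dns"},
    # Broadcast traffic: the search drops it with NOT is_broadcast="true".
    {"eventtype": "bro_conn", "sensor_name": "zeek-lab", "id.orig_h": "10.0.0.8",
     "id.orig_p": 68, "id.resp_h": "255.255.255.255", "id.resp_p": 67,
     "service": "dhcp", "is_broadcast": "true"},
]

CORELIGHT_EVENTS = [
    {"eventtype": "corelight_conn", "sensor_name": "cl-sensor", "id_orig_h": "10.0.1.5",
     "id_orig_p": 44321, "id_resp_h": "192.0.2.20", "id_resp_p": 443, "service": "ssl"},
    {"eventtype": "corelight_conn", "sensor_name": "cl-sensor", "id_orig_h": "10.0.1.6",
     "id_orig_p": 44322, "id_resp_h": "192.0.2.21", "id_resp_p": 443, "service": "ssl"},
    {"eventtype": "corelight_conn", "sensor_name": "cl-sensor", "id_orig_h": "10.0.1.7",
     "id_orig_p": 51000, "id_resp_h": "10.0.1.9", "id_resp_p": 53, "service": "dns"},
]


def normalize_field_names(event):
    """Return a copy of the event with dotted keys flattened (id.orig_h -> id_orig_h).

    This is the kind of 'massaging' needed so one search works for both naming
    schemes; doing it on the data side is an alternative to rewriting searches.
    """
    return {key.replace(".", "_"): value for key, value in event.items()}


def missing_dashboard_fields(event):
    """List the required wildcard fields an event lacks; empty means it can match."""
    return [f for f in REQUIRED_FIELDS if event.get(f) is None]


def matches_dashboard_filter(event):
    """Approximate the quoted Top Services search (assumed SPL semantics).

    NOT sensor_name!="*"  -> matches every event, so it is not checked here.
    <field>="*"           -> field must be present.
    NOT is_broadcast="true" -> absent or any value other than "true" passes.
    eventtype=bro_conn OR eventtype=corelight_conn.
    """
    if missing_dashboard_fields(event):
        return False
    if str(event.get("is_broadcast", "")).lower() == "true":
        return False
    return event.get("eventtype") in ALLOWED_EVENTTYPES


def top_services(events, limit=15):
    """Equivalent of '| top service limit=15': (service, count) pairs, most common first."""
    counts = Counter(e["service"] for e in events if matches_dashboard_filter(e))
    return counts.most_common(limit)


if __name__ == "__main__":
    print("Zeek events, dotted keys:", top_services(ZEEK_EVENTS))
    print("Missing on first Zeek event:", missing_dashboard_fields(ZEEK_EVENTS[0]))
    print("Zeek events, flattened keys:",
          top_services([normalize_field_names(e) for e in ZEEK_EVENTS]))
    print("Corelight events:", top_services(CORELIGHT_EVENTS))
```

Running it shows the dotted Zeek events producing an empty result (all four `id_*` fields reported missing), the same events producing dns and http counts once flattened, and the Corelight events matching unchanged. The same diagnostic idea applies in Splunk itself: check which of the wildcard fields the search relies on are actually extracted from your events before adjusting either the searches or the field extraction.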