We have squid proxy logs that are compared with the threat lists in Splunk ES.
It works fine, but in the list under Splunk ES > Advanced Threat > Threatlist Activity > Threat Activity Details we only see IP addresses in the dest field.
![alt text][1]
In the log events of squid I also have the URL, which is much more human readable.
What I want is to add the field uri_host to my data in index=threat_activity as well.
It looks like the index is filled by a saved search: Threat - Source And Destination Matches - Threat Gen
The data looks like:

```
11/27/2015 14:15:00 +0100, search_name="Threat - Source And Destination Matches - Threat Gen", search_now=1448630100.000, info_min_time=1448622000.000, info_max_time=1448630100.000, info_search_time=1448630114.038, dest="xxx.xxx.xx.xxx", orig_sourcetype="cisco:asa", src="yyy.yyy.yyy.yyy", threat_collection=ip_intel, threat_collection_key="emerging_threats_ip_blocklist|43.229.52.0/22", threat_key=emerging_threats_ip_blocklist, threat_match_field=src, threat_match_value="43.229.53.53"
```
The search looks like this:

```
| `src_dest_tstats("allowed")` | `truncate_domain_dedup(src)` | `truncate_domain_dedup(dest)` | `threatintel_multilookup(src)` | `threatintel_multilookup(dest)` | search threat_collection_key=* | fields - count | `zipexpand_threat_matches` | fields sourcetype,src,dest,threat*
```

I tried to add just `| fields sourcetype,src,dest,uri_host,threat*` but this is not working.
Does anybody have a description of these macros? Or where can I find them so I can adjust them?
[1]: /storage/temp/73240-threatlist.png
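One search-time way to see uri_host next to each threat match, as an added example that is not from the original post and not part of Splunk ES: it assumes the squid events are in index=proxy with sourcetype=squid:access (assumed names) and carry a dest field whose value matches the dest written to index=threat_activity; the fallback text "(no squid match)" is a constructed placeholder.

```spl
index=threat_activity search_name="Threat - Source And Destination Matches - Threat Gen"
| join type=left dest
    [ search index=proxy sourcetype="squid:access" uri_host=*
      | stats values(uri_host) AS uri_host by dest ]
| fillnull value="(no squid match)" uri_host
| table _time src dest uri_host threat_collection threat_key threat_match_field threat_match_value
```

This enriches the results at search time only, so it does not change what the Threat Gen search stores in index=threat_activity; a dest that had no squid event in the searched time range keeps the placeholder instead of a host name.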