Difference between revisions of "Sumologic Queries"
Jump to navigation
Jump to search
| Line 4: | Line 4: | ||
_dataTier=All AND _sourceCategory=foo AND error | _dataTier=All AND _sourceCategory=foo AND error | ||
``` | ``` | ||
| + | |||
| + | ``` | ||
| + | _index=WinEvent_Security | parse "EventCode = *;" as event_id nodrop | parse regex "Subject:[\s\S]+?Security\sID:\t+(?<user>[^\r]+)" nodrop | parse regex "Subject:[\s\S]+?Caller\sComputer\sName:\t+(?<attempted_by>[^\r]+)" nodrop | parse regex "Subject:[\s\S]+?Account\sName:\t+(?<domain_controller>[^\r]+)" nodrop | parse regex "Network Information[\s\S]+?Source Network Address:[\t](?<ip_addr>[^\n]+)" nodrop | where event_id in ("4625","4624") | where dest_user = "foo" | ||
| + | ``` | ||
| + | |||
| + | https://help.sumologic.com/docs/search/search-cheat-sheets/general-search-examples/ | ||
https://help.sumologic.com/docs/api/search-job/ | https://help.sumologic.com/docs/api/search-job/ | ||
https://api.sumologic.com/api/v1/search/jobs | https://api.sumologic.com/api/v1/search/jobs | ||
Revision as of 18:33, 15 August 2023
_sourceHost=mycollector AND (fail* OR error) _sourceHost=host2 AND (fail* OR error) _dataTier=All AND _sourceCategory=foo AND error
_index=WinEvent_Security | parse "EventCode = *;" as event_id nodrop | parse regex "Subject:[\s\S]+?Security\sID:\t+(?<user>[^\r]+)" nodrop | parse regex "Subject:[\s\S]+?Caller\sComputer\sName:\t+(?<attempted_by>[^\r]+)" nodrop | parse regex "Subject:[\s\S]+?Account\sName:\t+(?<domain_controller>[^\r]+)" nodrop | parse regex "Network Information[\s\S]+?Source Network Address:[\t](?<ip_addr>[^\n]+)" nodrop | where event_id in ("4625","4624") | where dest_user = "foo"
https://help.sumologic.com/docs/search/search-cheat-sheets/general-search-examples/