Difference between revisions of "Sumologic Queries"
(5 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
_sourceHost=mycollector AND (fail* OR error) | _sourceHost=mycollector AND (fail* OR error) | ||
_sourceHost=host2 AND (fail* OR error) | _sourceHost=host2 AND (fail* OR error) | ||
+ | _dataTier=All AND _sourceCategory=foo AND error | ||
``` | ``` | ||
+ | |||
+ | ``` | ||
+ | _index=WinEvent_Security | parse "EventCode = *;" as event_id nodrop | parse regex "Subject:[\s\S]+?Security\sID:\t+(?<user>[^\r]+)" nodrop | parse regex "Subject:[\s\S]+?Caller\sComputer\sName:\t+(?<attempted_by>[^\r]+)" nodrop | parse regex "Subject:[\s\S]+?Account\sName:\t+(?<domain_controller>[^\r]+)" nodrop | parse regex "Network Information[\s\S]+?Source Network Address:[\t](?<ip_addr>[^\n]+)" nodrop | where event_id in ("4625","4624") | where dest_user = "foo" | ||
+ | ``` | ||
+ | |||
+ | ``` | ||
+ | (((((_index=ad_security OR _index=AD_WinEventSecurity or _index=WinEvent_Security) AND (event_id = "4624"))))) | ||
+ | | parse regex "Network Information:[\s]+Workstation Name:[\t](?<workstation>[^\r]+)" nodrop | ||
+ | | where (user = "myuser" and workstation = "MYHOST") | ||
+ | ``` | ||
+ | |||
+ | ``` | ||
+ | (((((_index=ad_security OR _index=AD_WinEventSecurity or _index=WinEvent_Security) AND (event_id = "4624"))))) | ||
+ | | parse regex "Network Information:[\s]+Workstation Name:[\t](?<workstation>[^\r]+)" nodrop | ||
+ | | where (user = "myuser" and workstion != "-") | ||
+ | ``` | ||
+ | |||
+ | https://help.sumologic.com/docs/search/search-cheat-sheets/general-search-examples/ | ||
+ | |||
+ | https://help.sumologic.com/docs/api/search-job/ | ||
+ | |||
+ | https://api.sumologic.com/api/v1/search/jobs |
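Review bot: The last added query filters on `workstion`, a field no parse in that query produces (the regex names its capture `workstation`), so the clause `workstion != "-"` cannot express the intent; it should read `| where (user = "myuser" and workstation != "-")`. The added WinEvent_Security query has the same shape of problem: its final `where dest_user = "foo"` references a field none of its parse statements extract (the Subject Security ID is captured as `user`), so either the filter should name an extracted field or the missing parse should be added. That query's capture names `attempted_by` and `domain_controller` are taken from the Subject block's "Caller Computer Name" and "Account Name", which may not be what those names suggest; a one-line `//` comment stating which event section each field is read from would save the next reader a guess. In both 4624 queries, `event_id` and `user` are not extracted inside the query, so they presumably depend on fields already present on those indexes — worth a comment noting that dependency.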
Latest revision as of 15:56, 30 August 2023
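// Three independent searches, one per line (the wiki rendering collapsed them onto a single line).
// Each keeps messages containing a word starting with "fail" or the word "error".
// Messages whose source host is mycollector:
_sourceHost=mycollector AND (fail* OR error)
// The same filter for host2:
_sourceHost=host2 AND (fail* OR error)
// With _dataTier set to All, messages whose source category is foo and that contain "error":
_dataTier=All AND _sourceCategory=foo AND error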
// Windows Security events: extract the event ID from "EventCode = *;" and, from the message text,
// the Subject Security ID (as user), the Caller Computer Name (as attempted_by), the Subject Account Name
// (as domain_controller) and the Source Network Address (as ip_addr); nodrop keeps messages where a parse
// does not match. Then keep event IDs 4625 and 4624 (failed and successful logons).
// NOTE(review): `dest_user` is not produced by any parse above (the Subject Security ID is named `user`),
// so the final where clause filters on an unextracted field — confirm the intended field.
// NOTE(review): `attempted_by` and `domain_controller` are read from the Subject section of the event text;
// confirm those names reflect what that section actually holds.
_index=WinEvent_Security | parse "EventCode = *;" as event_id nodrop | parse regex "Subject:[\s\S]+?Security\sID:\t+(?<user>[^\r]+)" nodrop | parse regex "Subject:[\s\S]+?Caller\sComputer\sName:\t+(?<attempted_by>[^\r]+)" nodrop | parse regex "Subject:[\s\S]+?Account\sName:\t+(?<domain_controller>[^\r]+)" nodrop | parse regex "Network Information[\s\S]+?Source Network Address:[\t](?<ip_addr>[^\n]+)" nodrop | where event_id in ("4625","4624") | where dest_user = "foo"
// Successful logons (event 4624) from any of three Windows Security indexes: extract the
// Workstation Name from the Network Information section (nodrop keeps messages where the regex
// does not match), then keep only myuser logging on from MYHOST.
// NOTE(review): `event_id` and `user` are not parsed in this query — presumably fields already
// present on these indexes; confirm before reusing on another index.
(((((_index=ad_security OR _index=AD_WinEventSecurity or _index=WinEvent_Security) AND (event_id = "4624"))))) | parse regex "Network Information:[\s]+Workstation Name:[\t](?<workstation>[^\r]+)" nodrop | where (user = "myuser" and workstation = "MYHOST")
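// Successful logons (event 4624) for myuser from any of three Windows Security indexes where the
// extracted Workstation Name is not "-". The regex captures the name as `workstation`; the original
// filter referenced `workstion`, a field nothing in the query produces, so the clause now uses the
// field that is actually extracted. nodrop keeps messages where the regex does not match.
// NOTE(review): `event_id` and `user` are not parsed in this query — presumably fields already
// present on these indexes; confirm before reusing on another index.
(((((_index=ad_security OR _index=AD_WinEventSecurity or _index=WinEvent_Security) AND (event_id = "4624"))))) | parse regex "Network Information:[\s]+Workstation Name:[\t](?<workstation>[^\r]+)" nodrop | where (user = "myuser" and workstation != "-")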
https://help.sumologic.com/docs/search/search-cheat-sheets/general-search-examples/