Splunk® App for PCI Compliance

User Manual



This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Search macros

The Splunk App for PCI Compliance includes a variety of search macros that can be used to create custom searches and notable events. Search macros can be found in the /default directory of the Domain Add-ons (DA) and Supporting Add-ons (SA) listed here.

Some of these search macros provide data. For example:

`authentication`
`malware`
`ids_attack`
`communicate`
`get_summary`
`get_category`

Some search macros bring in lookup table data. For example:

`assets`
`identities`
`categories`

Other search macros perform lookups. For example:

`get_asset`
`get_identities4events`
`get_correlationsearches`

There are also utility search macros. For example:

`ctime(<timestamp>)`
`get_vendor_product`
`uitime`
`uptime2string`

The back ticks (`) denote the start and the end of a search macro invocation when used in the Splunk search language. The values following the search macro name, such as (<timestamp>), denote the type and number of arguments the macro takes. Overloaded macros are macros with the same name but a different number of required arguments.

To learn more about the syntax used in macros see "Define search macros in Settings" and "macros.conf" in the Splunk Enterprise documentation.
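The argument-count convention described above is what a macros.conf stanza encodes: `[ctime(1)]` and `[ctime(2)]` are two stanzas, and Splunk picks the one whose arity matches the number of arguments in the call, substituting each value for its `$argname$` placeholder in the definition. The following Python script is an added example, not code from the Splunk App for PCI Compliance or from SA-Utils. It parses a small constructed macros.conf (the `ctime` and `get_vendor_product` definitions in it are hypothetical stand-ins written to match the behaviour the tables on this page describe), flags stanzas whose declared arity disagrees with their `args` list, and expands macro calls in a search string by arity. The quoted-argument form Splunk also accepts is deliberately not handled; arguments are split on commas only.

```python
import re

# Constructed sample macros.conf. The definitions are hypothetical and only
# mimic what this page says ctime(1), ctime(2) and get_vendor_product do.
SAMPLE_MACROS_CONF = """
# ctime(1): epoch -> mm/dd/yyyy hh:mm:ss (hypothetical definition)
[ctime(1)]
args = timestamp
definition = convert timeformat="%m/%d/%Y %H:%M:%S" ctime($timestamp$)

# ctime(2): same, but the caller supplies the format (hypothetical definition)
[ctime(2)]
args = timestamp, time_format_specifier
definition = convert timeformat="$time_format_specifier$" ctime($timestamp$)

# zero-argument macro: no parentheses in the stanza name
[get_vendor_product]
definition = eval vendor_product = vendor . " " . product
"""

# A stanza is "[name]" or "[name(N)]"; N is the number of arguments.
STANZA_RE = re.compile(r"^\[([A-Za-z0-9_-]+)(?:\((\d+)\))?\]$")
# A macro call inside a search: `name` or `name(arg1, arg2, ...)`.
CALL_RE = re.compile(r"`([A-Za-z0-9_-]+)(?:\(([^`]*)\))?`")


def parse_macros_conf(text):
    """Return {(name, arity): {"args": [...], "definition": "..."}}."""
    macros = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            name, arity = m.group(1), int(m.group(2) or 0)
            current = {"args": [], "definition": ""}
            macros[(name, arity)] = current
            continue
        if current is None or "=" not in line:
            continue
        # Split on the first "=" only; definitions often contain "=" themselves.
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "args":
            current["args"] = [a.strip() for a in value.split(",") if a.strip()]
        elif key == "definition":
            current["definition"] = value
    return macros


def check_arity(macros):
    """Report stanzas whose (N) in the name disagrees with the args list."""
    problems = []
    for (name, arity), spec in macros.items():
        declared = len(spec["args"])
        if declared != arity:
            problems.append(f"{name}({arity}) lists {declared} argument name(s)")
    return problems


def expand_macro_call(search, macros):
    """Replace each backtick-delimited macro call with its resolved definition.

    Resolution is by name *and* number of supplied arguments, which is how
    overloaded macros such as ctime(1) and ctime(2) are told apart.
    """
    def repl(m):
        name, argstr = m.group(1), m.group(2)
        if argstr is None or not argstr.strip():
            values = []
        else:
            values = [a.strip() for a in argstr.split(",")]
        spec = macros.get((name, len(values)))
        if spec is None:
            raise KeyError(f"no macro {name} taking {len(values)} argument(s)")
        body = spec["definition"]
        for argname, value in zip(spec["args"], values):
            body = body.replace(f"${argname}$", value)
        return body
    return CALL_RE.sub(repl, search)


if __name__ == "__main__":
    table = parse_macros_conf(SAMPLE_MACROS_CONF)
    print("arity problems:", check_arity(table) or "none")
    print(expand_macro_call("index=main | `ctime(_time)`", table))
    print(expand_macro_call("index=main | `ctime(_time, %Y-%m-%d)`", table))
```

Pointing `parse_macros_conf` at the `default/macros.conf` of an SA or DA instead of the embedded sample gives a quick inventory of which names are overloaded and with how many arguments, which is useful before writing custom searches that call them.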

Access Protection

These search macros are part of SA-AccessProtection.

| Search macro | Intended purpose | Expected data types |
| --- | --- | --- |
| `authentication` | Used to report on access events | System access logs, such as ssh, Windows, or database audit |
| `authentication(<action>)` | Used to validate success or failure of authentication access | System access logs, such as ssh, Windows, or database audit |
| `account_management` | Used to report on account management events, such as Create, Update, or Delete actions | System audit logs, such as Active Directory or OpenLDAP |
| `default_local_accounts` | Used to report usage of default local accounts | Special user accounts table and system access logs |

Audit and Data Protection

These search macros are part of SA-AuditAndDataProtection.

| Search macro | Intended purpose | Expected data types |
| --- | --- | --- |
| `splunkd_utilization` | Reports resource utilization of the Splunk data engine process | Splunk's internal logs |
| `splunkd_startmode` | Reports start mode of the Splunk data engine process | Splunk's internal logs |
| `index_thruput(<data_source>)` | Reports throughput of data by index, source, sourcetype, or host | Splunk's internal logs (metrics.log) |
| `license_info` | Reports license utilization level | Splunk's internal logs (license_audit.log) |
| `search_activity` | Reports search audit activity | Splunk's internal logs (_audit index) |
| `view_activity` | Reports usage of Splunk apps | Splunk's internal logs (_internal index, sourcetype splunk_web_access) |
| `audit_validation` | Reports audited events for validation testing | Splunk's internal logs (_audit index) |

Endpoint Protection

These search macros are part of SA-EndpointProtection.

| Search macro | Intended purpose | Expected data types |
| --- | --- | --- |
| `cputime` | Report all processor usage level records | Performance monitoring data, such as data from Windows or Unix endpoints |
| `cputime(<machine_name>)` | Report all processor usage level records for a single machine (cputime(ACME-001)) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `cputime(<machine_name>, <top_N_processor_usage_records>)` | Report the top N processor usage level records for a single machine (cputime(ACME-001,10)) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `disk` | Report all disk space usage level records | Performance monitoring data, such as data from Windows or Unix endpoints |
| `disk(<machine_name>)` | Report all disk space usage level records for a single machine (disk(ACME-001)) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `disk(<machine_name>, <disk_space_usage_level>)` | Report the top N disk space usage level records for a single machine (disk(ACME-001,10)) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `endpoint_change` | Report system change events | Endpoint audit logs, such as data from Windows or Unix endpoints |
| `listeningports` | Report all records of listening network ports on endpoints | Performance monitoring data, such as data from Windows or Unix endpoints |
| `listeningports(<machine_name>)` | Report all records of listening network ports on a single machine (listeningports(ACME-001)) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `listeningports(<machine_name>, <top_N_listening_network_ports>)` | Report the top N records of listening network ports on a single machine (listeningports(ACME-001,10)) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `malware` | Report malware discovery and cleanup events | Endpoint protection data, such as from McAfee or Symantec |
| `memory` | Report all RAM usage level records | Performance monitoring data, such as data from Windows or Unix endpoints |
| `memory(<machine_name>)` | Report all RAM usage level records for a single machine (memory(ACME-001)) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `memory(<machine_name>, <ram_usage_level>)` | Report the top N RAM usage level records for a single machine (memory(ACME-001,10)) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `localprocesses` | Report all records of running processes on endpoints | Performance monitoring data, such as data from Windows or Unix endpoints |
| `localprocesses(<machine_name>)` | Report all records of running processes on a single machine (localprocesses(ACME-001)) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `localprocesses(<machine_name>, <top_N_running_processes>)` | Report the top N records of running processes on a single machine (localprocesses(ACME-001,10)) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `selinuxconfig` | Report all SELinux configuration status records for all machines | System audit data from Linux endpoints |
| `selinuxconfig(<machine_name>)` | Report all SELinux configuration status records for a single machine (selinuxconfig(ACME-001)) | System audit data from Linux endpoints |
| `selinuxconfig(<machine_name>, <top_N_conf_status_records>)` | Report the top N SELinux configuration status records for a single machine (selinuxconfig(ACME-001,10)) | System audit data from Linux endpoints |
| `service` | Report all records of running services on endpoints ("service" is used generically to refer to Windows or UNIX system services) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `service(<machine_name>)` | Report all records of running services on a single machine (service(ACME-001)) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `service(<machine_name>, <top_N_running_services>)` | Report the top N records of running services on a single machine (service(ACME-001,10)) | Performance monitoring data, such as data from Windows or Unix endpoints |
| `sshdconfig` | Report all SSHD configuration status records for all machines | System audit data from UNIX or Linux endpoints |
| `sshdconfig(<machine_name>)` | Report all SSHD configuration status records for a single machine (sshdconfig(ACME-001)) | System audit data from UNIX or Linux endpoints |
| `sshdconfig(<machine_name>, <top_N_SSHD_config_status_records>)` | Report the top N SSHD configuration status records for a single machine (sshdconfig(ACME-001,10)) | System audit data from UNIX or Linux endpoints |
| `time_sync` | Report all time synchronization status records from all endpoints | System audit data, such as data from Windows or Unix endpoints |
| `time_sync(<action>)` | Report successful or failed time synchronization status records from all endpoints (time_sync(success)) | System audit data, such as data from Windows or Unix endpoints |
| `index_time_delta` | Report time synchronization problems on endpoints by evaluating the difference between the time reported in the event and the actual time at which the event was indexed | Splunk internal logs |
| `ntp_startmode` | Report all time synchronization service start mode records from all endpoints (any service tagged "time" will be reported, not just ntpd) | System audit data, such as from Windows or UNIX endpoints |
| `ntp_startmode(<endpoint_name>)` | Report all time synchronization service start mode records from a single endpoint (ntp_startmode(ACME-001)); any service tagged "time" will be reported, not just UNIX ntpd | System audit data, such as from Windows or UNIX endpoints |
| `system_update` | Report patching status on endpoints | System audit data, such as from Windows or UNIX endpoints |
| `update_startmode` | Report patching service status records from all endpoints (any service tagged "update" will be reported) | System audit data, such as from Windows or UNIX endpoints |
| `update_startmode(<endpoint_name>)` | Report all patching service status records from a single endpoint (update_startmode(ACME-001)); any service tagged "update" will be reported | System audit data, such as from Windows or UNIX endpoints |
| `uptime` | Report all OS uptime records from all endpoints | System audit data, such as from Windows or UNIX endpoints |
| `uptime(<endpoint_name>)` | Report all OS uptime records from a single endpoint (uptime(ACME-001)) | System audit data, such as from Windows or UNIX endpoints |
| `uptime(<endpoint_name>, <top_N_OS_uptime_records>)` | Report the top N OS uptime records from a single endpoint (uptime(ACME-001,10)) | System audit data, such as from Windows or UNIX endpoints |
| `useraccounts` | Report all user account status records, management events, and password information records gathered from all endpoints | System audit data, such as from Windows or UNIX endpoints |
| `useraccounts(<endpoint_name>)` | Report all user account status records, management events, and password information records gathered from a single endpoint (useraccounts(ACME-001)) | System audit data, such as from Windows or UNIX endpoints |
| `useraccounts(<endpoint_name>, <top_N_user_account_status_records>)` | Report the top N user account status records, management events, and password information records gathered from a single endpoint (useraccounts(ACME-001,10)) | System audit data, such as from Windows or UNIX endpoints |
| `system_version` | Report all raw events from which operating system names and versions have been discovered | Vulnerability scanners such as Nessus or OSSEC, and/or system audit data, such as from Windows or UNIX endpoints |

Identity Management

These search macros are part of SA-IdentityManagement.

| Macro | Intended purpose | Expected data types |
| --- | --- | --- |
| `get_bunit(<business_unit_name>)` | Search by business unit, for example `get_bunit(EMEA)` | Assets and Identities lookups must be populated with business unit information. |
| `get_category(<category_name>)` | Search by category, for example `get_category(email_servers)` | Assets and Identities lookups must be populated with category information. |
| `asset_search(<asset_name>)` | Find all records associated with a single asset by searching the asset-related fields and leveraging unspecified asset correlation information. For instance, asset_search(ACME-001) can find records via the machine's IP or MAC address, using source or destination fields. | The Assets lookup must be populated with enough information about the asset to identify non-directly related fields. |
| `get_events4identity(<name_compound>, <string_to_match>)` | Return the events associated with a given identity using any field from the Identities table. For instance, get_events4identity(email,jdoe@acmetech.com) can find records associated with the identity that the email address belongs to. Stack the command for more precise usage, such as get_events4identity(first,John) get_events4identity(last,Doe). | The Identities lookup must be populated with enough information about the identity to identify non-directly related fields. |
| `identity_search(<identity_field_name>)` | Find all records associated with a single identity specified with any field by searching the identity-related fields and leveraging unspecified identity correlation information. For instance, identity_search(jdoe@acmetech.com) can find records via the person's email address, Active Directory login, SAP account name, or phone number, using applicable fields. | The Identities lookup must be populated with enough information about the identity to identify non-directly related fields. |
| `identity_search(<first_name>, <last_name>)` | Find all records associated with a single identity specified with first and last name by searching the identity-related fields and leveraging unspecified identity correlation information. For instance, identity_search(John,Doe) can find records via the person's email address, Active Directory login, SAP account name, or phone number, using applicable fields. | The Identities lookup must be populated with enough information about the identity to identify non-directly related fields. |
| `sessions` | Reports all discovered network sessions. Sessions are tracked for VPN and DHCP logs. | VPN or DHCP logs |

Network Protection

These search macros are part of SA-NetworkProtection.

| Macro | Intended purpose | Expected data types |
| --- | --- | --- |
| `communicate` | Display networking data | Firewall logs |
| `communicate(<action>)` | Display networking data by action (allowed or blocked) | Firewall logs |
| `network_change` | Display records of network change events | Operational logs from network infrastructure devices |
| `ids_attack` | Display all detected intrusion event records | Intrusion Detection System and Intrusion Prevention System logs (including network-based, host-based, and other types) |
| `proxy` | Display web proxy events | Web proxy server logs |
| `vulnerability` | Display discovered vulnerability data | Vulnerability scanners, such as Nessus |

Threat Intelligence

These search macros are part of SA-ThreatIntelligence.

| Macro | Intended purpose | Expected data types |
| --- | --- | --- |
| `filter` | Suppress Notable Events that have been tagged for suppression | The Notable Event Suppression feature needs to be used for this to have effect. |
| `notable` | Displays Notable Events with proper rendering | The app's _notable index |
| `suppression_audit` | Reports suppression events from audit logs | The Notable Event Suppression feature needs to be used for this to have effect. |
| `suppression_audit-expired` | Reports suppression expirations | The Notable Event Suppression feature needs to be used for this to have effect. |
| `suppressed_notables` | Reports suppressed Notable Events | The Notable Event Suppression feature needs to be used for this to have effect. |

Utilities

These search macros are part of SA-Utils.

The utility macros do not depend on a particular data type, so the "Expected data types" column is omitted and the macros are grouped by function instead.

| Group | Macro | Intended purpose |
| --- | --- | --- |
| Boolean | `str_to_bool(<field_name>)` | Wrapper for str_to_bool(<string>,<boolean>) which converts the field in-place to "true" or "false" |
| Boolean | `str_to_bool(<string>,<boolean>)` | Normalizes values like "T" or "f" to "true" or "false" respectively |
| Date/Time | `get_date(<field_name>)` | Create a new field named "date" in the format "mm-dd-yyyy" from another field containing a UNIX epoch timestamp |
| Date/Time | `ctime(<timestamp>)` | Convert an epoch time (UNIX timestamp) to a date string in the format mm/dd/yyyy hh:mm:ss. Wrapper for ctime(2) |
| Date/Time | `ctime(<timestamp>, <time_format_specifier>)` | Convert an epoch time (UNIX timestamp) to a date string, mm/dd/yyyy hh:mm:ss by default, but allows specification of any format |
| Date/Time | `uitime(<time_field>)` | Same as ctime(1), but leaves the underlying field data as-is. This macro is only used for displaying fields in the UI in a human-readable format while still permitting accurate sorting. See the core Splunk search command "fieldformat" for additional details. |
| Date/Time | `uitime(<time_field>, <time_specifier>)` | Same as ctime(2), but leaves the underlying field data as-is. This macro is only used for displaying fields in the UI in a human-readable format while still permitting accurate sorting. See the core Splunk search command "fieldformat" for additional details. |
| Date/Time | `uptime2string(<input_field_name>, <output_field_name>)` | Turns an integer number of seconds into a string like "3 days, 10 hours, 25 minutes". Accepts an input field name and an output field name as arguments, in that order. |
| Date/Time | `get_TimeEpoch(<firstTime>, <lastTime>)` | Takes a firstTime and lastTime as input, and increments the last time so that at least a one-second interval exists between the two. This is used primarily to circumvent errors in drilldowns where lastTime must be strictly greater than (versus greater than or equal to) the firstTime. |
| Date/Time | `timeDiff` | Gets the time difference in seconds between now and the event timestamp |
| Date/Time | `hourDiff` | Same as timeDiff, but in hours (real-numbered values returned) |
| Date/Time | `dayDiff` | Same as timeDiff, but in days (real-numbered values returned) |
| Date/Time | `hoursago(<number_of_hours>, <comparator>)` | Search for events a certain number of hours offset (before or after) from the input time. Accepts an integral number of hours and a comparator (<, >, >=, <=, =) as input parameters. |
| Date/Time | `hoursago(<hoursago>)` | Wrapper for hoursago(<number_of_hours>, <comparator>), which defaults to searching for events before (less than) the input time |
| Date/Time | `daysago(<number_of_days>, <comparator>)` | Same as hoursago(<number_of_hours>, <comparator>), but for days |
| Date/Time | `daysago(<daysago>)` | Same as hoursago(<hoursago>), but for days |
| Event ID | `get_event_hash` | Create the "event_hash" field as the md5sum of the "_raw" field |
| Event ID | `get_event_id` | Create the "event_hash" field as the md5sum of the "_time" and "_raw" fields |
| Event ID | `parse_event_id(<event_id>)` | Dissect the unique event identifier ("event_id") into "orig_splunk_server", "orig_index", and "orig_event_hash". Parses an event_id compatible with real-time search (no _cd). |
| Post Process | `postprocess_audit` | Get postprocess_audit eventtype events |
| Post Process | `postprocess_transact` | Get postprocess events as transactions grouped by "parent" search ID |
| REST | `rest_handler_transactions` | Macro for getting transactions of REST handler calls; used in the rest_audit dashboard |
| Summary Indexing | `get_summary(<index>, <search_name>)` | Retrieve summary events by the specific index and the name of the search that generated the summary |
| Transformations | `get_namespace` | Look up the namespace (app) for the given source type. Enterprise Security and PCI generate many custom log files, in several dozen Splunk applications, and these logs are themselves indexed by Splunk. This macro identifies the application that "owns" a particular source type and is primarily for internal Splunk use. |
| Transformations | `get_vendor_product` | Concatenates the vendor and product field values for easier reference |
| Transformations | `lower(<field_value>)` | Lowercases the given field value |
| Transformations | `truncate(<field_name>)` | Truncates the given field value |
Last modified on 15 April, 2016
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1
