rare Сommand in Splunk

Posted on December 30, 2024

The rare command in Splunk helps you find the least common values in a specific field of your data. This is useful for spotting unusual or infrequent events. By default, the rare command in Splunk returns the 10 least common values for a specified field.

Find Rare User Agents

To identify the least common user agents in your web access logs:

index=web sourcetype=access_logs | rare user_agent

This returns 10 of the least common user agents.

Identify Uncommon HTTP Status Codes

To detect rare HTTP status codes in your security logs:
Here we set the limit of returns using limit

index=security sourcetype=security_logs | rare http_status_code limit=3

This returns the 3 least common HTTP status codes, helping to spot unusual responses.

The post rare Сommand in Splunk appeared first on SOC Prime.

Asylum Ambuscade Attack Detection: Hacking Collective Engaged in Multiple Cyber-Espionage and Financially-Motivated Cybercrime Campaigns

Threats

On February 24, 2022, a little more than a year…

rooter
June 12, 2023
4 min read
0

CVE-2024-27198 and CVE-2024-27199 Detection: Critical Vulnerabilities in JetBrains TeamCity Pose Escalating Risks with Exploits Underway

Threats

A couple of months after the massive exploitation of CVE-2023-42793,…

rooter
March 6, 2024
3 min read
0

APT28 aka UAC-0001 Group Leverages Phishing Emails Disguised As Instructions for OS Updates Targeting Ukrainian State Bodies

Threats

The infamous russian nation-backed hacking collective tracked as APT28 or…

rooter
April 28, 2023
4 min read
0

SOC Prime Threat Bounty Digest — January 2024 Results

Threats

Threat Bounty Content In January, the members of the Threat…

rooter
February 19, 2024
3 min read
0