rare Сommand in Splunk

Posted on December 30, 2024

The rare command in Splunk helps you find the least common values in a specific field of your data. This is useful for spotting unusual or infrequent events. By default, the rare command in Splunk returns the 10 least common values for a specified field.

Find Rare User Agents

To identify the least common user agents in your web access logs:

index=web sourcetype=access_logs | rare user_agent

This returns 10 of the least common user agents.

Identify Uncommon HTTP Status Codes

To detect rare HTTP status codes in your security logs:
Here we set the limit of returns using limit

index=security sourcetype=security_logs | rare http_status_code limit=3

This returns the 3 least common HTTP status codes, helping to spot unusual responses.

The post rare Сommand in Splunk appeared first on SOC Prime.

Detecting Abused Legitimate Tools Applied by Hackers in the Human-Operated Ransomware Attacks

Threats

With the constantly changing cyber threat landscape and the increasing…

rooter
May 10, 2023
4 min read
0

CVE-2023-38146 Detection: Windows “ThemeBleed” RCE Bug Poses Growing Risks with the PoC Exploit Release

Threats

The new Microsoft Windows Themes security bug tracked as CVE-2023-38146,…

rooter
September 19, 2023
3 min read
0

Interview with Threat Bounty Developer – Mehmet Kadir CIRIK

Threats

As we continue to tell about our keen members of…

rooter
June 12, 2023
7 min read
0

Earth Preta APT Attack Detection: China-Linked APT Hits Asia with DOPLUGS Malware, a New PlugX Variant

Threats

The nefarious China-backed Earth Preta APT also known as Mustang…

rooter
February 22, 2024
4 min read
0