Work
April 22
Splunk: a query for listing Exchange authentications
(index="exchange_http_proxy") "AuthenticatedUser"!="*Health*"
| eval Date = strftime(_time, "%Y-%m-%d %H:%M")
| eval SortDate = strftime(_time, "%Y-%m-%d %H:%M")
| eval DeviceModel=case(UserAgent like "Apple-iPhone%","iPhone Mail App",UserAgent=="Outlook-iOS-Android/1.0","Outlook for Mobile",isNull(UserAgent),"none",UserAgent like "MacOutlook%","Outlook for MACOSX",UserAgent like "%Microsoft Outlook%","Outlook for Windows")
| stats min(_time) as EarliestEvent max(_time) as LatestEvent by "ClientIpAddress", "host", "IsAuthenticated", "UrlHost", "AuthenticatedUser", "DeviceModel", "UserAgent"
| eval EarliestEvent = strftime(EarliestEvent, "%Y-%m-%d %H:%M"), LatestEvent = strftime(LatestEvent, "%Y-%m-%d %H:%M")
Without further ado, I'll just say that this query works fine.
The index holds the data of the Exchange HTTP services: OWA, RPC, MAPI and others.
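To check what the query above actually reports, here is an added Python re-implementation of its filter, case() classification and stats grouping, run over constructed Exchange HTTP proxy records. It is example code written for this note, not part of the original post or of Splunk; the field names follow the query, the sample events, hosts, IPs and user agents are made up, and timestamps are rendered in UTC (Splunk's strftime uses the search head's time zone).

```python
"""Added example, not from the original note: a Python re-implementation of the
Splunk query (filter, case() classification, stats min/max by ...) over
constructed Exchange HTTP proxy records. Every record below is made up."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample events; _time is epoch seconds as in Splunk.
# 1713744000 == 2024-04-22 00:00 UTC.
SAMPLE_EVENTS = [
    # alice: two iPhone Mail hits one hour apart -> one row, earliest 08:00, latest 09:00
    {"_time": 1713772800, "ClientIpAddress": "10.0.0.5", "host": "cas01", "IsAuthenticated": "true",
     "UrlHost": "mail.example.test", "AuthenticatedUser": "alice", "UserAgent": "Apple-iPhone12C1/1901.1"},
    {"_time": 1713776400, "ClientIpAddress": "10.0.0.5", "host": "cas01", "IsAuthenticated": "true",
     "UrlHost": "mail.example.test", "AuthenticatedUser": "alice", "UserAgent": "Apple-iPhone12C1/1901.1"},
    # monitoring mailbox: excluded by "AuthenticatedUser"!="*Health*"
    {"_time": 1713772860, "ClientIpAddress": "127.0.0.1", "host": "cas01", "IsAuthenticated": "true",
     "UrlHost": "mail.example.test", "AuthenticatedUser": "HealthMailbox1a2b3c", "UserAgent": "AMProbe/Local/ClientAccess"},
    # carol: desktop Outlook, matched by the "%Microsoft Outlook%" branch
    {"_time": 1713780000, "ClientIpAddress": "10.0.0.7", "host": "cas02", "IsAuthenticated": "true",
     "UrlHost": "mail.example.test", "AuthenticatedUser": "carol",
     "UserAgent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.1234; Pro)"},
    # dave: user agent no branch knows -> case() yields null -> dropped by "stats ... by DeviceModel"
    {"_time": 1713783600, "ClientIpAddress": "10.0.0.9", "host": "cas02", "IsAuthenticated": "true",
     "UrlHost": "mail.example.test", "AuthenticatedUser": "dave", "UserAgent": "python-requests/2.31"},
    # erin: no UserAgent field at all -> DeviceModel "none", yet dropped because UserAgent is itself a by field
    {"_time": 1713787200, "ClientIpAddress": "10.0.0.11", "host": "cas02", "IsAuthenticated": "false",
     "UrlHost": "mail.example.test", "AuthenticatedUser": "erin"},
]


def splunk_like(value, pattern):
    """Splunk like(): '%' matches any run of characters, '_' exactly one; case-sensitive."""
    return fnmatchcase(value, pattern.replace("%", "*").replace("_", "?"))


# The case() branches in the exact order the query lists them: the first true branch wins.
DEVICE_RULES = [
    (lambda ua: ua is not None and splunk_like(ua, "Apple-iPhone%"), "iPhone Mail App"),
    (lambda ua: ua == "Outlook-iOS-Android/1.0", "Outlook for Mobile"),
    (lambda ua: ua is None, "none"),
    (lambda ua: ua is not None and splunk_like(ua, "MacOutlook%"), "Outlook for MACOSX"),
    (lambda ua: ua is not None and splunk_like(ua, "%Microsoft Outlook%"), "Outlook for Windows"),
]


def device_model(user_agent):
    """DeviceModel as the eval/case() would compute it; None mirrors Splunk's null."""
    for matches, label in DEVICE_RULES:
        if matches(user_agent):
            return label
    return None  # case() returns null when no condition holds


GROUP_FIELDS = ("ClientIpAddress", "host", "IsAuthenticated", "UrlHost",
                "AuthenticatedUser", "DeviceModel", "UserAgent")


def fmt(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")


def summarize_auth(events):
    """Return {group_key: (EarliestEvent, LatestEvent)} the way the stats clause reports it."""
    spans = {}
    for ev in events:
        user = ev.get("AuthenticatedUser")
        # field!=value in search keeps only events that have the field and whose value does not match
        if user is None or fnmatchcase(user.lower(), "*health*"):
            continue
        row = dict(ev, DeviceModel=device_model(ev.get("UserAgent")))
        if any(row.get(f) is None for f in GROUP_FIELDS):
            continue  # stats ... by drops events that lack any of the by fields
        key = tuple(row[f] for f in GROUP_FIELDS)
        lo, hi = spans.get(key, (row["_time"], row["_time"]))
        spans[key] = (min(lo, row["_time"]), max(hi, row["_time"]))
    return {k: (fmt(lo), fmt(hi)) for k, (lo, hi) in spans.items()}


if __name__ == "__main__":
    for key, (first, last) in summarize_auth(SAMPLE_EVENTS).items():
        print(key, first, last)
```

Two things the run makes visible: the Date and SortDate fields computed before stats do not survive it (only by fields and aggregates do), so they are omitted here; and because DeviceModel and UserAgent are both by fields, a client with an unrecognised user agent (dave) or with none at all (erin) never reaches the result table. If unknown clients are exactly what you want to see, add a catch-all branch to the case() and drop UserAgent from the by list.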