topic Splunk Citrix get-brokersession in Splunk Search

Splunk Citrix get-brokersession

kmm2 — Fri, 05 Jul 2024 14:37:03 GMT

I have a powershell script running get-brokersession which then exports the results to a txt file. The file is then forwarded via the Universal Forwarder. Trying to create a search that bases the output data via the session key. The Citrix add-on app is not allowed at our location.

Re: Splunk Citrix get-brokersession

yuanliu — Fri, 05 Jul 2024 20:54:24 GMT

To post an answerable question in this forum, it is important to illustrate your input, e.g., raw events (anonymize as needed), illustrate/mock desired output, then explain the logic between illustrated input and desired output including any relevant available fields, data characteristics, etc.

From your description, all volunteers here get is that you have some file ingested via Universal Forwarder and your data contains some sort of session key.

Re: Splunk Citrix get-brokersession

PickleRick — Sat, 06 Jul 2024 09:35:53 GMT

And your actual problem with this is...?

So far you told us what you're trying to do. OK, that's a sound approach if you can't use an app apparently containing some sort of scripted/modular input, you're spawning an external script preparing the data that you later ingest with monitor input from an intermediate file. Great.

Now how are we supposed to know what is in your data? And what is the desired result of your search?

Maybe for some very very common types of data (like standard windows event logs) one could expect a farily common knowledge about them but even then it's better to explicitly state your problem.

So - what _is_ your problem?

Re: Splunk Citrix get-brokersession

kmm2 — Mon, 08 Jul 2024 19:13:41 GMT

Thanks for the reply

Re: Splunk Citrix get-brokersession

kmm2 — Thu, 18 Jul 2024 19:26:22 GMT

When we run get-brokersession we have a txt file with time stamps in the txt file for events. We can not get the date and time to show up in splunk. We can get date only or time only. When we try to do both, the parsed data stops at a line where a timestamp is located with no output.

Re: Splunk Citrix get-brokersession

yuanliu — Thu, 18 Jul 2024 23:53:48 GMT

If you forwarder is not forwarding the complete file, there might be a problem with linebreaker. This has nothing to do with how to search. Getting Data In is a better forum.

Re: Splunk Citrix get-brokersession

kmm2 — Fri, 19 Jul 2024 16:53:47 GMT

The forwarder is forwarding. The information is broken up in splunk every time it comes across a line with a timestamp. Then a new field is created after the timestamp line until it hits another timestamp in the txt

Re: Splunk Citrix get-brokersession

yuanliu — Sat, 20 Jul 2024 16:56:24 GMT

Let's get back to basics: When your events are broken, using search technique to cope is the last thing to consider.

Can you post sample raw file, the exact event contents Splunk receives, and your properties.conf stanza corresponding to this sourcetype? Without data, volunteers have nothing to go on.

Re: Splunk Citrix get-brokersession

kmm2 — Wed, 07 Aug 2024 14:59:52 GMT

Trying to update the props/transform.conf so that I can created fields for the items listed on the left side of the image below.

FIELD_DELIMITER=:
FIELD_NAMES=myfield1,myfield2,myfield3,myfield4

Is what I am working with and have not had success