Hi all,

I would like to modify the \apps\Splunk_TA_windows\bin\win_listening_ports.bat script so that the netstat -anb command outputs the -b switch that shows the process executable. How do I do this? Any help would be greatly appreciated.


If you look at the results of the netstat -anb command you'll see it looks like this:

  Proto  Local Address          Foreign Address        State
  TCP         user-PC:64088          ESTABLISHED
  TCP         user-PC:64486          TIME_WAIT
  TCP         user-PC:64489          TIME_WAIT
  TCP         user-PC:64490          TIME_WAIT
  TCP         user-PC:64491          TIME_WAIT
  TCP         user-PC:49710          ESTABLISHED
  TCP         user-PC:50059          ESTABLISHED

Transforming that so that splunkd.exe is associated with the lines above it will require some line merging and maybe a must break after "]".

So your first step is simply modifying the script by changing line 19 to this:

 for /f "tokens=*" %%G in ('netstat -naob') do (call :output_ports "%%G")

We have to remove the | findstr /r "LISTENING" so that it will show lines above and below the lines that match "LISTENING".

At this point you can use SHOULD_LINEMERGE = True, and MUST_BREAK_AFTER = ]\n\r and EXTRACT-process = \[(?<process>.*)\] in your props.conf. You'll probably want to remove the column headers too with SEDCMD-removeHeaders = s/Proto.*//g
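As an added example (my own code, not from the answer above or the Splunk TA), this Python parser does offline what the line merge and EXTRACT-process are meant to do inside Splunk: it pairs each connection line of a constructed netstat -naob sample with the bracketed executable printed after it, then lists listening sockets per owning process. It assumes the standard netstat -b layout, where an unresolvable owner shows up as "Can not obtain ownership information" instead of a bracketed name.

```python
import re

# Constructed sample of `netstat -naob` output (not a real capture). With -b the
# owning executable is printed in brackets on the line *after* the connection,
# sometimes preceded by a service/component name or replaced by an error line.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.1.5:49712      52.1.2.3:443           ESTABLISHED     2568
 [splunkd.exe]
  UDP    0.0.0.0:5353           *:*                                    1234
 [chrome.exe]
"""

# Connection line: proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# Process line: the bracketed executable, same idea as the EXTRACT-process regex.
PROC_RE = re.compile(r"^\s*\[(?P<process>[^\]]+)\]\s*$")

def parse_netstat(text):
    """Attach each [process] line to the connection printed above it."""
    events = []
    for line in text.splitlines():
        conn = CONN_RE.match(line)
        if conn:
            proto, local, foreign, state, pid = conn.groups()
            events.append({"proto": proto, "local": local, "foreign": foreign,
                           "state": state, "pid": int(pid), "process": None})
            continue
        proc = PROC_RE.match(line)
        if proc and events:
            events[-1]["process"] = proc.group("process")
        # Service names and the ownership error are skipped, so process stays None.
    return events

def listening_by_process(events):
    """Group listening sockets (TCP LISTENING plus every bound UDP socket) by process."""
    out = {}
    for ev in events:
        if ev["proto"] == "TCP" and ev["state"] != "LISTENING":
            continue
        out.setdefault(ev["process"] or "<unknown>", []).append(f"{ev['proto']} {ev['local']}")
    return out
```

Running listening_by_process(parse_netstat(SAMPLE)) on the sample gives one entry per process, with the port whose owner netstat could not resolve filed under "<unknown>".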

Should I apply these changes to my global props.conf under \etc\local? Will the changes impact other applications?

Thank you! I will try this.

