I would like to modify the \apps\Splunk_TA_windows\bin\win_listening_ports.bat script so that the netstat -anb command outputs the -b switch that shows the process executable. How do I do this? Any help would be greatly appreciated.
If you look at the results of the netstat -anb command you'll see it looks like this:
Proto  Local Address    Foreign Address   State
TCP    127.0.0.1:8000   user-PC:64088     ESTABLISHED
[splunkd.exe]
TCP    127.0.0.1:8089   user-PC:64486     TIME_WAIT
TCP    127.0.0.1:8089   user-PC:64489     TIME_WAIT
TCP    127.0.0.1:8089   user-PC:64490     TIME_WAIT
TCP    127.0.0.1:8089   user-PC:64491     TIME_WAIT
TCP    127.0.0.1:8191   user-PC:49710     ESTABLISHED
[mongod.exe]
TCP    127.0.0.1:8191   user-PC:50059     ESTABLISHED
Transforming that so that splunkd.exe is associated with the lines above it will require some line merging and maybe a must break after "]".
So your first step is simply modifying the script by changing line 19 to this:
for /f "tokens=*" %%G in ('netstat -naob') do (call :output_ports "%%G")
We have to remove the | findstr /r "LISTENING" so that it will show lines above and below the lines that match "LISTENING".
At this point you can use the following in your props.conf:

SHOULD_LINEMERGE = True
MUST_BREAK_AFTER = ]\n\r
EXTRACT-process = \[(?<process>.*)\]

You'll probably want to remove the column headers too with

SEDCMD-removeHeaders = s/Proto.*//g
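As an added illustration of the parsing problem the answer above describes (this is example code written for this page, not part of the answer, of the Splunk_TA_windows add-on, or of the win_listening_ports.bat script), here is a standalone Python parser for netstat -anob output. It attaches each bracketed executable to the connection line that precedes it, keeps the PID column that -o adds, and handles the two cases that have no bracket line at all: PID 0 TIME_WAIT rows and the "Can not obtain ownership information" message netstat prints for the System process. The sample output embedded in the block is constructed for the example, not captured from a real host.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `netstat -anob` output for this example (not a real capture).
# netstat prints the owning executable in square brackets on the line *after* the
# connection line; for services a component name line may sit in between, and for
# PID 0 / PID 4 entries there is no bracket line at all.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       1234
 [splunkd.exe]
  TCP    127.0.0.1:8000         127.0.0.1:64088        ESTABLISHED     1234
 [splunkd.exe]
  TCP    127.0.0.1:8089         127.0.0.1:64486        TIME_WAIT       0
  TCP    127.0.0.1:8089         127.0.0.1:64489        TIME_WAIT       0
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  UDP    0.0.0.0:123            *:*                                    1180
 [svchost.exe]
"""

# A connection line: proto, local, foreign, optional state (UDP rows have none), PID.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
# The bracketed executable line that -b adds after each attributable connection.
EXE_RE = re.compile(r"^\s*\[(?P<process>[^\]]+)\]\s*$")
OWNERSHIP_MSG = "Can not obtain ownership information"


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn raw `netstat -anob` text into one record per connection.

    The bracketed executable is attached to the connection line that precedes it,
    so a connection with no bracket line keeps process=None instead of inheriting
    the next connection's executable.
    """
    records: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = {
                "proto": m["proto"],
                "local": m["local"],
                "foreign": m["foreign"],
                "state": m["state"] or "",   # UDP rows carry no state column
                "pid": int(m["pid"]),
                "process": None,
                "components": [],            # service component names, e.g. RpcSs
                "ownership_unavailable": False,
            }
            records.append(current)
            continue
        if current is None:
            continue  # banner and header lines before the first connection
        m = EXE_RE.match(line)
        if m:
            current["process"] = m["process"]
            continue
        stripped = line.strip()
        if stripped.startswith(OWNERSHIP_MSG):
            current["ownership_unavailable"] = True
        elif stripped and not stripped.startswith(("Proto", "Active")):
            current["components"].append(stripped)
    return records


def listening_ports(records):
    """Listening TCP sockets plus all UDP sockets, as (proto, local address, process)."""
    return [
        (r["proto"], r["local"], r["process"])
        for r in records
        if r["proto"] == "UDP" or r["state"] == "LISTENING"
    ]


def unattributed_listeners(records):
    """Listeners netstat could not tie to an executable; these deserve a second look."""
    return [
        r for r in records
        if (r["proto"] == "UDP" or r["state"] == "LISTENING") and r["process"] is None
    ]


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    for proto, local, proc in listening_ports(recs):
        print(f"{proto:<4} {local:<22} {proc or '<unknown>'}")
```

One point the parser makes visible: Splunk line merging with MUST_BREAK_AFTER on the closing bracket merges every line up to the next "]" into a single event, so rows that netstat prints with no bracket line (the PID 0 TIME_WAIT rows, and the System-process rows that get "Can not obtain ownership information" instead) end up in the same event as the next attributed connection. The parser above instead leaves process empty for those rows, and unattributed_listeners() lists the listening sockets that could not be tied to an executable, which is the set an inventory review usually wants to see first.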