
Splunk Add-on for Microsoft Windows: How to modify the Windows Listening Ports script?

Communicator

Hi all,

I would like to modify the \apps\Splunk_TA_windows\bin\win_listening_ports.bat script so that the netstat -anb command outputs the -b switch that shows the process executable. How do I do this? Any help would be greatly appreciated.

James

0 Karma

SplunkTrust

If you look at the results of the netstat -anb command you'll see it looks like this:

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:8000         user-PC:64088          ESTABLISHED
 [splunkd.exe]
  TCP    127.0.0.1:8089         user-PC:64486          TIME_WAIT
  TCP    127.0.0.1:8089         user-PC:64489          TIME_WAIT
  TCP    127.0.0.1:8089         user-PC:64490          TIME_WAIT
  TCP    127.0.0.1:8089         user-PC:64491          TIME_WAIT
  TCP    127.0.0.1:8191         user-PC:49710          ESTABLISHED
 [mongod.exe]
  TCP    127.0.0.1:8191         user-PC:50059          ESTABLISHED

Transforming that so that splunkd.exe is associated with the lines above it will require some line merging and maybe a must break after "]".

So your first step is simply modifying the script by changing line 19 to this:

 for /f "tokens=*" %%G in ('netstat -naob') do (call :output_ports "%%G")

We have to remove the | findstr /r "LISTENING" so that it will show lines above and below the lines that match "LISTENING".

At this point you can use SHOULD_LINEMERGE = True, MUST_BREAK_AFTER = ]\n\r and EXTRACT-process = \[(?<process>.*)\] in your props.conf. You'll probably want to remove the column headers too with SEDCMD-removeHeaders = s/Proto.*//g

0 Karma
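To see what the line merging described in the answer actually produces before touching props.conf, here is an added example (not from the original thread and not part of the Splunk add-on) that emulates it in Python: it splits constructed netstat -anob output into events that end at a "]" line, pulls the process name out of the brackets, and parses each connection line. The sample output and the function names are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -anob` output (not a real capture).
# -o adds the PID column; -b prints the owning executable on the line after
# the connection(s), and prints nothing for sockets it cannot attribute.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:8000         127.0.0.1:64088        ESTABLISHED     4120
 [splunkd.exe]
  TCP    127.0.0.1:8089         127.0.0.1:64486        TIME_WAIT       0
  TCP    127.0.0.1:8191         127.0.0.1:49710        ESTABLISHED     5012
 [mongod.exe]
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       4120
 [splunkd.exe]
  UDP    0.0.0.0:5353           *:*                                    1234
 [svchost.exe]
"""

# One connection line: proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# Same capture as the EXTRACT-process regex in the answer.
PROCESS_RE = re.compile(r"\[(?P<process>[^\]]+)\]")
# Header lines the SEDCMD in the answer would strip.
HEADER_RE = re.compile(r"^\s*(Active Connections|Proto\s)")


def split_events(text: str) -> List[str]:
    """Emulate SHOULD_LINEMERGE = true with MUST_BREAK_AFTER on ']':
    every line joins the current event, which closes after a line ending in ']'."""
    events: List[str] = []
    current: List[str] = []
    for line in text.splitlines():
        if not line.strip() or HEADER_RE.match(line):
            continue
        current.append(line)
        if line.rstrip().endswith("]"):
            events.append("\n".join(current))
            current = []
    if current:  # trailing connection lines with no owner line at all
        events.append("\n".join(current))
    return events


def parse_event(event: str) -> Dict:
    """Return the process named in the event and every connection line in it."""
    m = PROCESS_RE.search(event)
    connections = [
        c.groupdict() for c in (CONN_RE.match(line) for line in event.splitlines()) if c
    ]
    return {"process": m.group("process") if m else None, "connections": connections}


def parse_events(text: str) -> List[Dict]:
    return [parse_event(e) for e in split_events(text)]


def listening_ports(text: str) -> List[Tuple[str, str, str]]:
    """Restore the original script's LISTENING-only view, now with the process name."""
    return [
        (ev["process"], c["local"], c["pid"])
        for ev in parse_events(text)
        for c in ev["connections"]
        if c["state"] == "LISTENING"
    ]


if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev["process"], [c["local"] for c in ev["connections"]])
    print(listening_ports(SAMPLE))
```

Running it on the sample shows the caveat of breaking only on "]": the TIME_WAIT line, which netstat printed with no owner, lands in the same event as mongod.exe and would be attributed to it in Splunk. Filtering on State, as listening_ports does, or checking the PID column against the bracket line, keeps the listening-port inventory accurate.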

Communicator

Should I apply these changes to my global props.conf under \etc\local? Will the changes impact other applications?

0 Karma

Communicator

Thank you! I will try this.

0 Karma