
Splunk Add-on for Microsoft Windows: How to modify the Windows Listening Ports script?


Hi all,

I would like to modify the \apps\Splunk_TA_windows\bin\win_listening_ports.bat script so that the netstat -anb command outputs the -b switch that shows the process executable. How do I do this? Any help would be greatly appreciated.




If you look at the results of the netstat -anb command you'll see it looks like this:

  Proto  Local Address          Foreign Address        State
  TCP         user-PC:64088          ESTABLISHED
  TCP         user-PC:64486          TIME_WAIT
  TCP         user-PC:64489          TIME_WAIT
  TCP         user-PC:64490          TIME_WAIT
  TCP         user-PC:64491          TIME_WAIT
  TCP         user-PC:49710          ESTABLISHED
  TCP         user-PC:50059          ESTABLISHED

Transforming that so that splunkd.exe is associated with the lines above it will require some line merging and maybe a must break after "]".

So your first step is simply modifying the script by changing line 19 to this:

 for /f "tokens=*" %%G in ('netstat -naob') do (call :output_ports "%%G")

We have to remove the | findstr /r "LISTENING" so that it will show lines above and below the lines that match "LISTENING".

At this point you can use the following in your props.conf:

  SHOULD_LINEMERGE = True
  MUST_BREAK_AFTER = ]\n\r
  EXTRACT-process = \[(?<process>.*)\]

You'll probably want to remove the column headers too with SEDCMD-removeHeaders = s/Proto.*//g

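Added example, not code from the add-on or from the answer above: a small Python parser that does offline what the SHOULD_LINEMERGE / EXTRACT-process settings do inside Splunk, pairing each TCP/UDP line of netstat -anob output with the [process.exe] line that follows it (and with the service name or "Can not obtain ownership information" line when one appears). The netstat sample is constructed, and the field names (proto, local, foreign, state, pid, process, component) are my own choice, not the add-on's.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `netstat -anob` output; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       2468
 [splunkd.exe]
  TCP    192.168.1.5:49710      10.0.0.8:8089          ESTABLISHED     2468
 [splunkd.exe]
  TCP    192.168.1.5:64486      10.0.0.8:443           TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    1104
  IKEEXT
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
"""

# A connection line: proto, local, foreign, optional state (UDP has none), PID.
CONNECTION_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# The owner line netstat -b prints under a connection, e.g. " [splunkd.exe]".
PROCESS_RE = re.compile(r"^\s*\[(?P<process>[^\]]+)\]\s*$")

Record = Dict[str, Optional[str]]


def parse_netstat(text: str) -> List[Record]:
    """Merge each connection line with the owner lines that follow it."""
    records: List[Record] = []
    current: Optional[Record] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONNECTION_RE.match(line)
        if m:
            # A new TCP/UDP line starts a new record (the "break" point).
            current = m.groupdict()
            current["process"] = None
            current["component"] = None
            records.append(current)
            continue
        if current is None:
            continue  # "Active Connections" and the column header
        p = PROCESS_RE.match(line)
        if p:
            current["process"] = p.group("process")
        else:
            # Service/component name, or netstat's ownership error text.
            current["component"] = line
    return records


def listening_ports(records: List[Record]) -> List[Record]:
    """Keep only listeners, the subset the original script reported."""
    return [r for r in records if r["state"] == "LISTENING"]


def to_kv(record: Record) -> str:
    """Render one merged record as a single key="value" event line."""
    return " ".join(f'{k}="{v}"' for k, v in record.items() if v is not None)


if __name__ == "__main__":
    for rec in listening_ports(parse_netstat(SAMPLE_NETSTAT)):
        print(to_kv(rec))
```

Each record is emitted as one line, so nothing downstream has to re-merge events; the UDP case (no State column) and the "Can not obtain ownership information" case (no process name at all) are both handled, which is where a naive "merge until ]" rule tends to drop data.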


Should I apply these changes to my global props.conf under \etc\local? Will the changes impact other applications?



Thank you! I will try this.
