[osquery App v1.0] Sending results via TCP (Forwar...

aboggarapu · ‎07-18-2018

Following is the sample data:
{"hostIdentifier": "8AF4BC60-D83D-11DD-B08C-10BF487F7CD8", "created": "2018-07-18T10:22:47.767220", "action": "added", "@timestamp": "2018-07-18T10:22:42", "@version": 1, "log_type": "result", "columns": {"uid": "544", "pid": "30176", "resident_size": "28192768", "sgid": "-1", "suid": "-1", "total_size": "2203514335232", "state": "", "gid": "544", "cwd": "c:\programdata\osquery\osqueryd\osqueryd.exe", "user_time": "1", "nice": "8", "parent": "4504", "start_time": "1531909358", "threads": "26", "euid": "-1", "pgroup": "-1", "path": "c:\programdata\osquery\osqueryd\osqueryd.exe", "system_time": "0", "name": "osqueryd.exe", "cmdline": "c:\programdata\osquery\osqueryd\osqueryd.exe --flagfile osquery.flags", "on_disk": "1", "disk_bytes_written": "", "egid": "-1", "wired_size": "15138816", "root": "c:\programdata\osquery\osqueryd\osqueryd.exe", "disk_bytes_read": ""}, "name": "polylogyx"}

Is there any document on what exactly the format should be? Like the date and time format of "created" attribute.

[osquery App v1.0] Sending results via TCP (Forwarder) in JSON format but Dashboard has no data for visualization

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?