I am working with event data in Splunk where each event contains a command with multiple arguments. I'm extracting these arguments and their associated values using regex, resulting in multi-value fields within Splunk. However, I'm encountering a challenge where some arguments do not have an associated value, and for these cases, I would like to set their values to `true`. Here's the SPL I'm using for extraction: | rex max_match=0 field=Aptlauncher_cmd "\s(?<flag>--?[\w\-.@|$|#]+)(?:(?=\s--?)|(?=\s[\w\-.\/|$|#|\"|=])\s(?<value>[^\s]+))?" What I need is to refine this SPL so that after extraction, any argument without a value is automatically assigned a value of `true`. After setting the default values, I would then like to use `mvexpand` to separate each argument-value pair into its own event. Could you provide guidance on how to adjust my regex or SPL command to accomplish this within Splunk?

We have a splunk query that pulls down a list of values daily.  We are looking to see if we can use splunk to find the field value that is new today, but was not present yesterday, and show in a stats table. How can this be accomplished?  The idea is.. Yesterday - splunk db connect query pulls back a result of 5 log lines, all containing the field "name". field= name values - Bob, Kat, Abe, Doug, Sam Today - splunk db connect query pulls back a result of 6 log lines, all containing field "name". field= name values - Bob, Kat, Abe, Doug, Sam, Jim(new value found) So would like to show a stats table or alert that would let us know "Jim" is a new field value for name that did not exist yesterday.    

I've been working to recreate a query in Splunk from Microsoft Defender Endpoint that shows what files users have copied to USB Drives. The query works like this: Step 1: Get all file USB Mount Events Step 2: Get all file creation events on drives that are not C.  Step 3: Join the above two datasources by Device ID.  Step 4: Match drive letters and make sure the USB Mount time is less than File Create time.  Here's Microsoft's query: Microsoft-365-Defender-Hunting-Queries/Exfiltration/Files copied to USB drives.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries · GitHub In Splunk I get to step three and then I'm not able to filter values based on that. Below is my query so far. Any suggestions would be helpful.  index=atp category="AdvancedHunting-DeviceFileEvents" properties.InitiatingProcessAccountName!="system" properties.ActionType="FileCreated" properties.FolderPath!="C:\\*" properties.FolderPath!="\\*" | fields properties.ReportId, properties.DeviceId, properties.InitiatingProcessAccountDomain, properties.InitiatingProcessAccountName, properties.InitiatingProcessAccountUpn, properties.FileName, properties.FolderPath, properties.SHA256, properties.Timestamp, properties.SensitivityLabel, properties.IsAzureInfoProtectionApplied | rename properties.ReportId as ReportId, properties.DeviceId as DeviceId, properties.InitiatingProcessAccountDomain as InitiatingProcessAccountDomain, properties.InitiatingProcessAccountName as InitiatingProcessAccountName, properties.InitiatingProcessAccountUpn as InitiatingProcessAccountUpn, properties.FileName as FileName, properties.FolderPath as FolderPath, properties.SHA256 as SHA256, properties.Timestamp as Timestamp, properties.SensitivityLabel as SensitivityLabel, properties.IsAzureInfoProtectionApplied as IsAzureInfoProtectionApplied | eval Timestamp_epoch = strptime (Timestamp, "%Y-%m-%dT%H:%M:%S.%6N%Z") | sort DeviceId, Timestamp desc | join type=inner left=L right=R where L.DeviceId = R.DeviceId [search index=atp category="AdvancedHunting-DeviceEvents" properties.ActionType="UsbDriveMounted" | spath input=properties.AdditionalFields | fields properties.DeviceId, properties.DeviceName, DriveLetter, properties.Timestamp, ProductName, SerialNumber, Manufacturer | sort properties.DeviceId, properties.Timestamp desc | rename properties.DeviceId as DeviceId, properties.DeviceName as DeviceName, properties.Timestamp as MountTime | eval MountTime_epoch = strptime (MountTime, "%Y-%m-%dT%H:%M:%S.%6N%Z") ] | table L.FolderPath,R.DriveLetter, R.MountTime, R.MountTime_epoch, L.Timestamp, L.Timestamp_epoch      

Hello, Where does Splunk get the data from CrowdStrike to form the Splunk drilldown dashboards under Detections and Events called "CrowdStrike Detections Allowed/Blocked Breakdown" and "CrowdStrike Events Allowed/Blocked Breakdown"? My confusion is that in CrowdStrike Falcon console I don't see the terms "Blocked/Allowed" being used for detections or events and I need to know how Splunk is correlating those drilldown dashboard sections to CrowdStrike? What data does Splunk use from CrowdStrike to create those Blocked/Allowed sections in Splunk?

Hey Everyone! We just started using Splunk ES, we just got it up and running fairly well and I have a couple questions hopefully I could get some guidance on or maybe a point in the right direction. I would like to somehow setup the ability for analyst to be able to run local scripts in the adaptive response that use dynamic user input as variables to query external APIs. Another scenario, I was hoping we could use, would be using specific tokens/fields as the dynamic variable for these scripts and just give the analyst the output in the adaptive response when they are ran. Are any of these scenarios possible with ES we have tried to find a way to do this but so far have not come up with any successful implementation. Is there any documentation on implementing something like this? Any help would be very much appreciated!