Hi, Thanks, it appeared that the logic was ok but instead the problem was with the condition with the file path (that was lacked double back slashes). Any way, i will accept the answer as it helped me realize that the logic was ok. Thanks again. ... View more

I think i had problems with the condition itself. I had a path inside and didn't use "\". Thanks all ! ... View more

I need both terms to exist, so this is not exactly what i need. ... View more

I want to exclude events with both my terms, means if both x=3 and b=3 than the event will be excluded. ... View more

Hi David, Thanks for your response. I already tried using the _audit index but it seems to have a lot of irrelevant events too, and in addition it doesn't contain some actions (for example, i created a report and search for the event in _audit and it wasn't there by the name of the search). The actions that i am looking for are on objects like (reports, alerts, indexes, lookups, DM, correlation searches, sourcetypes, etc..) ... View more

I want to correct myself. I get the same logs on the machine that it does work on. So the reason is apparently something else. But i still can't seem to find the problem. ... View more

So do you know what may be the reason that eventgen can't generate events from other apps files ? On the other machine that works fine i don't get those logs. ... View more

If you will look closely, there is "ERROR ExecProcessor". There is disabled=1 for specific stanzas. I did the same process on another machine without any further configurations and it worked fine. In addition the problem is not just with symantec, but with every other app with eventget.conf I just need to fix this in the other machine (it is not an option to replace it). Thanks ... View more

It is a really long file, it is the default of the "Splunk_TA_symantec-ep". ... View more

Of course: # Copyright (C) 2005-2015 Splunk Inc. All Rights Reserved. # DO NOT EDIT THIS FILE! # Please make all changes to files in $SPLUNK_HOME/etc/apps/SA-Eventgen/local. # To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/SA-Eventgen/default # into ../local and edit there. # ## IMPORTANT! Do not specify any settings under a default stanza ## The layering system will not behave appropriately ## Use [global] instead [default] [global] disabled = false debug = false verbosity = false spoolDir = $SPLUNK_HOME/var/spool/splunk spoolFile = <SAMPLE> breaker = [^\r\n\s]+ mode = sample sampletype = raw interval = 60 delay = 0 timeMultiple = 1 count = -1 earliest = now latest = now randomizeEvents = false outputMode = modinput fileMaxBytes = 10485760 fileBackupFiles = 5 splunkPort = 8089 splunkMethod = https index = main source = eventgen sourcetype = eventgen host = 127.0.0.1 generator = default rater = config generatorWorkers = 1 outputWorkers = 1 timeField = _raw threading = thread profiler = false maxIntervalsBeforeFlush = 3 maxQueueLength = 0 useOutputQueue = false autotimestamps = [["\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}", "%Y-%m-%d %H:%M:%S"], ["\\d{1,2}\\/\\w{3}\\/\\d{4}\\s\\d{2}:\\d{2}:\\d{2}:\\d{1,3}", "%d/%b/%Y %H:%M:%S:%f"], ["\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}", "%Y-%m-%dT%H:%M:%S.%f"], ["\\d{1,2}/\\w{3}/\\d{4}\\s\\d{2}:\\d{2}:\\d{2}:\\d{1,3}", "%d/%b/%Y %H:%M:%S:%f"], ["\\d{1,2}/\\d{2}/\\d{2}\\s\\d{1,2}:\\d{2}:\\d{2}", "%m/%d/%y %H:%M:%S"], ["\\d{2}-\\d{2}-\\d{4} \\d{2}:\\d{2}:\\d{2}", "%m-%d-%Y %H:%M:%S"], ["\\w{3} \\w{3} +\\d{1,2} \\d{2}:\\d{2}:\\d{2}", "%a %b %d %H:%M:%S"], ["\\w{3} \\w{3} \\d{2} \\d{4} \\d{2}:\\d{2}:\\d{2}", "%a %b %d %Y %H:%M:%S"], ["^(\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})", "%b %d %H:%M:%S"], ["(\\w{3}\\s+\\d{1,2}\\s\\d{1,2}:\\d{1,2}:\\d{1,2})", "%b %d %H:%M:%S"], ["(\\w{3}\\s\\d{1,2}\\s\\d{1,4}\\s\\d{1,2}:\\d{1,2}:\\d{1,2})", "%b %d %Y %H:%M:%S"], ["\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}\\.\\d{3}", "%Y-%m-%d %H:%M:%S.%f"], ["\\,\\d{2}\\/\\d{2}\\/\\d{2,4}\\s+\\d{2}:\\d{2}:\\d{2}\\s+[AaPp][Mm]\\,", ",%m/%d/%Y %I:%M:%S %p,"], ["^\\w{3}\\s+\\d{2}\\s+\\d{2}:\\d{2}:\\d{2}", "%b %d %H:%M:%S"], ["\\d{2}/\\d{2}/\\d{4} \\d{2}:\\d{2}:\\d{2}", "%m/%d/%Y %H:%M:%S"], ["^\\d{2}\\/\\d{2}\\/\\d{2,4}\\s+\\d{2}:\\d{2}:\\d{2}\\s+[AaPp][Mm]", "%m/%d/%Y %I:%M:%S %p"], ["\\d{2}\\/\\d{2}\\/\\d{4}\\s\\d{2}:\\d{2}:\\d{2}", "%m-%d-%Y %H:%M:%S"], ["\\\"timestamp\\\":\\s\\\"(\\d+)", "%s"], ["\\d{2}\\/\\w+\\/\\d{4}\\s\\d{2}:\\d{2}:\\d{2}:\\d{3}", "%d-%b-%Y %H:%M:%S:%f"], ["\\\"created\\\":\\s(\\d+)", "%s"], ["\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}", "%Y-%m-%dT%H:%M:%S"], ["\\d{1,2}/\\w{3}/\\d{4}:\\d{2}:\\d{2}:\\d{2}:\\d{1,3}", "%d/%b/%Y:%H:%M:%S:%f"], ["\\d{1,2}/\\w{3}/\\d{4}:\\d{2}:\\d{2}:\\d{2}", "%d/%b/%Y:%H:%M:%S"]] autotimestamp = false httpeventWaitResponse = true disableLoggingQueue = true This is the default eventgen.conf of the eventgen app. The symantec eventgen.conf is also the one shipped with the add on. Thanks ... View more

Thanks for your response. It is not what i was looking for exactly. The problem is only with "from" command. tstats command can be used with time modifiers. Also i have splunk cloud so it is a bit of a problem to add the macros to the file. ... View more

So frustrating ... View more

Did you managed to do it ? I also have issues with adding this taxii feeds to the ES. ... View more

I don't want the selection to be base on the time picker, but it does it any way (i get "7,966 events (8/25/19 2:01:19.000 PM to 8/25/19 2:16:19.000 PM") instead of a time window of 24 hours). I am familiar with this command, but i still have to use "from datamodel". I already checked the permissions, i have all necessary ones. The two systems a a bit different. Both in aspect of cloud vs enterprise and versions 7.0.9.1 vs 7.3 ... View more

Yes this is exactly what i say. I have to use from datamodel and not tstats any way. The most weird thing is that the original query does work on other system. ... View more

I ran your query and it also doesn't refer to the time inside the query, but to the time in the time picker. time picker set to 15 minutes. "| tstats values FROM datamodel=internal_server where nodename=server.scheduler.alerts earliest_time=-24h latest_time=now()" Complete 7,966 events (8/25/19 2:01:19.000 PM to 8/25/19 2:16:19.000 PM) ... View more

I added two pics. You can see there that the data model has a _time field. Also when i table the results by _time i have results. ... View more

Doesn't work either. ... View more