\d+\-\d+\-\d+T\d+\:\d+\:\d+\+\d+\:\d+ also: https://regex101.com/ ... View more

I don't think the regex is correct, it looks like it might be capturing leading whitespace, try Time\s+taken\s+to\s+process\s+(?<recNum>\d+)\s+records\s+(?<recDuration>\d+)ms and see if it helps. Also, this might be overkill, but I like to be explicit in my SPL so I would do the following in the eval | eval aveDuration=('recDuration'/'recNum') ... View more

If you have access to an Azure environment there is a better way to get O365 logs by passing them through Azure than using an API based app: https://answers.splunk.com/answers/678660/how-to-get-logs-from-azure-and-o365-into-splunk.html ... View more

can you just post it to your question? ... View more

try the change in the regex and see if that helps ... View more

they look like they are breaking ok, can you expand one of the 258 line ones? ... View more

Are you just trying to set the path for the inputs including the hostname such as "ServerA"? If so then just use a wildcard in the stanza:https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf?utm_source=answers&utm_medium=in-question&utm_term=inputs.conf&utm_campaign=refdoc#MONITOR: Note concerning wildcards and monitor: * You can use wildcards to specify your input path for monitored inputs. Use "..." for recursive directory matching and "*" for wildcard matching in a single directory segment. * "..." recurses through directories. This means that /foo/.../bar matches foo/1/bar, foo/1/2/bar, etc. * You can use multiple "..." specifications in a single input path. For example: /foo/.../bar/... * The asterisk (*) matches anything in a single path segment; unlike "...", it does not recurse. For example, /foo/*/bar matches the files /foo/1/bar, /foo/2/bar, etc. However, it does not match /foo/bar or /foo/1/2/bar. A second example: /foo/m*r/bar matches /foo/mr/bar, /foo/mir/bar, /foo/moor/bar, etc. It does not match /foo/mi/or/bar. * You can combine "*" and "..." as needed: foo/.../bar/* matches any file in the bar directory within the specified path. ... View more

Try this for help: https://regex101.com/ ... View more

post a sample of your data please ... View more

This site is the best for working with Windows logs:https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624 🙂 If you are trying to track "sessions" and cannot rely on the presence of a 4624/4634 pair then you can also use "Logon ID" and take the latest timestamp from any EventCode for which the user's Logon ID is present as your logoff time. The main problem is that you have no idea what your time bucket for building this is...do user sessions last hours, days, weeks...how much data do you need to search to build sessions for users? I would even question the entire premise of tracking user sessions...assuming you use weekly data sets and can build a semi-decent table of user sessions..then what? It's a hard problem, and it comes up all the time, and sometimes I just wonder...why, what is the actual value? 😄 Cheers...(longtime SIEM detection engineer and lover/hater of Windows Event Logs!) ... View more

Try this regex Host:\s+(?<dest_ip>[\d\.]*)\s*\((?<dest_host>\S*)\)\s+Status:\s+(?<status>[Up|Down]+) Additionally, a sample of the events from Splunk, not just the actual nmap output, would be helpful, I wonder if your event breaking is working correctly or not. ... View more

and a sample of your data ... View more

Does adding _time at the end of your by id clause help? by id _time ... View more

Have you tried the MetaData::Host key? https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf?utm_source=answers&utm_medium=in-question&utm_term=transforms.conf&utm_campaign=refdoc#KEYS: ... View more

You can change your UI preferences to display in UTC, that would be the fastest, most simple, and most comprehensive solution. Otherwise, you can rename your eval timestamp DisplayUtcTime as _time then run timechart and it will use the value you set in DisplayUtcTime as _time in timechart. ... View more

please post your inputs and your effective props configs ... View more

can you post your dashboard html and a screenshot of what you are trying to do, also take a look at this post changing both the value and the trend: https://answers.splunk.com/answers/583539/can-we-set-two-different-colors-for-single-value-a.html ... View more

convert the time in the lookup to epoch and use math to do the "now minus 1 week" calculation base search that makes the lookup |convert mktime(myTime) myTime now yay/nay ------------- ---------- ------- 1,564,439,062 1565648785 nay 1,565,043,862 1565648785 yay base search that uses the lookup later | where 'myTime'>=now()-604800 *this is pseudo code/spl...some syntax fixing might be necessary ... View more

This is what I would do: Host OS Windows with Splunk Enterprise installed and local Windows event logs collected (can configure easy from the UI) Guest OS *nix with Universal Forwarder installed and *nix TA setup to collect local logs and forward them to the enterprise install on the host You can vary this if you prefer a Host on Mac or *nix you can put Windows on the VM. Here is a link to create free Windows 10 installations: https://www.microsoft.com/en-us/software-download/windows10 This setup also supports playing around with Deployment Server since you have a forwarder you can manage "remotely". ... View more

here it is: https://answers.splunk.com/answers/741035/how-to-index-evtx-files-exported-from-a-windows-sy.html needs updated already too... ... View more

yeah...it does, unfortunately at this current job I no longer have access to the config files...I believe our admins at least start with stock TA/app deployments and customize to hell 😛 but I would say, if you have a stock TA/app and its weird, you could comment out the problem statements in the stock version then just make a quick custom app with only the things you need in it for example you could make an app directory custom_$tech$, custom_mcafee_epo, and then drop local and metadata directories in and just the *.conf files you need in each plus the local.meta file I could have sworn I had a post about making an IR app that gives you a nice little app shell...cant find it now sorry! ... View more

well, this was the GUI based statement i was building off of...tweak the pre-pended syntax to make it a props.conf config: EVAL-action = ... ... View more

here is the props.conf statement I used to cobble together a decent "action" field: | eval action=replace((replace((replace((case( 'ProductFamily'=="UDLP" OR match(lower('event_description'),"on-") OR match(lower('event_description'),"dll") OR match(lower('event_description'),"oss") OR match(lower('event_description'),"svm") OR match(lower('event_description'),"^scan") OR match(lower('event_description'),"policy") OR match(lower('event_description'),"service") OR match(lower('event_description'),"deferred") OR match(lower('event_description'),"update") OR match(lower('event_description'),"mcafee security") OR match(lower('event_description'),"protection \w+abled") OR (match(lower('event_description'),"move") AND 'threat_handled'=="0"),lower('event_description'), match(lower('event_description'),"pending") OR match(lower('event_description'),"unable to") OR match(lower('event_description'),"not blocked") OR match(lower('event_description'),"would delete") OR match(lower('event_description'),"delete on reboot") OR (match(lower('event_description'),"handled") AND 'threat_handled'=="0") OR (match(lower('event_description'),"spam") AND match(lower('vendor_action'),"clean")) OR (match(lower('event_description'),"failed") AND NOT match(lower('event_description'),"deleted")) OR (match(lower('event_description'),"browser") AND NOT match(lower('ThreatName'),"web control violation")),"allowed", match(lower('event_description'),"spam") OR match(lower('event_description'),"denied") OR match(lower('event_description'),"blocked") OR match(lower('event_description'),"handled") OR match(lower('event_description'),"deleted") OR match(lower('event_description'),"cleaned") OR match(lower('event_description'),"browser") OR match(lower('event_description'),"quarantine") OR (match(lower('event_description'),"detected") AND 'threat_handled'=="1"),"blocked", isnotnull('event_description'),lower('event_description'), isnull('event_description'),"none")),",","")),"\.","")),";","") ... View more

you needs to post your props.conf config and a sample data set and a sample of the truncated events ... View more