We have an issue with pan:threat in our dev environment having fields that end like this \”, What this does is escape the “ so the field isn’t closed, and it grabs extra.  For example, An example event Jun 20 09:45:17 pan_firewall 1,2023/06/20 09:45:17,016201006029,THREAT,url,2561,2023/06/20 09:45:17,10.10.10.10,11.11.11.11,12.12.12.12,13.13.13.13,Internal-Gateway-Client-Connect,,,web-browsing,vsys1,inside,inside,ethernet1/2,ethernet1/2,Shared_Log_Fwd,2023/06/20 09:45:17,633045,1,55384,443,55384,20077,0x140b000,tcp,alert,"pan_firewall/default.asp\",(9999),PAN-Allowed-Sites,informational,client-to-server,7237130175635929631,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,1,,,,,,,,0,29,50,52,0,vsys1,pan_firewall,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,," PAN-Allowed-Sites,health-and-medicine,low-risk",27b923e5-b821-4544-8790-5eb413f7ed4a,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2023-06-20T09:45:17.691+00:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no url = ,"pan_firewall/default.asp\",(9999),PAN-Allowed-Sites,informational,client-to-server,7237130175635929631,0x8000000000000000,10.0.0.0-10.255.255.255,United States,,,0,,,1,,,,,,,,0,29,50,52,0,vsys1,pan_firewall,,,,get,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,," PAN-Allowed-Sites category = low-risk",27b923e5-b821-4544-8790-5eb413f7ed4a,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2023-06-20T09:45:17.691+00:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware I’ve tried multiple SEDCMD to change the \”, so it is something else, but even though it is in btool the events still have the \", /data/splunk/hot/apps/splunk/etc/apps/Splunk_TA_paloalto/default/props.conf                  SEDCMD-palo_alto_remove_backslah = s/\\\",/\\ \",/g I did see the recommendation to send to an HF, but this data arrives via syslog and then goes to the indexers.  The regex works in the various tools I've tried.  Data is somewhat anonymized.  Any suggestions? TIA, Joe ... View more

Hi All, I'm getting the below   splunk add oneshot ./kaseya.txt -index main -sourcetype asset‌☁️‌kaseya-edge:agent ERROR: certificate validation: self signed certificate in certificate chain Couldn't complete HTTP request: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed   Since I'm working on my development laptop, I don't care if this is signed or not.  What I need is a way of stopping the error. TIA, Joe ... View more

I'm working with Proofpoint Threat Response events that are being sent to our instance of Splunk using an HEC connection.  The part of the threat response event   u'incident_field_values': [{u'name': u'Severity', u'value': u'Informational'},   The raw Splunk event   "incident field values": [{"name": "Severity", "value": "Informational"},   As far as I know the HEC shouldn't do any translation so how did incident_field_values become the same name using spaces instead of underscores?  The version is 7.3.6. TIA, Joe ... View more

I'm working with a data source that has two different versions.  In one version the information is double quoted while the other version is single quoted.  This is causing me issues because the single quoted information will still have the single quotes while the double quoted won't have any quotes.  This is throwing counts off since the single quoted string and the unquoted string are not the same.  Without using SEDCMD since we want the actual raw source, I've been trying to work out how to do this.  I've got this in a search search | eval raw=_raw | rex field=raw mode=sed "s/\'/\"/g" | rex field=raw "\[(?<audit_event>[^\:]+)\:(?<vendor_severity>[^\:]+).+(?<vendor_xml>\<vendor.+\<\/vendor\>)" Now I'm trying to convert it to props and transforms.  My props.conf EXTRACT-vendor_raw = (?<raw>^.*$) REPORT-vendor_extract_fields = vendor_replace_single_quotes, vendor_fields KV_MODE = xml My transforms.conf [vendor_replace_single_quotes] [vendor_fields] REGEX = \[(?<audit_event>[^\:]+)\:(?<vendor_severity>[^\:]+).+(?<vendor_xml>\<vendor.+\<\/vendor\>) SOURCE = raw What I can't figure out is how do the replace like in the search either in props.conf or transforms.conf.  Everything I've found uses the SEDCMD.  Any thoughts on this? TIA, Joe ... View more