I perform a search that has results like the following where dest_port is a multivalued field: There are three fields in the results: _time, dest_ip, and dest_port. The results look like: 1/1/11, 192.168.2.200, 80 139 445 8000 9997 (the dest_port field is multivalued) 1/8/11, 192.168.2.200, 22 443 139 445 9997 So, in this example, after one week, ports 80 and 8000 were not present in the results and ports 443 and 22 newly appeared. How do I write a search that will list the ports that are present in the first event but not the second? How do I write a search that will list the ports that are present in the second event and not in the first event? The search results will contain multiple events, so I don't think the diff command will work since you have to statically define pos1 and pos2. I can use the dedup command to ensure that only the two most recent events for each host are present in the search results, but I don't know how to compare the contents of the multi-value dest_port field by dest_ip. Thanks! Craig ... View more

Let's say I have a table that looks like the following: Date Host Port 1/1/2011 HostA 80 1/2/2011 HostA 80 1/3/2011 HostA 80 1/1/2011 HostB 443 1/2/2011 HostB 443 1/3/2011 HostB 443 How do I filter my table so that only the two most recent events for each host/port combination is displayed? Thx. Craig ... View more

Is it possible to make a lookup run only when the value of a field is null or some other value? Thx. Craig ... View more

I have events that have two multivalue fields, field1 and field2. They look like this: Field1 Field2 12345 12345 23456 34567 45678 45678 How do I combine those fields to get all of the unique values from both of them into a single multivalue field? The result I want is: Field3 12345 23455 34567 45678 Thanks. Craig ... View more

I've created a lookup table that has three fields, nessus_id,osvdb_id,cve_id. The osvdb_id and cve_id fields are multivalued, delimited by a ",". So, the contents of a multivalued cve_id field in lookup table might look like: 2010-0002,2009-4583,2008-8732 I have an event that has a single value for the cve_id field. If that event has a cve_id=2009-4583 and I run a lookup on that table with an input value of cve_id and an output value of nessus_id,osvdb_id, will that lookup return the values in the table for those fields? If Splunk can run lookups on tables with multivalued fields, how do you deal with the delimter? Thx. Craig ... View more

I'm trying to monitor the registry and filter on a few critical keys. When I look at the events, I'm seeing events from outside the keys specified in my filters. Not sure what the problem is... Here is my sysmon.conf: [RegistryMonitor] filter_file_name = regmon-filters event_types = set.<em>|create.</em>|delete.<em>|rename.</em> inclusive = 0 disabled = 0 Here is my regmon-filters.conf: [Run] proc = .* hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOT\WINDOWS\CurrentVersion\Run\.* type = set|create|delete|rename baseline = 0 disabled = 0 [RunOnce] proc = .* hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOT\WINDOWS\CurrentVersion\RunOnce\.* type = set|create|delete|rename baseline = 0 disabled = 0 [RunOnceEx] proc = .* hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOT\WINDOWS\CurrentVersion\RunOnceEx\.* type = set|create|delete|rename baseline = 0 disabled = 0 [User-Shell-Folders] proc = .* hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOT\WINDOWS\CurrentVersion\Explorer\User Shell Folders\.* type = set|create|delete|rename baseline = 0 disabled = 0 [Shell-Folders] proc = .* hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOT\WINDOWS\CurrentVersion\Explorer\Shell Folders\Startup\.* type = set|create|delete|rename baseline = 0 disabled = 0 [ShellExecuteHooks] proc = .* hive = \REGISTRY\MACHINE\SOFTWARE\MICROSOT\WINDOWS\CurrentVersion\Explorer\ShellExecuteHooks\.* type = set|create|delete|rename baseline = 0 disabled = 0 [SharedTaskScheduler] proc = .* hive = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\.* type = set|create|delete|rename baseline = 0 disabled = 0 [ShellServicewObjectDelayLoad] proc = .* hive = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\.* type = set|create|delete|rename baseline = 0 disabled = 0 [arpcache] proc = .* hive = \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\app management\arpcache\.* type = set|create|delete|rename baseline = 0 disabled = 0 [shellopencommand] proc = .* \REGISTRY\MACHINE\Software\CLASSES\.<em>\shell\open\command\.</em> type = set|create|delete|rename baseline = 0 disabled = 0 [ExplorerRun] proc = .* \REGISTRY\MACHINE\SOFTWAREMICROSOFT\Windows\CurrentVersion\policies\Explorer\Run\.* type = set|create|delete|rename baseline = 0 disabled = 0 Thanks for any help! Craig ... View more

I'm gathering the _internal index from several hundred remote hosts, but the only events I want to collect centrally are warnings and errors. Is it possible to filter what events get forwarded to the central indexer? Thx. Craig ... View more

I am trying to create a field extraction for events where a plugin_id field matches a range of numbers. This search returns all of the events that I want: sourcetype=ossim "Event received" ((plugin_id>=1001 AND plugin_id<=1131) NOT plugin_id=1002)) Here is the regex to extract the signature_id from the events. If I hard-code the plugin_id in the regex, the extraction works. If I try and use the numeric ranges listed below, it fails: EXTRACT-snort_signature (?i) plugin_id="10[0-9][0-9]|11[0-2][0-9]|113[0-1]".*log="\s*(?P<snort_signature>[^,]+) Why isn't this extracting the signature properly? Thanks. Craig ... View more

Here is my transforms.conf for the lookup table in question: [ossim_plugins] filename = ossim_plugins.csv max_matches = 1 Here is an example of one of the searches that references the lookup table: search = sourcetype=ossim "Event received" NOT ((plugin_id>=1001 AND plugin_id<=1131) OR plugin_id=1597) | lookup ossim_plugins plugin_id OUTPUT plugin_name | timechart count by plugin_name But Splunk is occasionally throwing the following error: The lookup table 'ossim_plugins' does not exist. It is referenced by configuration 'ossim_plugins'. The lookup table ossim_plugins.csv is located in the lookups directory of the app that the searches and dashboards are defined in. Any ideas? Thx. ... View more

I am trying to parse a bunch of Nessus vulnerability plugin files and extract the CVE and OSVDB reference IDs from each file. Each file is treated as a single event. The format of the data is different for each plugin (probably because they were written by different people). Here are some samples: script_cve_id("CVE-2010-4344"); script_cve_id("CVE-2010-3766", "CVE-2010-3767", "CVE-2010-3768", "CVE-2010-3770", "CVE-2010-3771", "CVE-2010-3772", "CVE-2010-3773", "CVE-2010-3774", "CVE-2010-3775", "CVE-2010-3776", "CVE-2010-3777", "CVE-2010-3778"); script_cve_id( "CVE-2010-3512", "CVE-2010-3514", "CVE-2010-3544", "CVE-2010-3545" ); I've tried the following transforms to capture the events, but only a single CVE ID is showing up for each one: [nessus_plugins_cve] REGEX = (?mi)script_cve_id\(\s*"CVE-(?P<cve_id>\d+-\d+)(?=",*) FORMAT = cve_id::$1 MV_ADD = true Why isn't my regex capturing more than one CVE reference? Thx. Craig ... View more

I need to create an outputlookup file with more than 10,000 results. I've looked through the limits.conf examples and I can't find a way to increase the number of results beyond 10K. Is this possible? Craig ... View more

I'm trying to create a dashboard that will add vulnerability data from OSVDB to the results of a Nessus scan. I've created a lookup table from the content of the Nessus plugins that is like the following: Nessus_ID,nessus_plugin_name,cve_id,osvdb_id 1,Buffer Exploit,2009-0142,, 2,Memory Overflow,,56314 3,Remote Exploit,2008-3456,34578 Some Nessus plugins only have a CVE reference. Others only have OSVDB. Some have both. Is it possible to do a lookup that will match on either cve_id, osvdb_id or both (if both are present)? Thanks. Craig ... View more

I'm working with Nessus vulnerability scanner results such as the following: results|192.168.1|192.168.1.100|general/tcp|19506|Security Note|\nSynopsis :\n\nInformation about the Nessus scan.\n\nDescription :\n\nThis script displays, for each tested host, information about the scan itself:\n\n - The version of the plugin set\n - The type of plugin feed (HomeFeed or ProfessionalFeed)\n - The version of the Nessus Engine\n - The port scanner(s) used\n - The port range scanned\n - The date of the scan\n - The duration of the scan\n - The number of hosts scanned in parallel\n - The number of checks done in parallel\n\nSolution :\n\nn/a\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nInformation about this scan : \n\nNessus version : 4.4.0 (Build 15045)\nPlugin feed version : 201012101834\nType of plugin feed : HomeFeed (Non-commercial use only)\nScanner IP : 192.168.1.100\nPort scanner(s) : nessus_syn_scanner \nPort range : default\nThorough tests : no\nExperimental tests : no\nParanoia level : 1\nReport Verbosity : 1\nSafe checks : yes\nOptimize the test : yes\nCGI scanning : disabled\nWeb application tests : disabled\nMax hosts : 20\nMax checks : 4\nRecv timeout : 5\nBackports : None\nScan Start Date : 2010/12/11 13:14\nScan duration : 246 sec\n\n I want those \n characters to be treated as a new line. I tried the following in transforms.conf and it didn't work: [nessus] MAX_EVENTS = 1 SEDCMD-carriage_return = /s\\n/\n Is it possible for SED to replace a character with a special character? Thx. Craig ... View more

I have a search that will generate one or more fields that contain a URL. Is it possible to click on the URL and have it open a browser rather than populating the search window with the URL? Thx. ... View more

I am experimenting with some searches that will need to do lookups on some fairly big tables (30 MB or more). I'm wondering whether it will be faster for Splunk to do a single lookup on a really large table or if I should just chain together several lookups on smaller tables. And I'm curious how big a table can get before it should be broken down into smaller sequential lookups (if ever). Thx. ... View more

Assume I have an event with the following field: Name="Microsoft Office Outlook MUI (English) 2007" Assume I have a lookup table as follows: Vendor,Product,Version Microsoft Corporation,Outlook,2007 SP1 If the Name field does not consistently adhere to the format of the lookup table, is it possible to do a lookup that would do a partial match against the fields of the lookup table? So if the Name field contains Microsoft, Outlook, and 2007 it would match? Thx. Craig ... View more