Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About DanAlexander
DanAlexander
Communicator
Member since:
11-14-2021
01-21-2026
Community Statistics
| Posts | 120 |
| Solutions | 0 |
| Karma Given | 38 |
| Karma Received | 1 |
| Member Since | 11-14-2021 |
Activity Feed
- Posted SC4S vs “syslog servers tier” on Deployment Architecture. 09-03-2025 03:03 PM
- Posted Re: REGEX Requred on Getting Data In. 12-06-2024 04:56 AM
- Posted Re: REGEX Requred on Getting Data In. 12-06-2024 04:51 AM
- Got Karma for Re: REGEX Requred. 12-05-2024 08:41 AM
- Posted Re: REGEX Requred on Getting Data In. 12-05-2024 08:21 AM
- Posted REGEX Requred on Getting Data In. 12-05-2024 07:25 AM
- Posted Re: SEDCMD issues on Getting Data In. 11-30-2024 01:18 PM
- Posted SEDCMD issues on Getting Data In. 11-30-2024 03:09 AM
- Posted Re: SPLUNK Raw data reducing on Getting Data In. 11-27-2024 06:55 AM
- Karma Re: SPLUNK Raw data reducing for PickleRick. 11-27-2024 06:53 AM
- Karma Re: SPLUNK Raw data reducing for ITWhisperer. 11-27-2024 06:53 AM
- Posted Re: SPLUNK Raw data reducing on Getting Data In. 11-27-2024 06:52 AM
- Posted SPLUNK Raw data reducing on Getting Data In. 11-27-2024 04:46 AM
- Posted Re: trying to compare two sources and extract these ones that do not have SysMon on Splunk Search. 01-24-2024 02:12 PM
- Karma Re: trying to compare two sources and extract these ones that do not have SysMon for yuanliu. 01-24-2024 02:11 PM
- Posted Re: trying to compare two sources and extract these ones that do not have SysMon on Splunk Search. 01-23-2024 08:08 AM
- Posted Re: trying to compare two sources and extract these ones that do not have SysMon on Splunk Search. 01-22-2024 11:44 PM
- Posted Re: trying to compare two sources and extract these ones that do not have SysMon on Splunk Search. 01-22-2024 04:28 PM
- Posted Re: trying to compare two sources and extract these ones that do not have SysMon on Splunk Search. 01-22-2024 11:30 AM
- Posted Re: trying to compare two sources and extract these ones that do not have SysMon on Splunk Search. 01-22-2024 06:53 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-13-2023
04:20 AM
Hello community,
I am having an issue creating appropriate SEDCMD to reduce the size of specific Win events.
I am trying to extract only one random bit (could be anything) and through all the rest before they get indexed.
Below is the raw Event and wanted to drop (it is large). I just want a single word/line. I did try the following but it did nothing. Under the Splunk_TA_Windows local/props I did put something like [source::XmlWinEventLog:Security] SEDCMD-4688_splunkd_events_clearing=s/.\\Program Files\\.+\\splunkd\.exe//g
----------------------------------------------- Raw Event---------------------------------------------------
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>
Caller_Domain = XXXXXXXX ller_User_Name = XXXXXXXX Channel = SecurityComputer = XXXXXXXX privEVentId = EventIDError_Code = -EventCode = 4688EventData_Xml = <Data Name='SubjectUserSid'> XXXXXXXX </Data><Data Name='SubjectUserName'> XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>S-1-16-16384</Data>EventID = 4688EventRecordID = 12 XXXXXXXXid = '{54849625-XXXXXXXX-a5ba-3e3b0328c30d}'Keywords = 0x8020000000000000Level = 0Logon_ID = 0x3e7MandatoryLabel = S-1-16-16384Name = 'Microsoft-Windows-Security-Auditing'NewProcessId = 0x2XXXXXXXX4NewProcessName = C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeOpcode = 0ParentProcessName = C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeProcessID = '4'ProcessId = 0x17d4RecordNumber = 12536409SubjectDomainName = XXXXXXXXbjectLogonId = 0x3e7SubjectUserName = XXXXXXXX= S-1-5-18SystemTime = XXXXXXXX:39:41.797279900Z'System_Props_Xml = <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{XXXXXXXX4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10XXXXXXXX/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer>XXXXXXXX</Computer><Security/>TargetDomainName = -TargetLogonId = 0x0TargetUserName = -TargetUserSid = S-1-0-0Target_Domain = -Target_User_Name = -Task = 13312ThreadID = '15216'TokenElevationType = %%1936Token_Elevation_Type = %%1936Token_Elevation_Type_id = 1936Version = 2action = allowedapp = win:unknowndest = XXXXXXXX= XXXXXXXXcaracal01.greenstream.privdvc_nt_host = XXXXXXXXevent_id = 12536409eventtype = endpoint_services_processes eventtype = windows_endpoint_processes process report eventtype = windows_event_signature track_event_signatures eventtype = windows_process_new execute process start eventtype = wineventlog_security os windows eventtype = wineventlog_windows os windows eventtype = winsec securityhost = XXXXXXXXid = 12536409index = XXXXXXXXserverlinecount = 1name = A new process has been creatednew_process = C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exenew_process_id = 0x2734new_process_name = splunk-MonitorNoHandle.exeparent_process = C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeparent_process_id = 0x17d4parent_process_name = splunkd.exeparent_process_path = C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeprocess = C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeprocess_exec = splunk-MonitorNoHandle.exeprocess_id = 0XXXXXXXX4process_name = splunk-MonitorNoHandle.exeprocess_path = C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeproduct = Windowspunct = <_='://../////'><><_='---'_='{----}'/><></><></><>session_id = 0x3e7signature = A new process has been createdsignature_id = 4688source = XmlWinEventLog:Securitysourcetype = XmlWinEventLogsplunk_server = XXXXXXXX_nt_domain = XXXXXXXXsrc_user = XXXXXXXX$status = successsubject = A new process has been createdta_windows_action = failuretag = execute tag = os tag = process tag = report tag = security tag = start tag = track_event_signatures tag = windowsuser = XXXXXXXX$user_group = -vendor = Microsoftvendor_product = Microsoft Windows
Any help is much appreciated. Thank you All!
... View more
Labels
- Labels:
-
blacklist
-
props.conf
-
source
-
sourcetype
-
whitelist
06-08-2023
05:53 AM
Thanks again @ITWhisperer I just wanted to confirm that this is going to be the result after applying SEDCMD remove_unwanted_parts_from_raw_event=s/.*\[(?<action>action:\"[^\"]+\").+(?<origin>origin:\"[^\"]+\").+(?<dst>dst:\"[^\"]+\").+(?<layer_name>layer_name:\"[^\"]+\").+(?<src>src:\"[^\"]+\").*/\1 \2 \3 \4 \5/g action:"Accept" origin:"000.000.000.000" dst:"000.000.000.000" layer_name:" XXXXXXXX " src:"000.000.000.000" I just wanted to make sure the regex will extract the values I want to keep (above) and all the rest will be dropped before it gets indexed on the indexers and not the other way around? Thank you!
... View more
06-08-2023
05:12 AM
I get this now. Thank you @PickleRick I might create separate SEDCMD entries to avoid confusion and keep it simple?
... View more
06-08-2023
04:58 AM
Thanks for the reply @PickleRick "3. Testing using regex SPL commands might lead to confusion sometimes since you have to escape your regex to "fit" into a string." Would it be possible to provide any practical examples, please? Apologies, I cannot fully understand. Thank you!
... View more
06-08-2023
04:52 AM
Thanks for your reply @ITWhisperer Unfortunately, it gives me an error Unknown search command `db` after I run the following: | makeresults | eval _raw = "[meta sequenceId="-2077347367"]10000 - [action:"Accept"; conn_direction:"Internal"; flags:"dd06212"; ifdir:"inbound"; ifname:"bond3.32"; logid:"0"; loguid:"{ 000.000.000.000}"; origin:"000.000.000.000"; originsicname:"CN=XXXXXXXX,O= XXXXXXXX. XXXXXXXX.q7vvv"; sequencenum:"1457"; time:"1686217674"; version:"5"; __policy_id_tag:"product=cccccccc-1[db_tag={ XXXXXXXX-8ED31 XXXXXXXX };mgmt= XXXXXXXX xxx1;date=168XXXXXXXX;policy_name=XXXXXXXX-1\]"; dst:"000.000.000.000"; log_delay:"168XXXXXXXX "; layer_name:" XXXXXXXX "; layer_name:" XXXXXXXX "; layer_uuid:" XXXXXXXX -49d7-a207-a90ea5dd66fb"; layer_uuid:"cdc569c2-d869- XXXXXXXX "; match_id:"14x"; match_id:"50331649"; parent_rule:"0"; parent_rule:"0"; rule_action:"Accept"; rule_action:"Accept"; rule_name:" XXXXXXXX Heartbeat -> Platfxxxx"; rule_name:" XXXXXXXX "; rule_uid:"211567a0-d33a- XXXXXXXX "; rule_uid:" XXXXXXXX -4bde-a9c0-3cbaefd188b6"; product:" XXXXXXXX "; proto:"6"; s_port:" XXXXXXXX "; service:"3002"; service_id:"xxxx-Control"; src:"000.000.000.000"]" | rex mode=sed "s/.*\[(?<action>action:\"[^\"]+\").+(?<origin>origin:\"[^\"]+\").+(?<dst>dst:\"[^\"]+\").+(?<layer_name>layer_name:\"[^\"]+\").+(?<src>src:\"[^\"]+\").*/\1 \2 \3 \4 \5/g" Would it be possible to provide all used to test, please? Thank you!
... View more
06-08-2023
03:53 AM
Hello clever people,
Would anyone be able to help me build a regex that would work on a SPL level e.g something like
| rex mode=sed field=_raw s/regex_example/g
I wanted to test the result first before I add to props on the indexers.
The below is the raw log and I would like to keep just the parts in bold all the rest should be dropped/cleared.
-----------------------------------------------------
[meta sequenceId="-2077347367"]10000 - [action:"Accept"; conn_direction:"Internal"; flags:"dd06212"; ifdir:"inbound"; ifname:"bond3.32"; logid:"0"; loguid:"{ 000.000.000.000}"; origin:"000.000.000.000"; originsicname:"CN=XXXXXXXX,O= XXXXXXXX. XXXXXXXX.q7vvv"; sequencenum:"1457"; time:"1686217674"; version:"5"; __policy_id_tag:"product=cccccccc-1[db_tag={ XXXXXXXX-8ED31 XXXXXXXX };mgmt= XXXXXXXX xxx1;date=168XXXXXXXX;policy_name=XXXXXXXX-1\]"; dst:"000.000.000.000"; log_delay:"168XXXXXXXX "; layer_name:" XXXXXXXX "; layer_name:" XXXXXXXX "; layer_uuid:" XXXXXXXX -49d7-a207-a90ea5dd66fb"; layer_uuid:"cdc569c2-d869- XXXXXXXX "; match_id:"14x"; match_id:"50331649"; parent_rule:"0"; parent_rule:"0"; rule_action:"Accept"; rule_action:"Accept"; rule_name:" XXXXXXXX Heartbeat -> Platfxxxx"; rule_name:" XXXXXXXX "; rule_uid:"211567a0-d33a- XXXXXXXX "; rule_uid:" XXXXXXXX -4bde-a9c0-3cbaefd188b6"; product:" XXXXXXXX "; proto:"6"; s_port:" XXXXXXXX "; service:"3002"; service_id:"xxxx-Control"; src:"000.000.000.000"]
-----------------------------------------------
Thank you all in advance!
... View more
Labels
- Labels:
-
data
-
heavy forwarder
-
props.conf
-
transforms.conf
06-06-2023
01:59 AM
Hi, Thanks for the reply @isoutamo We are using these but wanted to see if I can change the limitations within the UI regards, Dan
... View more
06-06-2023
01:33 AM
Hello network,
I need help understanding how to increase the number of lines within the UI Field Extraction
For example, I have an event containing 38 lines and when sampling for applying regex while field extracting, it gives me visibility of 20 lines only, which prevents me of seen what I actually want to extract as a field.
I did check the ui-prefs.conf but not entirely sure if this is the right place to expand and maximize the window/workflow so I can see all lines and work with these.
Thank you
... View more
Labels
- Labels:
-
calculated field
-
field extraction
05-29-2023
01:18 PM
Hi @richgalloway Trust my message finds you well. I have implemented it as advised, but so far I cannot see a change within the structure of the raw event. I did put the regex in the TA app for Windows props.conf pushed the new bundle across all indexers, but still does not work. Shall I put it in the etc/system/local/props.conf on each indexer, as I think if I make a change in this directory on the cluster master, I would not be able to push the new bundle across all indexers (I might be wrong). Where am I going wrong? Abs no idea...
... View more
05-23-2023
12:10 PM
Hi, Thanks for your feedback @richgalloway Your help is much appreciated. No need to test to give kudos to people that cater for others. One last question please. Where can I get a comprehensive list of SEDCMD options (like stripFields) some samples may be helpful too. Kind regards, Dan
... View more
05-23-2023
12:34 AM
Hi @richgalloway Thanks for the reply. Here is the working pair regex/log (works according to regex101): \[action:"(?<Action>\w+)"|origin:"(?<Origin>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|layer_name:"(?<Text>\w+)"|dst:"(?<dest>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|src:"(?<Source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" xxxxxxxx - [action:"Accept"; xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx origin:"10.181.11.111"; xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx dst:"192.168.22.9"; xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx src:"10.181.111.111"] I wanted to learn how to set up the configuration properly and then explore opportunities around where exactly this can be deployed either on a HF or on the Indexers. I heard that the Indexers can process the data before it gets indexed (I might be wrong just wanted to avoid an intermediate layer whenever possible), but first thing first. Thank you for your feedback so far. Looking forward to receiving further help. Regards, Dan
... View more
05-22-2023
06:00 AM
Hello network, Hope this message finds you All well. I have a challenge I would like to solve and I am sure with your help this can be done. Problem: The following scenario represents our desire to be able to index the highlighted data/kv pairs only and dropping all of the rest from the event sample PSB (please let us know if you would need the original regex and the obfuscated event sample). The regex properly selects what I would like to keep before the data gets indexed on the idexers (I learnt this can be done on the indexers not just on the Heavy Forwarder/s, which we would like to avoid in our forwarding topology approach). Unfortunately, we cannot do this via the Ingest Actions Ruleset UI on the Cluster Manager (it is designed to drop off the entire event matching a regex not particular parts of that event). Question: Is there a way we can use props and transforms or any other mechanism to govern the dropping of the unwanted parts from the event above, during the parsing phase and before the data gets indexed? Thank you!
... View more
Labels
- Labels:
-
props.conf
-
source
-
sourcetype
-
transforms.conf
05-10-2023
02:29 PM
@yeahnah thank you very much for trying to help. Your solution for sure works, but I am not advanced to implement it. Your help much appreciated!
... View more
05-10-2023
02:27 PM
@enzomialich thanks for the quick response. Yes, it all works. thank you very much! I needed a single reg expression to extract the parts of the raw log as I want to discard all the rest Kudos to you Sir!
... View more
05-10-2023
01:43 PM
Hi All, Can anyone help me create a regex to extract the bolded parts from the following _raw log, please? some text - [action:"Accept"; some text ; origin:"10.111.10.111"; some text]"; dst:"192.168.11.01"; some text684"; layer_name:"Some text"; layer_nsome text"; src:"192.168.81.62"] Thank you in advance!
... View more
Labels
- Labels:
-
field extraction
-
regex
-
rex
05-10-2023
09:39 AM
Hi All, Can anyone help me create a regex to extract the bolded parts from the following _raw log, please? meta sequenceId="182311942"]10000 - [action:"Accept"; ........; origin:"10.111.10.111"; originsicname:"CN=................610;policy_name=High_Trust-1\]"; dst:"192.168.11.01"; log_delay:"1683724684"; layer_name:"Some text"; layer_name:"High_Trust-1 Application"; layer_uuid:"426c8a................."StoneBeat-Control"; src:"192.168.81.62"] Thank you in advance!
... View more
Labels
- Labels:
-
field extraction
-
regex
-
rex
03-29-2023
01:45 PM
Hi @PickleRick and @gcusello Thank you for your feedback. I am aware that indexing on the HF will be reindexed on the IDx, I was thinking about temporarily enabling indexing in order to see variety of logs coming from the UFs. After applying all rules on logs to them disable indexing just enable parsing on the HF. I most probably do the changes via props and transforms and .will see how it goes. If I am successful I will share back. Thank you both.
... View more
03-26-2023
12:00 PM
Thanks @gcusello, I understand that unless we do not index on the HF we won't be able to see any logs passing the HF. As a work around can't we not temporarily enable indexAndParse on the outputs config to be able to make logs available on the HF for creating parsing rules and then disable it? Thanks
... View more
03-26-2023
08:26 AM
Hello Community,
Now that I have managed to map up the logs from my UF forwarding logs to the HF and then seeing it all landing well on the IDx.
My question is where I can see the passing raw logs on the HF? The main idea is that there will be no indexing done on the HF. The raw logs will be parsed and then send to the IDx for indexing.
I do not have an index where I can apply rules on logs. How to use the HF UI or anything like props and transforms? If the latter how can I know the format of the raw logs on the HF to be able to apply proper filter on?
Thanks All.
... View more
03-19-2023
01:14 PM
Hi @gcusello, Your time is much appreciated! Thank you very much, I am sure I can manage it after your feedback. Best regards, Dan
... View more
03-18-2023
03:49 PM
Hi @gcusello , Thanks for the reply. I wanted to ask, may I use the same connection mechanism of the indexers (I have 3 of them) [splunktcp-ssl] talking to the HF for the UF-->HF? The UFs can successfully talk to the indexers using [tcpout] and I have [splunktcp-ssl] on the IDx How can I make sure the connecting nodes using the correct password/certificates for the SSL connection. Any link helping with explanation on how to properly set up [splunktcp-ssl] will be really helpful. Where are those CA obtained from? I am not too familiar with the process... does this need to be paid for or is it included in the license I am paying for. Thank you!
... View more
03-17-2023
01:26 AM
Hello Community,
I am having issues connecting my Universal Forwarder with a Heavy Forwarder.
I have the following set up: UF-->HF-->IDx
I can see the logs from HF to IDx, but not sure why I cannot see logs from UF-->HF
The connection HF-->IDx is [splunktcp-ssl] whereas the connection UF-->HF is [tcpout]
My question is how to troubleshoot the broken connection? I read the UF logs but still cannot the issue.
Any help much appreciated.
Thank you All!
... View more
11-02-2022
01:57 AM
Hi all,
We have successfully registered and connected a new Azure Event Hub namespace via the 'Splunk Add-on for Microsoft Cloud Services' app which is on a dedicated Azure log collector machine, but not sure why we do not see them in Splunk SH although we have got an old one up and running.
Your help much appreciated!
Thank you all!
... View more
Labels
11-01-2022
06:38 AM
Hello @All,
I am using Splunk add-on for MS Cloud service to create a new EventHub.
I would like to ask how to make sure I have set it up properly. We have an old one which is up and running. The idea is to create a new namespace and run those in parallel to make sure all works before we shut down the old one. The New input was created successfully. However, still cannot see any new source.
Where am I going wrong? Do I need to manually create an entry within a config file?
Thank you all!
... View more
Labels
- Labels:
-
configuration
-
troubleshooting
09-13-2022
02:22 AM
Morning all,
I am new to Data Models and wanted some guidance of how I can enable some of the inactive ones. Is acceleration available after the Data Model is activated. I am confused with acceleration and how to enable a Data Model. I just want to enable our Endpoint Data Model as we are gaining logs from Universal Forwarder and Sysmon as well. Wanted to find some useful Endpoint use cases I can start using.
Any help much appreciated!
Thank you!
... View more
Labels
- Labels:
-
using Splunk Enterprise
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-21-2026
06:39 AM
|
