Hello we've been advised to "Disable the ability to process ANSI escape codes in terminal applications" and I honestly don't know what that really means and can't find much guidance around that. It wouldn't be something we actively use but I just don't know if that's enabled by default or not. Can someone help me figure out how to ensure this is disabled? We have a simple standalone environment with data just coming in from universal forwarders reading local logs. Thanks in advance, Felix ... View more

I have some powershell scripts scheduled on a windows server and want to track their memory and cpu utilization. And I do have a working solution, but I just wondered what's the best practice here. So I created a WMI input for Win32_process, which has the "CommandLine" for each powershell.exe instance, and that includes the script name. But out of the box, Splunk cuts off that CommandLine field at the first space. I guess my question is, if there are any props.conf options (or in any other configuration) to let it read that full "line" and not stop at the spaces. It seems to be clever enough to read the WMI feed in a way where it puts each field=value into one line in the _raw data. The server in question has a universal forwarder installed. And that has an app with the wmi.conf in it: [WMI:powershell.exe] index = perfmon disabled = 0 interval = 60 wql = SELECT CommandLine, ProcessId, WorkingSetSize, KernelModeTime, UserModeTime from Win32_process WHERE Name = 'powershell.exe' And on the indexer, the sourcetype is configured in the props.conf like this: [WMI:powershell.exe] FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Custom disabled = false In the end, my goal is to get that script name, so I just added a field extraction for that EXTRACT-ScriptName = CommandLine=powershell.exe+\s+\-command+\s+"&\s+'*(?P<ScriptName>[^("|')]+) Is that the best way of doing it? ... View more

Hey - I'm taking my first steps on extracting fields with RegEx and can't seem to get this one working .. any help would be appriciated The events look like this: 12/10/2019 07:40:23 AM LogName=ARAdminService SourceName=ARAdminSvc EventCode=1521 EventType=4 Type=Information ComputerName=wmidcars73.idexcorpnet.com User=NOT_TRANSLATED Sid=S-1-5-21-2094280246-649338158-1033845588-46148 SidType=0 TaskCategory=ScheduledTask OpCode=Info RecordNumber=11331718 Keywords=Classic Message=Scheduled task has reported an event. Task ID: 089546a0-3a4b-4b66-9e4e-43bc9a1f48a6 Object name: Exo-Process-Changes Start date: 12/10/2019 Start time: 7:40:00 AM Script module: Exo-Process-Changes Task execution was completed And want to get that very last line, and put it in a "task_status" field. This is my RegEx (well.. one of 20 I tried) Script module: .*[\n\s\r]*(?<task_status>[^\n\r]*) So I'm basically looking for that "Script module:" line, and want to take the next line that comes after the line breaks and white spaces. I used a similar, yet more complex RegEx to extract multiple fields from a different event log, and that worked fine. So I don't get what's wrong with this one. Just using the field extractor wizard would be great, too, but it seems that my events are longer (line count) than the field extractor can work with. Thanks in advance ... View more