This is great, except it is dropping the peripheral data in my real search due to the use of stats to recreate the multivalue field. Do you know how to recreate the field without the use of stats? ... View more

I do not have the ability to search _indexes, so I adapted your solution to my makeresults method like this: | makeresults | eval test="Linked to Historical Cyber Exploit,1;Historically Linked to Malware,1;Historically Linked to Penetration Testing Tools,1;Exploited in the Wild by Recently Active Malware,5" | eval test2="Linked to Historical Cyber Exploit,1;Historically Linked to Malware,2;Historically Linked to Penetration Testing Tools,1;Exploited in the Wild by Recently Active Malware,4" | eval test3= "Linked to Historical Cyber Exploit,1;Historically Linked to Malware,4;Historically Linked to Penetration Testing Tools,1;Exploited in the Wild by Recently Active Malware,4" | eval test4="Linked to Historical Cyber Exploit,2;Historically Linked to Malware,2;Historically Linked to Penetration Testing Tools,2" | table test* | transpose | table "row 1" | rename "row 1" as data | makemv delim=";" data | mvexpand data | rename data as _raw | rename COMMENT as "this is sample. from here, the logic." | rex "(?<num>\d+$)" | eventstats max(num) as max_num | stats values(eval(if(like(_raw,"%".max_num),_raw,NULL))) as result This solution identifies one field with the highest value, but does not return the value for each field. I should have updated my desired results, because my original description is incomplete. The results I would like to get from this dataset would look similar to this: The problem I am facing now is the proposed solutions to recreate the multivalue field use stats which drops the other fields in my data that I didn't include in the example.  ... View more

This returns the field values great, but as separate events. Do you know how to pull them back together as a mv field?  ... View more

I tried to use this process but couldn't get it to work. I've added some SPL to emulate my data, can you give it another look? ... View more

This is only returning one result out of all my events. I added some SPL to emulate my data, can you take another look? ... View more

I figured out a way to use makeresults to emulate my data, its ugly. If there is a better way to do it, I would love to hear that too!  | makeresults | eval test="Linked to Historical Cyber Exploit,1;Historically Linked to Malware,1;Historically Linked to Penetration Testing Tools,1;Exploited in the Wild by Recently Active Malware,5" | eval test2="Linked to Historical Cyber Exploit,1;Historically Linked to Malware,2;Historically Linked to Penetration Testing Tools,1;Exploited in the Wild by Recently Active Malware,4" | eval test3= "Linked to Historical Cyber Exploit,1;Historically Linked to Malware,4;Historically Linked to Penetration Testing Tools,1;Exploited in the Wild by Recently Active Malware,4" | eval test4="Linked to Historical Cyber Exploit,2;Historically Linked to Malware,2;Historically Linked to Penetration Testing Tools,2" | table test* | transpose | table "row 1" | rename "row 1" as data | makemv delim=";" data ... View more

try this: index=aaa | fields appid | join type=outer | [search |inputlookup yourfile.csv ] ... View more

If I understand your question, this is a syslog-ng configuration question. "Why is syslog-ng splitting my events that I forward from Splunk?" Am I understanding the issue correctly? ... View more

I took a second look at the Cisco documentation for these two ASA messages and decided to move my earlier answer to a comment. My new answer is, I believe the parsing aligns with Cisco's documentation for the messages. re: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs3.html#con_4770749 AND: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/inspect_basic.html#10154 I think what looks like a bad parsing is actually due to the way the ASA is building and tearing down the connections based on the traffic flow/firewall rules. I suspect the 'deny' is on the outside interface of the firewall and as such the connection between the inside and outside is built. In the message %ASA-6-302015 the firewall builds an outbound connection from the internal server to the Google DNS server (8.8.8.8) because a DNS query was issued by the internal server which is configured to use Google DNS. In %ASA-6-302016 we see the connection get torn down from the DNS server to the internal server because DNS Inspect, which is enabled by default, automatically tears down these connections as soon as a response is sent back from the DNS server. So from the outside to the inside. So, the ASA establishes the connection from the inside out and tears it down from the outside in, thus the apparent flip-flop of the src_ip in the two messages. ... View more

So every event has the startDate and EndDate and the var(value)? If that is correct and the x axis is the time line of start to end date, what time would you use in the event to place the var(value) on the timeline? ... View more

Exclude the site you do not wish to include in the results by setting "NOT url=tcp://edge-chat.facebook.com" and remove tcp:// by stripping it with replace "| replace tcp://* WITH * IN url" index=sec_proxy_web sourcetype="bluecoat:proxysg:access:syslog" NOT url=tcp://edge-chat.facebook.com |replace tcp://* WITH * IN url ... View more

I do not see the same behavior in our environment. We are using the Cisco ASA add-on (https://splunkbase.splunk.com/app/1620/) to parse the fields. I would suggest using this add-on if you are not. ... View more

Perhaps you should consider using Windows Event Forwarding to a local server (https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection) and use a Splunk forwarder to send the logs to your Splunk instance. To meet your need to send the logs off-hours, write a powershell script to enable/disable splunkd as required to meet your transmission requirements. ... View more

If you would like to stay with regex I think this will get it for you: | regex message != "[iI]tem" ... View more

An alternative to installing the PA app on an HF is to send data from the PA to syslog and use a UF on the syslog server to send to SplunkCloud. ... View more

I think this will work for you... Your_search | rex "[|:](?P<Status>\D\w{6,8})[| ]" | stats count by Status The caveat is the 'failure' messages would need to be non-digit and between 6&8 characters in length (otherwise adjust the regex). Careful modifying the length too much or it may introduce false positives. ... View more

That message means there is no group information in the assertion that matches with the configuration in Splunk. Do you know how to capture the SAML assertion using something like Chrome developer tools? If so, use https://www.samltool.com/decode.php to look at the SAML information and see what groups are being sent to Splunk. Make adjustments to either Splunk or user groups on IDP side to correct the issue. ... View more

It will add the desired column to your results. However your sample data uses 223/(ESME_ROK + ESME_RTHROTTLED) * 100 as the formula. If that is right the search should be... your_search | eval "THROTTLING %"=(223/(ESME_RTHROTTLED + ESME_ROK)*100) ... View more

Can you share details of how you are determining the delay is on the HF? Why are you using an HF on the syslog server? ... View more

Try this... index=foo sourcetype=bar | lookup keyword.csv keyword OUTPUT keyword AS Matched | stats count by Matched ... View more

The simple answer here is you need to find a path to the internet from these machines. If the data can't get to the internet, it can't reach SplunkCloud. If there is an egress point in another VPC to the internet or from your on-prem environment the data can get to SplunkCloud by installing the universal forwarder on the source machines and opening a path to the internet for these boxes to follow. If you can not have these boxes communicating directly out, perhaps you need to consider an intermediate tier of forwarders that have access to internal/AWS resources and can talk to the internet. Then your data sources can send the logs to the intermediate forwarder tier which can then send the data along to SplunkCloud. ... View more