About PCIIT

PCIIT · ‎01-10-2019

we have our own web security reporting APP . it is working fine with below regex. ^([^\_\-]+)\_([^\-]+)-(? [^-]+) ----> working fine but i have replaced with below regex which is not working ^([\w]+-)(? [\w]+[^-]+) -------> not working i have input field decision_list which is used for output field description here decision_list = DECR_WEB_7-webGroup-SH_Auth-DefaultGroup-NONE-NONE-DefaultGroup description = webGroup ---->expecting field description value so write regex expression but it is not working

PCIIT · ‎01-10-2019

Hello Sir , I am having issue with the Splunk App for Web data model... but not sure where the problem is. I have replaced regex in our data model .json file but it is not working. In our data model , we have some field (date, time , decision_list) and added Rex in expression like Rex: "expression": "^([\w]+-)(? [\w]+[^-]+)" but it is giving error " { "outputFields": [ { "fieldName": "Description", "owner": "Event", "type": "string", "required": false, "multivalue": false, "hidden": false, "editable": true, "displayName": "Description", "comment": "", "fieldSearch": "" } ], "inputField": "decision_list", "calculationID": "asdfassdfg", "owner": "Event", "editable": true, "comment": "", "calculationType": "Rex", "expression": " ^([\w]+-)(? [\w]+[^-]+)" }, when I am searching in Dashboard so facing Error in Dashboard : Error: "Error in 'PivotProcessor': Error in 'DataModelEvaluator': JSON for data model 'Web_Acc_Data' is invalid." This regex is working perfectly in regex editor. Someone has any clue?

PCIIT · ‎11-27-2018

we are using different-2 time format in our log. for example 1)11 Sep 2018 18:40:42 (GMT +0200) 2) Mon Sep 24 10:40:03 2018 will it work ?

PCIIT · ‎11-25-2018

I need to help writing the regex for date format with time zone. log format : 11 Sep 2018 18:40:42 (GMT +0200) Info: receive. regex : ^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s\d{4}\s how to add (GMT +0200) in regex ======================================== Why am I not able to extract a field for this regex? I can see parsing is happening but I am unable to extract the field Log format: 11 Sep 2018 18:40:42 (GMT +0200) Info: Retrospective verdict received. SHA256: e989ecc7781f025c4ae73dc53953010e54828bf36d94a1e8db2e2254ba19eaa3 Timestamp: 1536684042.09 Verdict: MALICIOUS Reputation Score: 0 Spyname: W32.E989ECC778-95.SBX.TG REGEX : ^\d{2}\s\w{3}\s\d{4}\s(\d{2}:\d{2}:\d{2})\s$\w{3}\s\+\d{4}$\s([^:]+):\s{1,2}(Retrospective verdict received)\.\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^:]+):\s([^\s]+) Why am I not able to see a field extraction for this ?

PCIIT · ‎11-22-2018

I need help. I am unable to see the correct value after extracting a field with this regex. Why is the parser not extracting the correct value for the field we are using with the below log format : Mon Sep 24 10:40:03 2018 Info: Retrospective verdict received. SHA256: 3137893bc260c014974de84a Timestamp: 1537778403.1 Verdict: MALICIOUS Reputation Score: 0 Spyname: W32.3137893BC2-96.SBX.VIOC fields in our data model dvc_time log_level amp_verdict_type amp_sha_value _time verdict_type amp_score amp_Malware 3) wrote Regex in transforms.conf [acc_log] REGEX = ^\w{3}\s\w{3}\s\d{2}\s(\d{2}:\d{2}:\d{2})\s\d{4}\s(?:[^\s]+)\s{1,2}(Retrospective verdict received)\.\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^\,\:]+)\:\s([^\,\"]+)\n(?:[^:]+):\s([^\s]+) FORMAT = dvc_time::$1 log_level::$2 amp_verdict_type::$3 amp_sha_value::$4 _time::$5 verdict_type::$6 amp_score::$7 amp_Malware::$8 4) props.conf [sourcetype] TRANSFORMS-set= setnull,setparsing REPORT-log = acc_log 5) i am not able to see the correct value for extracting a field. My regex is not working properly.

PCIIT · ‎11-13-2018

could you please suggest me ?what is correct value need to set ? [kv] maxchars = 20480 --->ok or need to set high value

PCIIT · ‎11-12-2018

what is maximum value for maxchars ?

PCIIT · ‎11-12-2018

i added in limit.conf [kv] maxchars = 10240 but still same issue

PCIIT · ‎11-12-2018

Hi All , We are using Splunk 6.6.6 version. Whenever we run a query with the log size of each event more than 10 KB in size, we are unable to parse it. We analyzed our search.log and found the following warnings. 11-12-2018 17:38:11.475 WARN SearchOperator:kv - date_hour is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - date_mday is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - date_minute is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - date_month is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - date_second is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - date_wday is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - date_year is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - date_zone is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - host is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - index is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - linecount is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - punct is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - source is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - sourcetype is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - splunk_server is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - splunk_server_group is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - timeendpos is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - timestartpos is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - buildRegexList provided empty conf key, ignoring. 11-12-2018 17:38:11.475 WARN SearchOperator:kv - date_hour is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.475 WARN SearchOperator:kv - date_mday is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - date_minute is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - date_month is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - date_second is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - date_wday is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - date_year is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - date_zone is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - host is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - index is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - linecount is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - punct is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - source is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - sourcetype is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - splunk_server is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - splunk_server_group is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - timeendpos is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.476 WARN SearchOperator:kv - timestartpos is an indexed field, ignoring TOKENIZER 11-12-2018 17:38:11.478 INFO UserManager - Unwound user context: admin -> NULL 11-12-2018 17:38:11.478 INFO UserManager - Unwound user context: admin -> NULL 11-12-2018 17:38:11.478 INFO UserManager - Unwound user context: admin -> NULL 11-12-2018 17:38:11.478 INFO UserManager - Unwound user context: admin -> NULL 11-12-2018 17:38:11.479 INFO UserManager - Unwound user context: admin -> NULL 11-12-2018 17:38:11.479 INFO UserManager - Unwound user context: admin -> NULL 11-12-2018 17:38:11.480 INFO UserManager - Unwound user context: admin -> NULL

PCIIT · ‎10-07-2018

Hi , we have one field Score which contain floating poiint value(score) score -9.5 -9.4 -9.3 -9.0 -8.9 -8.7 -7.9 -7.8 -7.7 -7.6 -7.4 -7.2 -7.1 -7.0 -6.9 -6.6 -5.9 -5.8 -5.7 -5.5 -5.3 -5.0 -4.9 -4.8 -4.7 -4.5 -4.4 -4.3 -4.2 -4.1 -4.0 -3.9 -3.8 -3.7 -3.4 -3.2 -3.0 -2.8 -2.7 -2.5 -2.4 -2.3 -2.1 -1.9 -1.8 I wrote splunk query like FILTER score >= -10 FILTER score <= -7 SPLITROW score output : -6.9 -6.6 -5.9 -5.8 -5.7 -5.5 -5.3 -5.0 -4.9 -4.8 -4.7 -4.5 -4.4 -4.3 -4.2 -4.1 -4.0 -3.9 -3.8 -3.7 -3.4 -3.2 -3.0 -2.8 -2.7 -2.5 -2.4 -2.3 -2.1 score is not displaying proper value for negative number as I have set range between -10 to -7

Posts	10
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎10-07-2018

Online Status	Offline
Date Last Visited	‎06-05-2020 02:04 AM

Issue: I haved added rex in our web data model ...

How do I write a regex for a date with the time zo...

After building a regex for transforms.conf and pro...

Why am I unable to parse logs that are bigger than...

issue : splunk query is not displying correct resu...

Re: Issue: I haved added rex in our web data mo...

Issue: I haved added rex in our web data model ...

Re: How do I write a regex for a date with the tim...

How do I write a regex for a date with the time zo...

After building a regex for transforms.conf and pro...

Re: Why am I unable to parse logs that are bigger ...

Re: Why am I unable to parse logs that are bigger ...

Re: Why am I unable to parse logs that are bigger ...

Why am I unable to parse logs that are bigger than...

issue : splunk query is not displying correct resu...