Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About joemiller
joemiller
Path Finder
Member since:
10-12-2018
01-18-2023
Community Statistics
| Posts | 17 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 0 |
| Member Since | 10-12-2018 |
Activity Feed
- Posted Re: Data from a particular source is extracted in duplicate when searched from "Searching and reporting" on Getting Data In. 01-18-2023 11:28 AM
- Karma Re: Data from a particular source is extracted in duplicate when searched from "Searching and reporting" for yeahnah. 01-18-2023 11:25 AM
- Posted Re: Data from a particular source is extracted in duplicate when searched from "Searching and reporting" on Getting Data In. 01-17-2023 07:35 PM
- Posted Data from a particular source is extracted in duplicate when searched from "Searching and reporting"? on Getting Data In. 01-17-2023 06:47 PM
- Karma Re: Pulling new fields out of nested JSON data for ITWhisperer. 04-15-2021 04:29 PM
- Karma Re: Pulling new fields out of nested JSON data for ITWhisperer. 04-15-2021 04:29 PM
- Posted Re: Pulling new fields out of nested JSON data on Splunk Search. 04-15-2021 04:28 PM
- Posted Re: Pulling new fields out of nested JSON data on Splunk Search. 04-15-2021 03:32 PM
- Posted Re: Pulling new fields out of nested JSON data on Splunk Search. 04-15-2021 02:50 PM
- Posted Pulling new fields out of nested JSON data on Splunk Search. 04-15-2021 12:35 PM
- Karma Re: What should be the proper Unix permissions for files in a locally-written app in $SPLUNK_HOME/etc/apps? for jkat54. 03-19-2021 12:14 PM
- Karma What should be the proper Unix permissions for files in a locally-written app in $SPLUNK_HOME/etc/apps? for vinceskahan. 03-19-2021 12:13 PM
- Karma Re: How do you extract key/value pairs when the data is verbose and sometimes inconsistent? for kamlesh_vaghela. 06-05-2020 12:50 AM
- Posted Re: How to efficiently check for missing data? on Knowledge Management. 01-30-2020 03:02 PM
- Posted Re: How to efficiently check for missing data? on Knowledge Management. 01-30-2020 09:53 AM
- Posted Re: How to efficiently check for missing data? on Knowledge Management. 01-29-2020 11:35 PM
- Posted Re: How to efficiently check for missing data? on Knowledge Management. 01-29-2020 10:56 PM
- Posted How to efficiently check for missing data? on Knowledge Management. 01-29-2020 10:26 AM
- Tagged How to efficiently check for missing data? on Knowledge Management. 01-29-2020 10:26 AM
- Tagged How to efficiently check for missing data? on Knowledge Management. 01-29-2020 10:26 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-18-2023
11:28 AM
Thank you! Argh, so the permissions setting on the app was the reason why my changes weren't taking effect. Thanks for clearing that up for me. And that's confusing about the INDEXED_EXTRACTION not being able to be modified from the local props.conf. I understand why search time extraction mightbe preferable, but I don't want to create a setup that will break when there's an app update either.
... View more
01-17-2023
07:35 PM
Update: despite the btool not showing anything relevant in SPLUNK/etc/apps/search/local/props.conf, I added the following lines to that file: [source::duo]
AUTO_KV_JSON = false
KV_MODE = none and this seems to have fixed my problem. So now my question is why? Why weren't the lines in SPLUNK/etc/apps/duo_splunkapp/default/props.conf and (duo_splunkapp/local/props.conf) taking effect even though there were no contradicting lines in a conf file with greater precedence?
... View more
01-17-2023
06:47 PM
This is a single server Splunk deployment. I am indexing Duo MFA logs using the official splunk app. In the "Searching and reporting" app, when I use the table command to view that data, each field is a multivalue field with the value duplicated. When I try the same search using the Duo app instead of "Searching and reporting", the fields are extracted only once as expected, not duplicated. For example...
When I use the table command on this data in "Searching and reporting":
email
user@example.com
user@example.com
When I use the table command on this data in the "Duo" app:
email
user@example.com
So this problem appears to be limited to the "Searching and reporting" app. But I'm not finding any configuration specific to "Searching and reporting" related to this app/source. For example, there is nothing in SPLUNK/etc/apps/search/local/ props.conf or transforms.conf that would affect this source.
The current configuration according to the btool is coming from SPLUNK/etc/apps/duo_splunkapp/default/props.conf and is:
[source::duo]
INDEXED_EXTRACTIONS = json
KV_MODE = none
I also tried changing the config to this:
INDEXED_EXTRACTIONS = none
AUTO_KV_JSON = true
KV_MODE = json
but that just resulted in neither the "Searching and reporting" app nor the "Duo" app having extractions for this data. How do I fix this so the "Searching and reporting" app has a single set of extractions and not duplicates?
... View more
Labels
- Labels:
-
field extraction
04-15-2021
03:32 PM
Oh actually, should there be a command towards the end to "undo" the mvexpand? It looks like I still have separate events for each object..
... View more
04-15-2021
02:50 PM
Thank you very much! This is exactly what I was looking for. Worked perfectly. I did have to add a pair of curly brackets to the end of the path parameter in your first line, e.g.: | spath path=properties.appliedConditionalAccessPolicies{} output=appliedConditionalAccessPolicies Anyways, I really appreciate the quick answer and the detailed explanation! Marking this as the answer.
... View more
04-15-2021
12:35 PM
Looking at the example field below (part of a JSON event), I'm trying to figure out how at search time to pair up the corresponding values of properties.appliedConditionalAccessPolicies{}.displayName fields and properties.appliedConditionalAccessPolicies{}.result fields into new field/value pairs for each event (note that there can be multiple pairs per event - two in this example). So for example, in the event below, I would want to add two new field/value pairs to the event: Require_Duo_MFA=success Scammer_Blocked_IP_Addresses=notApplied Any ideas how to approach that? appliedConditionalAccessPolicies: [ [-]
{ [-]
conditionsNotSatisfied: 0
conditionsSatisfied: 3
displayName: Require Duo MFA
enforcedGrantControls: [ [+]
]
enforcedSessionControls: [ [+]
]
id: 11111111-1111-1111-1111-111111111111
result: success
}
{ [-]
conditionsNotSatisfied: 8
conditionsSatisfied: 3
displayName: Scammer Blocked IP Addresses
enforcedGrantControls: [ [+]
]
enforcedSessionControls: [ [+]
]
id: 22222222-2222-2222-2222-222222222222
result: notApplied
}
]
... View more
Labels
- Labels:
-
field extraction
01-30-2020
03:02 PM
If I do:
index=aws sourcetype=cloudtrail
The results can include events with
aws_account_id=123
aws_account_id=456
aws_account_id=789
So if aws_account_id=789 stops sending logs to splunk, now those events are missing. So if I do search: index=aws sourcetype=cloudtrail aws_account_id=789 I can alert when there are zero matches, and this works good, it will continue to send alerts until the missing data problem is fixed. The problem is I would need to do this for every aws_account_id value.
If I do your suggestion, the alerts will stop after the latest event from the missing aws_account_id value is outside the time range of the search. But I don't want the alerts to stop until the problem is fixed.
... View more
01-30-2020
09:53 AM
Not sure what you mean by that?
... View more
01-29-2020
11:35 PM
I have the alert running once per hour, and the search time frame as "last 4 hours". This way, the results include any events in the last 4 hours where the timestamp is more than one hour old (specifically, more than one hour old, and less than four hours old).
If you set the time frame also to one hour, this search would produce no results at all (because there are no events with a timestamp more than one hour old if you're only looking at a time frame of last one hour).
... View more
01-29-2020
10:56 PM
Thanks for answering! I don't see how this would solve the problem? To be a more specific, let's say I have the search:
index=aws sourcetype=cloudtrail | stats latest(_time) as latest by aws_account_id | where latest < relative_time(now(), "-1h")
with the time frame set to "Last 4 hours". And let's say I have the alert set to run once per hour. This will tell me if any aws_account_id that was previously sending data has not sent data in the last hour, and it will continue sending that alert once per hour, until the latest event received is more than 4 hours old. Then it will stop alerting, even if the problem of missing data continues. My question is how to make this search continue alerting until the data resumes logging.
... View more
01-29-2020
10:26 AM
We have been running alerts that periodically check various sourcetypes and notify us if there are zero events found in order to find out if something has broken with logging or indexing and we are missing data. I'm going to set this up for some AWS logs (e.g. CloudTrail) which we are collecting for multiple (10+) AWS accounts.
The goal is to be alerted if for example CloudTrail logs are missing for ANY one of the 10+ AWS accounts we're monitoring. I'm aware of two approaches that would work, but each with pros/cons. I wonder if somebody has a suggestion that combines the pros of both of these approaches and avoids the cons.
I. Use one saved alert to search all of the AWS accounts, e.g.:
index=aws sourcetype=cloudtrail
| stats latest(_time) as latest by aws_account_id
| where latest < relative_time(now(), "-1h")
And alert when there ARE results for this.
Pros: only one search/alert needed, only get one alert message covering all accounts with missing data (if more than one)
Cons: only works during the time range of the search (if the problem continues beyond the time range of the search, we'll just stop hearing about it)
II. Use one saved alert for each AWS account, e.g.
index=aws sourcetype=cloudtrail aws_account_id=foo and
index=aws sourcetype=cloudtrail aws_account_id=bar etc
And set up individual alerts for each one and alert when there are NO results.
Pros: not dependent on the time range of the search, if the problem continues beyond the time range of the search, the alert will keep complaining until the problem is resolved
Cons: need to set up a separate alert for each AWS account, including a new one every time we add a new AWS account. If the problem affects multiple accounts, we'll get spammed with separate alerts for each one
Is there a way to get the pros of both of these methods without the cons?
... View more
10-15-2018
03:31 PM
And I think I fixed that last issue by adding a | fields _raw before the | kv ..
... View more
10-15-2018
02:54 PM
Okay actually, I still have a small problem.. when I do this on the test search using makeresults, I have to do the rex and then do | kv to get the Parameters field to use the modified version of _raw. But if I do that rex on a "live" search and then do | kv , I get duplicates of every field..
... View more
10-15-2018
01:57 PM
Okay, I ended up adding this line:
| rex mode=sed "s/Value\": \"\"/Value\": \"empty\"/"
right before all the other commands you suggested, and that fixed the problem related to empty values of "Value". But please let me know if you suggest something different. Thanks again for your help!
... View more
10-15-2018
10:17 AM
This is great! Thank you very much! It works for both of the examples I gave in my original post, so I will mark it as the answer.
I just got another event where one of the parameters has a blank value, and in that case, this doesn't quite work. I'm going to play around with it a bit and see if I can make it work for that case too. If you have any suggestions, I would also appreciate that very much! Here's that example, in the makeresults format you used (I just used one of the existing ones and replaced the "Parameters[]" value, and incremented the "Id" value):
[| makeresults | eval _raw="{\"OrganizationName\": \"example.com\", \"Parameters\": [{\"Value\": \"\", \"Name\": \"DomainController\"}, {\"Value\": \"example.com/Microsoft Exchange Hosted Organizations/example.com/DiscoverySearchMailbox{000000-00000-00000-0000-00000}\", \"Name\": \"Identity\"}, {\"Value\": \"ABC000000.example.com/Microsoft Exchange Hosted Organizations/example.com/Discovery Management\", \"Name\": \"User\"}, {\"Value\": \"FullAccess\", \"Name\": \"AccessRights\"}], \"OrganizationId\": \"012-345-6789\", \"Operation\": \"Get-Something\", \"SessionId\": \"\", \"Workload\": \"Exchange\", \"CreationTime\": \"2018-10-12T22:08:13\", \"UserKey\": \"000011122233334445555\", \"ExternalAccess\": false, \"Version\": 1, \"Id\": \"00000000-0000-0000-0000-0000000003\", \"ObjectId\": \"targetusername\", \"ClientIP\": \"192.168.0.1:12345\", \"UserId\": \"admin@example.com\", \"RecordType\": 1, \"ResultStatus\": \"True\", \"UserType\": 2, \"OriginatingServer\": \"ABCD00000 (00.00.0000.000)\"} "]
The thing that is different in this event is that the "Name":"DomainController" has a "Value":"" (blank). This causes your search to produce AccessRights="" (blank) and User="FullAccess" (which , should be the value of AccessRights).
... View more
10-12-2018
04:51 PM
I'm having trouble extracting key/value pairs from a set of data. I think there are two separate problems that are making this difficult.
The key/value data has redundant descriptors. For example rather than {"foo":"bar"} , the data looks like {"Name":"foo","Value":"bar"} .
The data is sometimes coming in with the value before the key, e.g. {"Value":"bar","Name":"foo"}
Each event also has several of these pairs (I'll include some examples below). I'm looking for a way to consistently extract from this data such that I get a new field (e.g. foo ) with the corresponding value (e.g. bar ) for each key/value pair in each event.
_raw examples (data has been anonymized, but I haven't changed the structure):
Key/Value:
{"OrganizationName": "example.com", "Parameters": [{"Name": "Identity", "Value": "user@example.com"}, {"Name": "AccessRights", "Value": "ReadPermission"}, {"Name": "User", "Value": "Example-Username"}], "OrganizationId": "012-345-6789", "Operation": "Get-Something", "SessionId": "", "Workload": "Exchange", "CreationTime": "2018-10-12T22:08:13", "UserKey": "000011122233334445555", "ExternalAccess": false, "Version": 1, "Id": "00000000-0000-0000-0000-0000000000", "ObjectId": "targetusername", "ClientIP": "192.168.0.1:12345", "UserId": "admin@example.com", "RecordType": 1, "ResultStatus": "True", "UserType": 2, "OriginatingServer": "ABCD00000 (00.00.0000.000)"}
Value/Key:
{"OrganizationName": "example.com", "Parameters": [{"Value": "user@example.com", "Name": "Identity"}, {"Value": "Example-Username", "Name": "User"}, {"Value": "FullAccess", "Name": "AccessRights"}, {"Value": "All", "Name": "InheritanceType"}], "OrganizationId": "012-345-6789", "Operation": "Get-Something", "SessionId": "", "Workload": "Exchange", "CreationTime": "2018-10-12T22:08:13", "UserKey": "000011122233334445555", "ExternalAccess": false, "Version": 1, "Id": "00000000-0000-0000-0000-0000000000", "ObjectId": "targetusername", "ClientIP": "192.168.0.1:12345", "UserId": "admin@example.com", "RecordType": 1, "ResultStatus": "True", "UserType": 2, "OriginatingServer": "ABCD00000 (00.00.0000.000)"}
How can I consistently extract all of the key/value pairs within "Parameters": [] ?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-18-2023
08:28 PM
|
Karma given to
