Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mayurr98
mayurr98
Super Champion
Member since:
05-26-2016
05-04-2023
Community Statistics
| Posts | 1419 |
| Solutions | 272 |
| Karma Given | 43 |
| Karma Received | 409 |
| Member Since | 05-26-2016 |
Activity Feed
- Got Karma for Re: How to overwrite the host field value with dvc field value ?. 10-04-2023 06:52 AM
- Got Karma for Re: what actually dnslookup doing in my query? and what is it?. 09-26-2023 06:18 AM
- Got Karma for Re: Easiest way to exclude ingestion of events for a specific IP address from a SourceType. 09-21-2023 04:52 PM
- Got Karma for Re: Easiest way to exclude ingestion of events for a specific IP address from a SourceType. 09-21-2023 04:52 PM
- Got Karma for Re: Easiest way to exclude ingestion of events for a specific IP address from a SourceType. 09-21-2023 04:51 PM
- Got Karma for Re: JSON format - Duplicate value in field. 07-06-2023 06:17 AM
- Got Karma for Re: How to extract the value before a specific character using regex or rex?. 06-29-2023 07:36 AM
- Got Karma for Re: How to convert seconds to [h]:mm:ss?. 06-02-2023 05:32 AM
- Got Karma for Re: Case insensitive search in rex. 05-26-2023 08:52 PM
- Posted How to avoid comma separated delimiter being escaped by backslash in an event? on Knowledge Management. 05-04-2023 08:01 AM
- Got Karma for Re: stats vs eventstats. 05-02-2023 07:05 AM
- Got Karma for Re: Dashboard to query optional fields. 04-04-2023 12:15 AM
- Got Karma for Re: Alert if data not received to an index for 1 hour. 03-24-2023 07:55 AM
- Got Karma for Re: stats vs eventstats. 01-10-2023 08:13 AM
- Got Karma for Re: Summary index limits events to 50000. 11-08-2022 03:19 AM
- Got Karma for Re: Setting phoneHomeIntervalInSecs. 11-07-2022 08:37 AM
- Got Karma for Re: Where do I start with troubleshooting Parsing Queue issues on a UF?. 10-31-2022 02:10 AM
- Got Karma for Re: Fields Extraction from raw events with regex. 10-28-2022 01:11 PM
- Got Karma for Re: stats vs eventstats. 10-18-2022 03:02 AM
- Got Karma for Re: Using Timewrap to compare yesterday to today per hour. 09-15-2022 08:20 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 6 |
05-04-2023
08:01 AM
Hello Splunkers,
I have an event like this:
blocked,Adware,ABCD,test.exe,\\program_files\c\Drivers\,,,Generic PUA JB,,Endpoint Protection
I am extracting fields using comma separator delimiter, so my props.conf and transform.conf is:
transforms.conf
[cs_srctype]
CLEAN_KEYS = 0
DELIMS = ,
FIELDS = action,category,dest,file_name,file_path,severity,severity_id,signature,signature_id,vendor_product
props.conf
[cs_srctype]
KV_MODE = none
REPORT-cs_srctype = cs_srctype
Now the output that I am getting is :
file_path = \\program_files\c\Drivers\,
severity=
severity_id= Generic PUA GB
signature=
signature_id= Endpoint Protection
vendor_product=
All the fields before file_path are getting extracted properly and after file_path are incorrect because it's adding comma and thus not separating properly. how do I ignore the \, and extract the fields properly.
Thank you in advance
... View more
Labels
- Labels:
-
field extraction
06-09-2022
12:22 PM
1 Karma
hello, what are you trying to achieve? Could you please give us input and expected output in tabular format. Isn't it should be | eval hours=if(day="Mon",hours+2,hours)
... View more
06-08-2022
11:47 AM
The SEDCMD script applies only to the _raw field at index time. With the regular expression transform, you can apply changes to other fields https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*16ogb9v*_ga*MTA1MzM4MzA5NS4xNjQ2NDE5MTg2*_gid*MTQyMDA2ODcwNS4xNjU0NzA0NTg4&_ga=2.135579313.1420068705.1654704588-1053383095.1646419186#Caveats_for_anonymizing_data you can try using evaluation functions as well | makeresults
| eval _raw="Process Create:true
Utc Time: 2022-04-28 22:08:22.025
Process Guid: {XYZ-bd56-5903-0000-0010e9d95e00}
Process Id: 6228
Image: chrome.exe
Command Line: test"
| rex field=_raw max_match=0 "(?<field>[a-zA-Z ]+):(?<value>.+)"
| mvexpand field
| eval field1=replace(field,"\s","_") see if you can use calculated fields if its not a multivalue field.
... View more
06-08-2022
10:37 AM
Hello, you can achieve this using SEDCMD Scripts https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Anonymizedata#Example_of_substitution_using_a_sed.2FSEDCMD_script Transforms.conf must be used for the extracted field, and SEDCMD for _raw. See here for details. way at the bottom. https://answers.splunk.com/answers/739964/need-sedcmd-help.html
... View more
04-12-2022
12:21 PM
Look at the splunk documentation whats new and fixed issues. https://docs.splunk.com/Documentation/Splunk/8.2.4/ReleaseNotes/MeetSplunk#What.27s_New_in_8.2.4 https://docs.splunk.com/Documentation/Splunk/8.2.6/ReleaseNotes/MeetSplunk#What.27s_New_in_8.2.6 Should not be a major difference.
... View more
04-12-2022
09:43 AM
you have to try something like this to make it work with lookups https://community.splunk.com/t5/Splunk-Search/Using-CIDR-in-a-lookup-table/m-p/35787 like/accept if it works for you!
... View more
04-11-2022
09:52 PM
1 Karma
Put below in props.conf props.conf
[ssc_cloakware]
REPORT-extractions = field_extractions
EXTRACT-server = Server\s*:\s*(?<Server>[^\,]+) This is search time field extraction so make sure you write this regex in SH. OR simply go to search head: Settings » Fields » Field Extractions » Add new Destination App: <Choose appropriate app>
Name: Server
Apply to: Sourcetype: <sourcetype_name>
Extraction/Transform: Server\s*:\s*(?<Server>[^\,]+) Please upvote/accept to close this question if it works for you.
... View more
04-08-2022
07:58 AM
Hi for the search to work you would have to write this : <your base search>
| extract kvdelim=":" pairdelim=","
| rex "Server\s*:\s*(?<Server>[^\,]+)" props.conf and transforms.conf is best to put on the heavy forwarder if you have one or the indexing layer. The regex that I provided is for transforms only and it works well for all the events that you have given. https://regex101.com/r/0rdToo/1 use below configuration on HF or Indexers. props.conf
[ssc_cloakware]
REPORT-extractions = field_extractions
transforms.conf
[field_extractions]
REGEX = \s([^\:]+)\:\s+([^\,]+)
FORMAT = $1::$2 Restart the instance after editing the configuration. I am gonna test this configuration on my lab instance. meanwhile you do the same.
... View more
04-08-2022
06:38 AM
could you please give me below details: 1) please share more sample raw events 2) share the props and transforms that you have wrote 3) where did you write the props and transforms? 4) have you restarted splunk instance after updating props and transforms ?
... View more
04-07-2022
01:35 PM
can you share your query with few examples?
... View more
04-07-2022
01:32 PM
Well thats what "type=left" will do, it will give you results from the main search as well as the matching results from the subsearch. The above example is not matching your computerName is different, for subsearch it's PC44 and for main search it's 4GV that's why you see date,src and uri field blank in the result. Look for the one's where computerName is matching and there you should see all the fields.
... View more
04-07-2022
01:28 PM
best to use "\s*" instead of "\s" if you are not sure if there will be a space is future events or not.
... View more
04-07-2022
01:18 PM
could you please share more sample events as I do not see any error in your search. I have tried in this run anywhere search | makeresults
| eval _raw="store license for Store 123456
2022-04-07 19:17:44,360 ERROR path not found"
| rex field=_raw "Store\s123456\n\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\,\d{3}\s(?P<errortext>.*)path"
| stats count by errortext From the regex I could see that you are searching for "Store 123456", please add that in the main search instead of in regex. index=* host="storelog*" "store license for Store 123456" Also is it a multiline event? that means is timestamp is on new line in raw logs or its just one line?
... View more
04-07-2022
12:48 PM
Not sure if this is what you are looking for below search will give you results from the main search as well as matching results from the subsearch: if you are just interested in matching results then change type=inner index="wineventlog" source="WinEventLog:Application"
| dedup ComputerName, ownerEmail, ownerFull, ownerName, ownerDept
| stats values(ownerEmail) as ownerEmail,values(ownerFull) as ownerFull, values(ownerName) ownerName, values(ownerDept) as ownerDept by ComputerName
| join type=left ComputerName
[ search index=traffic_log src="*" uri="*" site="friendly.org"
| eval date = date_month + "/" + date_mday + "/" + date_wday + "/" + date_year
| mvexpand date
| dedup src, uri
| lookup dnslookup clientip as src OUTPUT clienthost as ComputerName
| where like (ComputerName,"p%")
| dedup ComputerName
| stats values(src) as src, values(uri) as uri, values(date) as date by ComputerName]
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-04-2023
06:36 PM
|
Karma given to
