Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About att35
att35
Builder
Member since:
08-30-2013
Saturday
Community Statistics
| Posts | 179 |
| Solutions | 8 |
| Karma Given | 29 |
| Karma Received | 24 |
| Member Since | 08-30-2013 |
Activity Feed
- Posted Re: Why is regex working in search but not when used from props/transforms? on Splunk Search. Saturday
- Posted Re: regex working in search but not when used from props/transforms on Splunk Search. Saturday
- Posted Re: regex working in search but not when used from props/transforms on Splunk Search. Saturday
- Posted Re: regex working in search but not when used from props/transforms on Splunk Search. Friday
- Posted Re: regex working in search but not when used from props/transforms on Splunk Search. Friday
- Posted Why is regex working in search but not when used from props/transforms? on Splunk Search. Friday
- Posted Is file_hash field mapping missing for Splunk Add-on for Sysmon? on All Apps and Add-ons. 3 weeks ago
- Got Karma for Re: Splunk web stuck at Loading page... 10-12-2022 11:47 AM
- Got Karma for Re: Splunk web stuck at Loading page... 10-03-2022 11:15 AM
- Posted Linux Auditd - Version mismatch between Github and Splunkbase on All Apps and Add-ons. 09-06-2022 05:55 AM
- Posted How to find first connect time/version of a universal Forwarder? on Monitoring Splunk. 12-06-2021 05:33 AM
- Posted Why does tstats works different for root event datasets within the same data model on Splunk Search. 09-09-2021 05:05 AM
- Posted tstats unable to get any results when specifying dataset in FROM clause on Splunk Search. 08-29-2021 10:10 AM
- Posted Re: How can we use predict command with tstats? on Splunk Search. 08-18-2021 05:30 AM
- Posted Re: How can we use predict command with tstats? on Splunk Search. 08-17-2021 07:09 PM
- Posted How can we use predict command with tstats? on Splunk Search. 08-17-2021 12:25 PM
- Posted ES Threat Intel unable to capture hash values from csv upload on Splunk Enterprise Security. 07-30-2021 07:21 AM
- Posted Re: How to extract values for specific token from pipe delimited log on Getting Data In. 07-21-2021 06:02 AM
- Karma Re: How to extract values for specific token from pipe delimited log for venkatasri. 07-21-2021 06:02 AM
- Posted How to extract values for specific token from pipe delimited log on Getting Data In. 07-20-2021 05:32 AM
Saturday
Yes. That solution worked perfectly. It stopped at the newline and extracted only the characters before that.
... View more
Saturday
It did start the match for message but did not stop at the newline. It continues all the way till end of the event.
... View more
Friday
What I am trying to extract is the highlighted part. If I change that regex to (?m).*message=(?<Msg>.+) it works, but when used in props behavior is still the same. So basically, I only want to extract the message string before the Java stack trace starts.
... View more
Friday
Thanks @gcusello I tried this with EXTRACT. Renaming the extracted field for comparison. When I used it with quotes, nothing gets extracted. No Msg field EXTRACT-fullmessage = "(?ms).*message=(?<Msg>.+)" And when I try without the quotes, extraction works but it does the same thing as before. Entire event from message onwards gets included. EXTRACT-fullmessage = (?ms).*message=(?<Msg>.+)
... View more
Friday
We have some logs coming in the following format.
ERROR | 2023-03-16 01:27:14 EDT | field1=field1_value | field2=field2_value | field3=field3_value | field4=field4_value | field5=field5_value | field6=field6_value | field7={} | message=Message String with spaces.
java.stacktrace.Exception: Exception Details.
at ...
at ...
at ...
at ...
Splunk's default extraction works well in getting all key=value pairs, except for the field "message" where only first word before the space is extracted and drops the rest.
To get around this, I used the following inline regex.
| rex field=_raw "message=(?<message>.+)"
This works well in search and extracts the entire message string right until the newline. But when I used the same regex in the configuration file, it seems to be ignoring the newline and continues to match everything else all the way until end of the event. Have tried using EXTRACT as well as REPORT(using transforms.conf) but same result.
Do props.conf/transforms.conf interpret regex differently?
To summarize,
default Splunk extraction,
message = Message
with inline rex
message = Message String with spaces.
with regex in props/transforms,
message = Message String with spaces.
java.stacktrace.Exception: Exception Details.
at ...
at ...
at ...
at ...
Any suggestions on how to use this regex from configuration?
Thank you,
... View more
Labels
- Labels:
-
field extraction
-
regex
-
rex
3 weeks ago
While reviewing Sysmon events within Endpoint Datamodel, noticed that file_hash information is not available within Filesystem dataset and the field just reads "unknown". It looks like in the latest Sysmon TA (https://splunkbase.splunk.com/app/5709), alias for file_hash is missing, which is the field required by Endpoint datamodel. Mapping this with one of the extract hash fields(SHA1, SHA256 etc) should be relatively straightforward but wanted to check with the community first in case I am missing something obvious here. Thank you, ~ Abhi
... View more
Labels
- Labels:
-
configuration
09-06-2022
05:55 AM
Hi, I was looking at the latest version for Linux Auditd App & Add-on. Both are listed as 3.1.2 at the source https://github.com/doksu/splunk_auditd but only Add-on shows latest version on Splunkbase. App is still at 3.1.0. https://splunkbase.splunk.com/app/4232 - Add-on - Version 3.1.2 https://splunkbase.splunk.com/app/2642 - App - Version 3.1.0 Should I be downloading App directly from Github? Thanks
... View more
Labels
- Labels:
-
installation
12-06-2021
05:33 AM
Hi, I am looking for a way to track when a new Splunk Forwarder connects along with the version. Was hoping to find some relevant field on Deployment Server (/services/deployment/server/clients) but I could only see lastPhoneHomeTime, nothing for when it first connected to the system. Is it possible to get this information, either from Deployment Server or Forwarder's internal logs? Thanks, ~ Abhi
... View more
Labels
- Labels:
-
forwarder management
09-09-2021
05:05 AM
Hi. I have a data model that consists of two root event datasets. Both accelerated using simple SPL. First dataset I can access using the following | tstats summariesonly=t count FROM datamodel=model_name
where nodename=dataset_1 by dataset_1.FieldName But for the 2nd root event dataset, same format doesn't work. For that, I get events only by referencing the dataset along with the datamodel. | tstats summariesonly=t count FROM datamodel=model_name.dataset_2
by dataset_2.FieldName e.g., the following will not work. | tstats summariesonly=t count FROM datamodel=model_name
where nodename=dataset_2 by dataset_2.FieldName I am trying to understand what causes splunk search to work differently on these datasets when both are at the same level? Thanks, ~ Abhi
... View more
Labels
- Labels:
-
tstats
08-29-2021
10:10 AM
Hi, We are in the process of migrating all Apps/Config's from an older standalone instance(7.2.4.2) to a newer SHC(8.1.1). A datamodel was also migrated along with the App and appears to be working fine in terms of acceleration statistics. But when I try to access using tstats, format that worked previously returns nothing. | tstats summariesonly=t count FROM datamodel="modelname.dataset" by dataset.field But if I do not mention dataset in the FROM cause, it works just fine. | tstats summariesonly=t count FROM datamodel="modelname" by dataset.field Could I have missed something during the migration? What could be causing the previous command to not work.
... View more
Labels
- Labels:
-
tstats
08-18-2021
05:30 AM
@ITWhisperer Same result. command="predict", Unknown field: count With timechart everything works fine, it plots using dataset.field or even with "field" after rename. But predict doesn't seem to be taking any option as input. Only way predict works here is if I use direct value of the field. | predict value
... View more
08-17-2021
07:09 PM
Hi @richgalloway , Tried that but now it just gives same error message for field. command="predict", Unknown field: field
... View more
08-17-2021
12:25 PM
Hi, I have the following search that works against a datamodel to plot a timechart. How can I use predict command with this output? | tstats summariesonly=true count FROM datamodel="modelname.dataset" where dataset.field="xyz" by dataset.field, _time span=1h prestats=t | timechart span=1h count by dataset.field usenull=f useother=f If I try to do following, | predict dataset.field search failed with this error. command="predict", Unknown field: dataset.field What is the correct way to do this? UPDATE: Turns out, | predict "xyz" works, but this would mean it is working just for that one value of the field. Thanks
... View more
07-30-2021
07:21 AM
Hi, I am trying to upload a custom CSV for Threat Intel within ES. It's a collection of multiples types of IOC's, (domain, url, hash etc) and is in the following column format. There are 343 Hash values, 20 domains and 8 URL's. Upload goes without any issues and ES collects domains and URL's right away. But Hash values seem to be ignored. Here are the file details under Threat Artifacts. When I check Threat Intel Audit, it seems to be writing to File Intel as well but hash count never gets populated in ES. What could be going wrong here? Splunk version: 8.1.1 ES Version: 6.4.0 Thanks, ~ Abhi
... View more
Labels
07-21-2021
06:02 AM
@venkatasri Thank you. Regex was able to extract both parts but I noticed that since there were several - characters within signature_1, it was splitting the string way before the actual - that separates the two. Since both strings are also separated by white spaces, I was able to get around that using following: "^\w+\s+\|\s+\d+-\d+-\d+\s+\d+:\d+:\d+\s+\w+\s+\|\s+\w+\s+=\s+.+?\|\s+\w+\s+=\s+.+?\|(?<signature_1>.+?)\s\-\s(?<signature_2>.+?)\|"
... View more
07-20-2021
05:32 AM
Hi, I have some application logs in the following format: ERROR | 2021-07-20 06:55:54 EDT | Field1 = Value1 | Field2 = Value2 | Long Error String - Another long error string | Field3 = Value3 | ... | ... Most of the tokens are in Field=Value format and Splunk is able to extract them just fine except the portion where there is no Field listed. Just two different error strings separated by a " - ". (These strings may contain other special characters as part of the error) Is there a way I can extract both of them separately, e.g. signature_1, signature_2 without disturbing rest of the extractions? I would prefer doing this with props/transforms. I was thinking of using "DELIMS" option but not sure how to target just that particular part of the log.
... View more
Labels
05-05-2021
07:43 AM
Hi all, We have few Custom CSV lookups that have been added to ES for Threat Intel. For the existing data, we can lookup the artifacts and confirm that those are present in ES but when adding new data to those lookups and reducing the "interval" option in Threat Intel Management, they still do not get added to ES. Current setting for the data sources is 43200 seconds (12 hrs) but even after reducing it to few minutes the new entries never make it to ES. In Threat Intel Audit I do see the intel download time change but that doesn't seem to be making any difference. Is there a way to manually force ES to re-read and add updated entries from the lookup? Thanks, ~ Abhi
... View more
- Tags:
- csv
- es
- threatintel
Labels
- Labels:
-
using Enterprise Security
02-08-2021
10:06 AM
Hi, I am testing this Add-on to retrieve data from REST API. Connection is good and it pulls the data but every event gets truncated around the same line. Also the response doesn't seem end properly(a complete page where next can be requested). It seems as if a limit has been reached. I changed the Add-on logging level to DEBUG but do not see any error messages. Is there anything else I can check? Splunk Version - 7.2.4.2 Add-on Version - 1.9.8 Thanks, ~ Abhi
... View more
Labels
- Labels:
-
troubleshooting
01-19-2021
07:02 PM
Hi, We have a use-case where responses(host_addr) returned from DNS queries are passed through AbuseIPDB API to check for any potential matches. Since the API has a set limit we dont want to query an IP more than once. To achieve this, stats is used to get distinct values and then it is passed through the API. It works well but due to the use of "stats", we lose all the other crucial fields from the original data, e.g. src_ip, query etc. Here's a sample query: <Base Search> | stats count by host_addr | table host_addr | abuseip ipfield=host_addr | sort - AbuseConfidence Could eventstats come to the rescue here? If so, what could be a potential syntax of that search? From the other examples I saw, eventstats sees to be more useful when performing a actual stats function like sum etc. End goal is to create something like | table src_ip, query, host_addr, LastReportedAt, AbuseConfidence but also keeping API limits in check(Using only unique values of host_addr). Any pointers on this will be appreciated. Thanks, ~ Abhi
... View more
- Tags:
- eventstats
- stats
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Saturday
|
