Hello there, I try to use a custom authentication handler to set a header with a session-ID I get from another REST request. Heres my class in the authhandlers.py class AuthHeader(AuthBase): def __init__(self,**args): self.username = args['username'] self.password = args['password'] self.ip = args['ip'] def __call__(self, r): url = "https://" + self.ip + "/api/endeavour/session" session_json = requests.post(url, verify=False, auth=HTTPBasicAuth(self.username, self.password)) session_json.json()['sessionid'] headers = {'content-type':application/json, 'accept':application/json, 'x-endeavour-sessionid':session_json.json()['sessionid']} r.headers = headers return r And heres my config in the GUI: Somehow this doesnt work and I dont get any events. Can somone help me and find the mistake? Kind regards, mdorobek ... View more

Hello there, I try to import Azure NSG flow Events. To get the data into Splunk I use the Splunk Add-on for Microsoft Cloud (https://splunkbase.splunk.com/app/3110/). Heres a anonymized example of a delivered JSON Object. {"time":"2018-06-06T09:00:09.2874215Z","systemId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","category":"NetworkSecurityGroupFlowEvent","resourceId":"/SUBSCRIPTIONS/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/RESOURCEGROUPS/NETZWERK-NETZWERK-DUT-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/HUBTRUSTED-NETZWERK-DUT-NSG","operationName":"NetworkSecurityGroupFlowEvents","properties":{"Version":1,"flows":[{"rule":"UserRule_AllowAllInBound","flows":[{"mac":"000D3A2DEF83","flowTuples":["1528275561,123.123.123.123,234.234.234.234,40531,2252,T,I,A","1528275571,12.12.12.12,23.23.23.23,39052,2095,T,I,A"]}]}]}}, For more information about the Azure NSG Logs: https://docs.microsoft.com/en-GB/azure/network-watcher/network-watcher-nsg-flow-logging-overview Heres the props.conf I wrote: [mscs:nsg:flow] DATETIME_CONFIG = KV_MODE = json LINE_BREAKER = }}(,) NO_BINARY_CHECK = true SEDCMD-remove_header = s/{\"records\":\[//g TIME_PREFIX = time\":\" TRUNCATE = 0 category = Network & Security disabled = false pulldown_type = true SEDCMD-add_closing_bracket = s/\s$/ }//g SEDCMD-correctly-close = s/]}(?!\S)//g SHOULD_LINEMERGE = true REPORT-tuples = extract_tuple SEDCMD-correctly-begin = s/^"time"/{"time"/g As you can see in the following image this works very well for me. (This is another log then the raw log) To extract the fields I wrote the following transforms.conf: [extract_tuple] REGEX = (?<timestamp>[0-9]{10}),(?<src_ip>[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}),(?<dest_ip>[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}),(?<src_port>[0-9]{1,5}),(?<dest_port>[0-9]{1,5}),(?<protocol>(T|U)),(?<traffic_flow>(I|O)),(?<traffic>(A|D)) MV_ADD = true Heres a example for two extracted fields with this configurration: And heres the problem I need some help. As far as I can see the fields get extracted correctly as multi value fields. But if I try to filter for a value like "dest_ip=234.234.234.234" I will get the four destination IP's "23.23.23.23", too. I guess Splunk shows every event with the minimum of one match. (and all other values of the event, too) Another issue I have got is that searches over 3 or 4 multivalue fields need a lot of time or cant even executed. Is there a better way to extract the fields? Best regards, mdorobek ... View more