Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mdorobek
mdorobek
Path Finder
Member since:
03-13-2015
02-07-2024
Community Statistics
| Posts | 40 |
| Solutions | 4 |
| Karma Given | 16 |
| Karma Received | 12 |
| Member Since | 03-13-2015 |
Activity Feed
- Got Karma for Re: Specify Fields for Outputlookup or Outputcsv. 02-07-2024 08:55 AM
- Posted Re: Specify Fields for Outputlookup or Outputcsv on Splunk Search. 02-07-2024 12:37 AM
- Posted Re: Before Indexing Filter Based ON JSON format data match on Getting Data In. 06-28-2021 11:02 PM
- Posted Re: Before Indexing Filter Based ON JSON format data match on Getting Data In. 06-28-2021 02:32 AM
- Posted Re: Before Indexing Filter Based ON JSON format data match on Getting Data In. 06-28-2021 12:42 AM
- Got Karma for Re: Before Indexing Filter Based ON JSON format data match. 06-25-2021 04:40 AM
- Posted Re: Before Indexing Filter Based ON JSON format data match on Getting Data In. 06-25-2021 01:47 AM
- Posted Re: Before Indexing Filter Based ON JSON format data match on Getting Data In. 06-24-2021 08:07 AM
- Posted Re: Before Indexing Filter Based ON JSON format data match on Getting Data In. 06-24-2021 05:22 AM
- Posted Re: how can i change column values to field names on Splunk Search. 12-04-2020 02:19 AM
- Posted Re: how can i change column values to field names on Splunk Search. 12-03-2020 11:37 AM
- Got Karma for Re: how can i change column values to field names. 12-03-2020 07:29 AM
- Posted Re: how can i change column values to field names on Splunk Search. 12-03-2020 06:37 AM
- Got Karma for Re: Customize pdf output file. 12-03-2020 01:40 AM
- Posted Re: How can I measure the dashboard load time ? on Dashboards & Visualizations. 08-17-2020 12:03 AM
- Karma Splunk add-on for Microsoft Cloud Services - No handlers could be found for logger "msrestazure.azure_active_directory" for jldgomes. 06-05-2020 12:50 AM
- Karma Re: Can we set two different colors for single-value and trend line in XML? for niketn. 06-05-2020 12:49 AM
- Karma Re: Import Azure NSG LOGs for ejwade. 06-05-2020 12:49 AM
- Got Karma for Can we set two different colors for single-value and trend line in XML?. 06-05-2020 12:49 AM
- Got Karma for How do I import Azure NSG LOGs?. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 1 |
02-07-2024
12:37 AM
1 Karma
| appendpipe [ | fields x y z | outputlookup lookup ]
... View more
06-28-2021
11:02 PM
Hello kagamalai, I already gave you a link to check your regular expression: https://regex101.com/r/sjwTa8/1 Did you restart Splunk after the changes? If it doesn't work, which it should, there is another way. Just run several transforms in a row. Its exactly the same like before. This method is much less efficient because each event must be viewed four times. However, heres the example for the four events you want to keep. props.conf [aws:cloudtrail]
TRANSFORMS-filter_events = sendNull, keepWAFFlags, keepFirewallMatchesActionslog, keepFirewalMatchesActionloglog, keepFirewallMatchesSources transforms.conf [sendNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[keepWAFFlags]
REGEX = \"WAFFlags\":\"1\"
DEST_KEY = queue
FORMAT = indexQueue [keepFirewallMatchesActionslog] REGEX = \"FirewallMatchesActions\":\[\"log\"\] DEST_KEY = queue FORMAT = indexQueue [keepFirewalMatchesActionloglog] REGEX = \"FirewallMatchesActions\":\[\"log\",\"log\"\] DEST_KEY = queue FORMAT = indexQueue [keepFirewallMatchesSources] REGEX = \"FirewallMatchesSources\":\[\"firewallRules\",\"waf\"\] DEST_KEY = queue FORMAT = indexQueue
... View more
06-28-2021
12:42 AM
Hello kagamalai, you can write an regex with an or condition. Heres an example: (\"WAFFlags\":\"1\"|\"FirewallMatchesActions\":\[\"log\"\]|\"FirewallMatchesActions\":\[\"log\",\"log\"\]|\"FirewallMatchesSources\":\[\"firewallRules\",\"waf\"\]) https://regex101.com/r/sjwTa8/1 Kind regards , mdorobek
... View more
06-25-2021
01:47 AM
1 Karma
Hello kagamalai, this depends on the sourcetype youre useing. I dont know how familiar youre with config files in Splunk. It merges the settings from all copies of the file, using a location-based prioritization scheme. When different copies have conflicting attribute values (that is, when they set the same attribute to different values), it uses the value from the file with the highest priority. More information here: https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Wheretofindtheconfigurationfiles Its best practise for prebuild apps that they define the configs in /opt/splunk/etc/<appname>/default/<config> User specific changes should be located in /opt/splunk/etc/<appname>/local/<config> This has two advantages: 1. The configuration in the local folder has priority over the default one 2. If you update the app in future the local folder wont be changed Heres an example. If you use the aws:cloudtrail sourcetype of the aws app you can locate the props.conf under /opt/splunk/etc/apps/Splunk_TA_aws/local/props.conf with the following entry: [aws:cloudtrail]
TRANSFORMS-filter_events = sendNull, keepUnknown According to this the transforms.conf under /opt/splunk/etc/apps/Splunk_TA_aws/local/transforms.conf [sendNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[keepUnknown]
REGEX = WAFAction\":\"unknown\",\"WAFFlags\":\"0\"
DEST_KEY = queue
FORMAT = indexQueue Note that the REGEX has to match your specific condition. Further your transforms needs a individual name because otherwise it could be overwritten if you have also defined it in another place. Kind regards, mdorobek
... View more
06-24-2021
08:07 AM
Hello kagamalai, when data gets indexed it proceeds through a pipeline where event processing occours. This pipeline consists of several shorter pipelines that are strung together. You can see the pipeline on the picture. If you want further information you can read the following wiki entry: https://wiki.splunk.com/Community:HowIndexingWorks The event breaking and merging happens in the parsing and merging pipeline. Transforms commands are executed in the typing pipeline. This means that a transforms is executed on every event and not on every line and splunk keeps the whole event which matches the regex. Of course this assumes that the event breaking has been configured correctly. Does this clarify your question? kind regards, mdorobek
... View more
06-24-2021
05:22 AM
Hello kagamalai, you can send events based on a regex matching to a specific queue before indexing. To only index some events send all events to the nullqueue and define a regex to send just the ones you want to keep to the indexqueue. Since the transforms are executed from left to right "keepUnknown" overwrites the nullqueue with the indexqueue if the regex matches. Heres a example: props.conf [yourSourcetype]
TRANSFORMS-filter_events = sendNull, keepUnknown transforms.conf [sendNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[keepUnknown]
REGEX = WAFAction\":\"unknown\",\"WAFFlags\":\"0\"
DEST_KEY = queue
FORMAT = indexQueue If this helps you, you are welcome to accept the answer. Kind regards, mdorobek
... View more
12-04-2020
02:19 AM
Thats exactly what I meant with "However, this might need some further steps if you have multiple combinations of PR2/PR1 and App. " I updated the answer.
... View more
12-03-2020
11:37 AM
Hello, heres the solution after the update: ...
| eval _raw=ENV+"="+LABEL
| extract
| stats values(PR1) as PR1 values(PR2) as PR2 by APP However, this might need some further steps if you have multiple combinations of PR2/PR1 and App. If it doesnt solve your requirements a little more context would help to find the correct solution. Heres a possible solution, but you have to be aware, that this depends on the arrangement of your data and might not give correct results if you have another arrangement. | eval _raw=ENV+"="+LABEL
| extract
| stats values(PR1) as PR1 values(PR2) as PR2 by APP
| eval combined=mvzip(PR1,PR2,"|")
| fields - PR1, PR2
| mvexpand combined
| eval PR1=mvindex(split(combined,"|"),0)
| eval PR2=mvindex(split(combined,"|"),1)
| fields - combined regards, mdorobek
... View more
12-03-2020
06:37 AM
1 Karma
Hello, this might be a quick and dirty solution but it should work: | ... | stats values(LABEL) by ENV | transpose header_field=ENV | eval combine=mvzip(PR1,PR2,"|") | fields combine | mvexpand combine | eval PR1=mvindex(split(combine,"|"), 0) | eval PR2=mvindex(split(combine,"|"), 1) | fields - combine regards, mdorobek
... View more
08-17-2020
12:03 AM
Hello @Learner, at first you need to setup the monitoring console: https://docs.splunk.com/Documentation/Splunk/8.0.5/DMC/DMCoverview If you have a distributed environment heres a guide: https://docs.splunk.com/Documentation/Splunk/8.0.5/DMC/Configureindistributedmode The monitoring console is a Splunk Enterprise monitoring tool. It lets you view detailed topology and performance information about your Splunk Enterprise deployment. The search is taken from the monitoring console. You can find the search performance dashboards at "Search->Activity". The macro is defined in the context of the monitoring console. I hope this helps you.
... View more
07-17-2019
01:39 AM
I just found a solution.
Nevertheless thank you, I received the key by a colleague and didn't know there is a community. I will try it in future if I have another question.
... View more
07-17-2019
01:36 AM
Turns out it was a missing import. I had to import requests.
... View more
07-12-2019
04:19 AM
Hello there,
I try to use a custom authentication handler to set a header with a session-ID I get from another REST request.
Heres my class in the authhandlers.py
class AuthHeader(AuthBase):
def __init__(self,**args):
self.username = args['username']
self.password = args['password']
self.ip = args['ip']
def __call__(self, r):
url = "https://" + self.ip + "/api/endeavour/session"
session_json = requests.post(url, verify=False, auth=HTTPBasicAuth(self.username, self.password))
session_json.json()['sessionid']
headers = {'content-type':application/json, 'accept':application/json, 'x-endeavour-sessionid':session_json.json()['sessionid']}
r.headers = headers
return r
And heres my config in the GUI:
Somehow this doesnt work and I dont get any events. Can somone help me and find the mistake?
Kind regards,
mdorobek
... View more
06-26-2019
05:02 AM
What are you trying to achieve? Do you extract a multivalue field and want to expand it on indextime?
Can you name an example?
... View more
01-17-2019
02:17 AM
I also thought about this approach. The issues I have with this is that I loose the ressourceID and SystemID, don't I?
Is it possible to share youre complete props.conf? Then I can try your solution.
As far as I'm concered im fine with useing the mvexpand on the multi value field I use in my search, but I have nothing agianst better solutions.
... View more
07-19-2018
07:35 AM
Hello there,
I have the issue that there are more events in one JSON-Object. Heres an example:
{
category: NetworkSecurityGroupFlowEvent
operationName: NetworkSecurityGroupFlowEvents
properties: {
Version: 1
flows: [
{
flows: [
{
flowTuples: [
1531920192,11.11.111.111,12.12.122.122,1608,703,U,O,A
1531920222,11.11.111.111,12.12.122.122,14172,703,T,O,A
]
mac: 000A1A111111
}
]
rule: UserRule_AllowSelfOutBound
}
{
flows: [
{
flowTuples: [
1531920192,11.11.111.112,12.12.122.123,14886,703,U,I,A
1531920222,11.11.111.112,12.12.122.123,11717,703,U,I,A
]
mac: 000A1A111111
}
]
rule: UserRule_AllowSelfInBound
}
]
}
resourceId: /SUBSCRIPTIONS/aa11a111-11a1-1111-11a1-aa1111a11aaa /RESOURCEGROUPS/NETZWERK-NETZWERK-PROD-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/HUBNVAHA-NETZWERK-PROD-NSG
systemId: aa11a111-11a1-1111-11a1-aa1111a11aaa
time: 2018-07-18T13:24:10.3603243Z
}
There are more then one flowTuple in one JSON Object which causes Problems at filtering IP's. Is it possible to modify the events at indexing time to have one event for every tuple like the following example?
{
category: NetworkSecurityGroupFlowEvent
operationName: NetworkSecurityGroupFlowEvents
properties: {
Version: 1
flows: [
{
flows: [
{
flowTuples: [
1531920192,11.11.111.111,12.12.122.122,1608,703,U,O,A
]
mac: 000A1A111111
}
]
rule: UserRule_AllowSelfOutBound
}
resourceId: /SUBSCRIPTIONS/aa11a111-11a1-1111-11a1-aa1111a11aaa /RESOURCEGROUPS/NETZWERK-NETZWERK-PROD-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/HUBNVAHA-NETZWERK-PROD-NSG
systemId: aa11a111-11a1-1111-11a1-aa1111a11aaa
time: 2018-07-18T13:24:10.3603243Z
}
{
category: NetworkSecurityGroupFlowEvent
operationName: NetworkSecurityGroupFlowEvents
properties: {
Version: 1
flows: [
{
flows: [
{
flowTuples: [
1531920222,11.11.111.111,12.12.122.122,14172,703,T,O,A
]
mac: 000A1A111111
}
]
rule: UserRule_AllowSelfOutBound
}
resourceId: /SUBSCRIPTIONS/aa11a111-11a1-1111-11a1-aa1111a11aaa /RESOURCEGROUPS/NETZWERK-NETZWERK-PROD-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/HUBNVAHA-NETZWERK-PROD-NSG
systemId: aa11a111-11a1-1111-11a1-aa1111a11aaa
time: 2018-07-18T13:24:10.3603243Z
}
and so on..
I did ask a similar question on splunk answers which provides more information. Since noone could give me an answer I try to ask the question differently.
Kind regards
mdorobek
... View more
06-20-2018
01:22 AM
Even with using TERM() I still have the exact same issue as before. I don't think this is the right answer.
Do you need any further information?
... View more
06-19-2018
01:03 AM
1 Karma
Hello there,
I try to import Azure NSG flow Events. To get the data into Splunk I use the Splunk Add-on for Microsoft Cloud (https://splunkbase.splunk.com/app/3110/). Heres a anonymized example of a delivered JSON Object.
{"time":"2018-06-06T09:00:09.2874215Z","systemId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","category":"NetworkSecurityGroupFlowEvent","resourceId":"/SUBSCRIPTIONS/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/RESOURCEGROUPS/NETZWERK-NETZWERK-DUT-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/HUBTRUSTED-NETZWERK-DUT-NSG","operationName":"NetworkSecurityGroupFlowEvents","properties":{"Version":1,"flows":[{"rule":"UserRule_AllowAllInBound","flows":[{"mac":"000D3A2DEF83","flowTuples":["1528275561,123.123.123.123,234.234.234.234,40531,2252,T,I,A","1528275571,12.12.12.12,23.23.23.23,39052,2095,T,I,A"]}]}]}},
For more information about the Azure NSG Logs: https://docs.microsoft.com/en-GB/azure/network-watcher/network-watcher-nsg-flow-logging-overview
Heres the props.conf I wrote:
[mscs:nsg:flow]
DATETIME_CONFIG =
KV_MODE = json
LINE_BREAKER = }}(,)
NO_BINARY_CHECK = true
SEDCMD-remove_header = s/{\"records\":\[//g
TIME_PREFIX = time\":\"
TRUNCATE = 0
category = Network & Security
disabled = false
pulldown_type = true
SEDCMD-add_closing_bracket = s/\s$/ }//g
SEDCMD-correctly-close = s/]}(?!\S)//g
SHOULD_LINEMERGE = true
REPORT-tuples = extract_tuple
SEDCMD-correctly-begin = s/^"time"/{"time"/g
As you can see in the following image this works very well for me. (This is another log then the raw log)
To extract the fields I wrote the following transforms.conf:
[extract_tuple]
REGEX = (?<timestamp>[0-9]{10}),(?<src_ip>[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}),(?<dest_ip>[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}),(?<src_port>[0-9]{1,5}),(?<dest_port>[0-9]{1,5}),(?<protocol>(T|U)),(?<traffic_flow>(I|O)),(?<traffic>(A|D))
MV_ADD = true
Heres a example for two extracted fields with this configurration:
And heres the problem I need some help. As far as I can see the fields get extracted correctly as multi value fields. But if I try to filter for a value like "dest_ip=234.234.234.234" I will get the four destination IP's "23.23.23.23", too. I guess Splunk shows every event with the minimum of one match. (and all other values of the event, too)
Another issue I have got is that searches over 3 or 4 multivalue fields need a lot of time or cant even executed.
Is there a better way to extract the fields?
Best regards, mdorobek
... View more
Labels
- Labels:
-
other
03-16-2018
05:49 AM
Heres an example by using the coropleth map, I hope this helps:
index=foo
| eventstats count as total
| iplocation src_ip
| stats count by Country, total
| eval percentage=round((count/total)*100, 2)
| fields Country, percentage
| eval percentage=case(percentage<10,"<10%",percentage<20,"10-20%", percentage<30,"20-30%", percentage<40,"30-40%", percentage<50,"40-50%", percentage<60,"50-60%", percentage<70,"60-70%", percentage<80,"70-80%", percentage<80,"80-90%", percentage<100,"90-100%")
| geom geo_countries featureIdField=Country
... View more
10-23-2017
10:35 PM
@niketnilay Theres no need to say sorry, I am more than pleased with youre answer. Atleast i can screenshot the panels and use them in some presentations 🙂
... View more
10-23-2017
03:35 AM
@niketnilay the answer works perfectly. Sadly it doesn't work for scheduled pdf delivery.
... View more
10-18-2017
10:02 PM
Hello DalJeanis,
I have read the documentation and I am aware that colorby is a binary option. Yet I have the hope that someone knows an existing workaround.
If there is no other answer in a few days, I'll accept the answer and close the question.
... View more
10-18-2017
12:56 AM
I did add a picture. I hope this helps.
... View more
10-17-2017
01:57 AM
1 Karma
A single value in Splunk has the following simple xml code:
<single>
<search>
<query></query>
<earliest></earliest>
<latest></latest>
</search>
<option name="colorBy">trend</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="height">150</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
<option name="rangeValues">[0,30,70,100]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trendColorInterpretation">inverse</option>
<option name="trendDisplayMode">absolute</option>
<option name="trendInterval">-1mon</option>
<option name="underLabel"></option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
The option "colorBy" allows the values "trend" and "value".
The left image is an example for the color by value, the right one for a panel with the color by trend:
I would like to have both options enabled in my panel. Is there a possibility in simple xml to set the color of the single value and the trend seperated in one panel?
Thanks!
... View more
