About mdorobek

mdorobek · ‎02-07-2024

| appendpipe [ | fields x y z | outputlookup lookup ]

mdorobek · ‎06-28-2021

Hello kagamalai, I already gave you a link to check your regular expression: https://regex101.com/r/sjwTa8/1 Did you restart Splunk after the changes? If it doesn't work, which it should, there is another way. Just run several transforms in a row. Its exactly the same like before. This method is much less efficient because each event must be viewed four times. However, heres the example for the four events you want to keep. props.conf [aws:cloudtrail] TRANSFORMS-filter_events = sendNull, keepWAFFlags, keepFirewallMatchesActionslog, keepFirewalMatchesActionloglog, keepFirewallMatchesSources transforms.conf [sendNull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [keepWAFFlags] REGEX = \"WAFFlags\":\"1\" DEST_KEY = queue FORMAT = indexQueue [keepFirewallMatchesActionslog] REGEX = \"FirewallMatchesActions\":\[\"log\"\] DEST_KEY = queue FORMAT = indexQueue [keepFirewalMatchesActionloglog] REGEX = \"FirewallMatchesActions\":\[\"log\",\"log\"\] DEST_KEY = queue FORMAT = indexQueue [keepFirewallMatchesSources] REGEX = \"FirewallMatchesSources\":\[\"firewallRules\",\"waf\"\] DEST_KEY = queue FORMAT = indexQueue

mdorobek · ‎06-28-2021

Yes

mdorobek · ‎06-28-2021

Hello kagamalai, you can write an regex with an or condition. Heres an example: (\"WAFFlags\":\"1\"|\"FirewallMatchesActions\":\[\"log\"\]|\"FirewallMatchesActions\":\[\"log\",\"log\"\]|\"FirewallMatchesSources\":\[\"firewallRules\",\"waf\"\]) https://regex101.com/r/sjwTa8/1 Kind regards , mdorobek

mdorobek · ‎06-25-2021

Hello kagamalai, this depends on the sourcetype youre useing. I dont know how familiar youre with config files in Splunk. It merges the settings from all copies of the file, using a location-based prioritization scheme. When different copies have conflicting attribute values (that is, when they set the same attribute to different values), it uses the value from the file with the highest priority. More information here: https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Wheretofindtheconfigurationfiles Its best practise for prebuild apps that they define the configs in /opt/splunk/etc/<appname>/default/<config> User specific changes should be located in /opt/splunk/etc/<appname>/local/<config> This has two advantages: 1. The configuration in the local folder has priority over the default one 2. If you update the app in future the local folder wont be changed Heres an example. If you use the aws:cloudtrail sourcetype of the aws app you can locate the props.conf under /opt/splunk/etc/apps/Splunk_TA_aws/local/props.conf with the following entry: [aws:cloudtrail] TRANSFORMS-filter_events = sendNull, keepUnknown According to this the transforms.conf under /opt/splunk/etc/apps/Splunk_TA_aws/local/transforms.conf [sendNull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [keepUnknown] REGEX = WAFAction\":\"unknown\",\"WAFFlags\":\"0\" DEST_KEY = queue FORMAT = indexQueue Note that the REGEX has to match your specific condition. Further your transforms needs a individual name because otherwise it could be overwritten if you have also defined it in another place. Kind regards, mdorobek

mdorobek · ‎06-24-2021

Hello kagamalai, when data gets indexed it proceeds through a pipeline where event processing occours. This pipeline consists of several shorter pipelines that are strung together. You can see the pipeline on the picture. If you want further information you can read the following wiki entry: https://wiki.splunk.com/Community:HowIndexingWorks The event breaking and merging happens in the parsing and merging pipeline. Transforms commands are executed in the typing pipeline. This means that a transforms is executed on every event and not on every line and splunk keeps the whole event which matches the regex. Of course this assumes that the event breaking has been configured correctly. Does this clarify your question? kind regards, mdorobek

mdorobek · ‎06-24-2021

Hello kagamalai, you can send events based on a regex matching to a specific queue before indexing. To only index some events send all events to the nullqueue and define a regex to send just the ones you want to keep to the indexqueue. Since the transforms are executed from left to right "keepUnknown" overwrites the nullqueue with the indexqueue if the regex matches. Heres a example: props.conf [yourSourcetype] TRANSFORMS-filter_events = sendNull, keepUnknown transforms.conf [sendNull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [keepUnknown] REGEX = WAFAction\":\"unknown\",\"WAFFlags\":\"0\" DEST_KEY = queue FORMAT = indexQueue If this helps you, you are welcome to accept the answer. Kind regards, mdorobek

mdorobek · ‎12-04-2020

Thats exactly what I meant with "However, this might need some further steps if you have multiple combinations of PR2/PR1 and App. " I updated the answer.

mdorobek · ‎12-03-2020

Hello, heres the solution after the update: ... | eval _raw=ENV+"="+LABEL | extract | stats values(PR1) as PR1 values(PR2) as PR2 by APP However, this might need some further steps if you have multiple combinations of PR2/PR1 and App. If it doesnt solve your requirements a little more context would help to find the correct solution. Heres a possible solution, but you have to be aware, that this depends on the arrangement of your data and might not give correct results if you have another arrangement. | eval _raw=ENV+"="+LABEL | extract | stats values(PR1) as PR1 values(PR2) as PR2 by APP | eval combined=mvzip(PR1,PR2,"|") | fields - PR1, PR2 | mvexpand combined | eval PR1=mvindex(split(combined,"|"),0) | eval PR2=mvindex(split(combined,"|"),1) | fields - combined regards, mdorobek

mdorobek · ‎12-03-2020

mdorobek · ‎08-17-2020

Hello @Learner, at first you need to setup the monitoring console: https://docs.splunk.com/Documentation/Splunk/8.0.5/DMC/DMCoverview If you have a distributed environment heres a guide: https://docs.splunk.com/Documentation/Splunk/8.0.5/DMC/Configureindistributedmode The monitoring console is a Splunk Enterprise monitoring tool. It lets you view detailed topology and performance information about your Splunk Enterprise deployment. The search is taken from the monitoring console. You can find the search performance dashboards at "Search->Activity". The macro is defined in the context of the monitoring console. I hope this helps you.

mdorobek · ‎07-17-2019

I just found a solution. Nevertheless thank you, I received the key by a colleague and didn't know there is a community. I will try it in future if I have another question.

mdorobek · ‎07-17-2019

Turns out it was a missing import. I had to import requests.

mdorobek · ‎07-12-2019

Hello there, I try to use a custom authentication handler to set a header with a session-ID I get from another REST request. Heres my class in the authhandlers.py class AuthHeader(AuthBase): def __init__(self,**args): self.username = args['username'] self.password = args['password'] self.ip = args['ip'] def __call__(self, r): url = "https://" + self.ip + "/api/endeavour/session" session_json = requests.post(url, verify=False, auth=HTTPBasicAuth(self.username, self.password)) session_json.json()['sessionid'] headers = {'content-type':application/json, 'accept':application/json, 'x-endeavour-sessionid':session_json.json()['sessionid']} r.headers = headers return r And heres my config in the GUI: Somehow this doesnt work and I dont get any events. Can somone help me and find the mistake? Kind regards, mdorobek

mdorobek · ‎06-26-2019

What are you trying to achieve? Do you extract a multivalue field and want to expand it on indextime? Can you name an example?

mdorobek · ‎01-17-2019

I also thought about this approach. The issues I have with this is that I loose the ressourceID and SystemID, don't I? Is it possible to share youre complete props.conf? Then I can try your solution. As far as I'm concered im fine with useing the mvexpand on the multi value field I use in my search, but I have nothing agianst better solutions.

mdorobek · ‎07-19-2018

Hello there, I have the issue that there are more events in one JSON-Object. Heres an example: { category: NetworkSecurityGroupFlowEvent operationName: NetworkSecurityGroupFlowEvents properties: { Version: 1 flows: [ { flows: [ { flowTuples: [ 1531920192,11.11.111.111,12.12.122.122,1608,703,U,O,A 1531920222,11.11.111.111,12.12.122.122,14172,703,T,O,A ] mac: 000A1A111111 } ] rule: UserRule_AllowSelfOutBound } { flows: [ { flowTuples: [ 1531920192,11.11.111.112,12.12.122.123,14886,703,U,I,A 1531920222,11.11.111.112,12.12.122.123,11717,703,U,I,A ] mac: 000A1A111111 } ] rule: UserRule_AllowSelfInBound } ] } resourceId: /SUBSCRIPTIONS/aa11a111-11a1-1111-11a1-aa1111a11aaa /RESOURCEGROUPS/NETZWERK-NETZWERK-PROD-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/HUBNVAHA-NETZWERK-PROD-NSG systemId: aa11a111-11a1-1111-11a1-aa1111a11aaa time: 2018-07-18T13:24:10.3603243Z } There are more then one flowTuple in one JSON Object which causes Problems at filtering IP's. Is it possible to modify the events at indexing time to have one event for every tuple like the following example? { category: NetworkSecurityGroupFlowEvent operationName: NetworkSecurityGroupFlowEvents properties: { Version: 1 flows: [ { flows: [ { flowTuples: [ 1531920192,11.11.111.111,12.12.122.122,1608,703,U,O,A ] mac: 000A1A111111 } ] rule: UserRule_AllowSelfOutBound } resourceId: /SUBSCRIPTIONS/aa11a111-11a1-1111-11a1-aa1111a11aaa /RESOURCEGROUPS/NETZWERK-NETZWERK-PROD-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/HUBNVAHA-NETZWERK-PROD-NSG systemId: aa11a111-11a1-1111-11a1-aa1111a11aaa time: 2018-07-18T13:24:10.3603243Z } { category: NetworkSecurityGroupFlowEvent operationName: NetworkSecurityGroupFlowEvents properties: { Version: 1 flows: [ { flows: [ { flowTuples: [ 1531920222,11.11.111.111,12.12.122.122,14172,703,T,O,A ] mac: 000A1A111111 } ] rule: UserRule_AllowSelfOutBound } resourceId: /SUBSCRIPTIONS/aa11a111-11a1-1111-11a1-aa1111a11aaa /RESOURCEGROUPS/NETZWERK-NETZWERK-PROD-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/HUBNVAHA-NETZWERK-PROD-NSG systemId: aa11a111-11a1-1111-11a1-aa1111a11aaa time: 2018-07-18T13:24:10.3603243Z } and so on.. I did ask a similar question on splunk answers which provides more information. Since noone could give me an answer I try to ask the question differently. Kind regards mdorobek

mdorobek · ‎06-20-2018

Even with using TERM() I still have the exact same issue as before. I don't think this is the right answer. Do you need any further information?

mdorobek · ‎06-19-2018

Hello there, I try to import Azure NSG flow Events. To get the data into Splunk I use the Splunk Add-on for Microsoft Cloud (https://splunkbase.splunk.com/app/3110/). Heres a anonymized example of a delivered JSON Object. {"time":"2018-06-06T09:00:09.2874215Z","systemId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","category":"NetworkSecurityGroupFlowEvent","resourceId":"/SUBSCRIPTIONS/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/RESOURCEGROUPS/NETZWERK-NETZWERK-DUT-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/HUBTRUSTED-NETZWERK-DUT-NSG","operationName":"NetworkSecurityGroupFlowEvents","properties":{"Version":1,"flows":[{"rule":"UserRule_AllowAllInBound","flows":[{"mac":"000D3A2DEF83","flowTuples":["1528275561,123.123.123.123,234.234.234.234,40531,2252,T,I,A","1528275571,12.12.12.12,23.23.23.23,39052,2095,T,I,A"]}]}]}}, For more information about the Azure NSG Logs: https://docs.microsoft.com/en-GB/azure/network-watcher/network-watcher-nsg-flow-logging-overview Heres the props.conf I wrote: [mscs:nsg:flow] DATETIME_CONFIG = KV_MODE = json LINE_BREAKER = }}(,) NO_BINARY_CHECK = true SEDCMD-remove_header = s/{\"records\":\[//g TIME_PREFIX = time\":\" TRUNCATE = 0 category = Network & Security disabled = false pulldown_type = true SEDCMD-add_closing_bracket = s/\s$/ }//g SEDCMD-correctly-close = s/]}(?!\S)//g SHOULD_LINEMERGE = true REPORT-tuples = extract_tuple SEDCMD-correctly-begin = s/^"time"/{"time"/g As you can see in the following image this works very well for me. (This is another log then the raw log) To extract the fields I wrote the following transforms.conf: [extract_tuple] REGEX = (?<timestamp>[0-9]{10}),(?<src_ip>[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}),(?<dest_ip>[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}),(?<src_port>[0-9]{1,5}),(?<dest_port>[0-9]{1,5}),(?<protocol>(T|U)),(?<traffic_flow>(I|O)),(?<traffic>(A|D)) MV_ADD = true Heres a example for two extracted fields with this configurration: And heres the problem I need some help. As far as I can see the fields get extracted correctly as multi value fields. But if I try to filter for a value like "dest_ip=234.234.234.234" I will get the four destination IP's "23.23.23.23", too. I guess Splunk shows every event with the minimum of one match. (and all other values of the event, too) Another issue I have got is that searches over 3 or 4 multivalue fields need a lot of time or cant even executed. Is there a better way to extract the fields? Best regards, mdorobek

mdorobek · ‎03-16-2018

Heres an example by using the coropleth map, I hope this helps: index=foo | eventstats count as total | iplocation src_ip | stats count by Country, total | eval percentage=round((count/total)*100, 2) | fields Country, percentage | eval percentage=case(percentage<10,"<10%",percentage<20,"10-20%", percentage<30,"20-30%", percentage<40,"30-40%", percentage<50,"40-50%", percentage<60,"50-60%", percentage<70,"60-70%", percentage<80,"70-80%", percentage<80,"80-90%", percentage<100,"90-100%") | geom geo_countries featureIdField=Country

mdorobek · ‎10-23-2017

@niketnilay Theres no need to say sorry, I am more than pleased with youre answer. Atleast i can screenshot the panels and use them in some presentations 🙂

mdorobek · ‎10-23-2017

@niketnilay the answer works perfectly. Sadly it doesn't work for scheduled pdf delivery.

mdorobek · ‎10-18-2017

Hello DalJeanis, I have read the documentation and I am aware that colorby is a binary option. Yet I have the hope that someone knows an existing workaround. If there is no other answer in a few days, I'll accept the answer and close the question.

mdorobek · ‎10-18-2017

I did add a picture. I hope this helps.

mdorobek · ‎10-17-2017

A single value in Splunk has the following simple xml code: <single> <search> <query></query> <earliest></earliest> <latest></latest> </search> <option name="colorBy">trend</option> <option name="colorMode">none</option> <option name="drilldown">none</option> <option name="height">150</option> <option name="numberPrecision">0</option> <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option> <option name="rangeValues">[0,30,70,100]</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trendColorInterpretation">inverse</option> <option name="trendDisplayMode">absolute</option> <option name="trendInterval">-1mon</option> <option name="underLabel"></option> <option name="unitPosition">after</option> <option name="useColors">1</option> <option name="useThousandSeparators">1</option> </single> The option "colorBy" allows the values "trend" and "value". The left image is an example for the color by value, the right one for a panel with the color by trend: I would like to have both options enabled in my panel. Is there a possibility in simple xml to set the color of the single value and the trend seperated in one panel? Thanks!

Posts	40
Solutions	4
Karma Given	16
Karma Received	12
Member Since	‎03-13-2015

Online Status	Offline
Date Last Visited	‎02-07-2024 06:03 AM

Custom Authentication Handler for session id

Modify JSON Objects at indexing time

How do I import Azure NSG LOGs?

Can we set two different colors for single-value a...

Why am I missing some Nessus Events?

Using join to show fields for two sourcetypes in o...

Re: Specify Fields for Outputlookup or Outputcsv

Re: Before Indexing Filter Based ON JSON format da...

Re: Before Indexing Filter Based ON JSON format da...

Re: Before Indexing Filter Based ON JSON format da...

Re: Before Indexing Filter Based ON JSON format da...

Re: Before Indexing Filter Based ON JSON format da...

Re: Before Indexing Filter Based ON JSON format da...

Re: how can i change column values to field names

Re: how can i change column values to field names

Re: how can i change column values to field names

Re: How can I measure the dashboard load time ?

Re: Custom Authentication Handler for session id

Re: Custom Authentication Handler for session id

Custom Authentication Handler for session id

Re: how to use mvexpand in props.conf

Re: Import Azure NSG LOGs

Modify JSON Objects at indexing time

Re: Import Azure NSG LOGs

How do I import Azure NSG LOGs?

Re: Question regarding heat map and tile visualiza...

Re: Can we set two different colors for single-val...

Re: Can we set two different colors for single-val...

Re: Can we set two different colors for single-val...

Re: Can we set two different colors for single-val...

Can we set two different colors for single-value a...

Are you a member of the Splunk Community?