Activity Feed
- Posted Re: Field extraction on lookup table on Splunk Search. 07-30-2020 07:59 PM
- Posted Re: Field extraction on lookup table on Splunk Search. 07-30-2020 01:43 AM
- Posted How to perform a field extraction on a field from a lookup table? on Splunk Search. 07-29-2020 01:31 AM
- Got Karma for Re: How to run an ldapsearch to find all users in an OU in Active Directory, then export all users' events to a table?. 06-05-2020 12:48 AM
- Posted Re: How to loop through all the results and send an email to each user on Splunk Dev. 10-23-2018 08:52 PM
- Posted How to loop through all the results and send an email to each user on Splunk Dev. 10-17-2018 10:44 PM
- Tagged How to loop through all the results and send an email to each user on Splunk Dev. 10-17-2018 10:44 PM
- Posted Re: How to create a regex that captures the first 6 characters of a mac address and removes the hyphen characters? on Splunk Search. 07-17-2018 09:06 PM
- Posted Re: How to create a regex that captures the first 6 characters of a mac address and removes the hyphen characters? on Splunk Search. 07-17-2018 09:02 PM
- Posted How to create a regex that captures the first 6 characters of a mac address and removes the hyphen characters? on Splunk Search. 07-17-2018 05:56 PM
- Tagged How to create a regex that captures the first 6 characters of a mac address and removes the hyphen characters? on Splunk Search. 07-17-2018 05:56 PM
- Tagged How to create a regex that captures the first 6 characters of a mac address and removes the hyphen characters? on Splunk Search. 07-17-2018 05:56 PM
- Tagged How to create a regex that captures the first 6 characters of a mac address and removes the hyphen characters? on Splunk Search. 07-17-2018 05:56 PM
- Posted Re: I'm trying to perform a subsearch on lookup table and extract two fields using a or statement on Splunk Search. 08-11-2016 04:32 PM
- Posted I'm trying to perform a subsearch on lookup table and extract two fields using a or statement on Splunk Search. 08-10-2016 06:50 PM
- Tagged I'm trying to perform a subsearch on lookup table and extract two fields using a or statement on Splunk Search. 08-10-2016 06:50 PM
- Posted Re: Splunk Support for Active Directory: How to search a list of users whose accounts will expire within 30 days of today's date? on All Apps and Add-ons. 06-01-2016 04:23 PM
- Posted Re: Splunk Support for Active Directory: How to search a list of users whose accounts will expire within 30 days of today's date? on All Apps and Add-ons. 06-01-2016 03:37 PM
- Posted Splunk Support for Active Directory: How to search a list of users whose accounts will expire within 30 days of today's date? on All Apps and Add-ons. 06-01-2016 01:55 AM
- Tagged Splunk Support for Active Directory: How to search a list of users whose accounts will expire within 30 days of today's date? on All Apps and Add-ons. 06-01-2016 01:55 AM
07-30-2020
07:59 PM
I need to create another field from the field generated by the table lookup. Here is the line which creates the lookup table field:
LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
I can use
LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege AS MyNewField
which works, but I lose the field name privilege, which might cause other dashboards to stop working. I can't post the props.conf as it exceeds 20000 characters.
07-30-2020
01:43 AM
Thanks, Splunk Enterprise Security requires the field for the CIM to build the data model. I won't be able to run it as SPL, as the data models are built as a background task.
07-29-2020
01:31 AM
Hi,
How to perform a field extraction on a field from a lookup table?
I'm trying to add another field so the data model in Splunk Enterprise Security can recognise the field.
The issue I'm having is that field extraction in props.conf and transforms.conf happens before the lookup table.
I tried the AS command after OUTPUT on the lookup, but it renames the default field from the Windows Add-on. I only want to add another field and not rename the fields in the Add-on. REPORT- in props.conf and transforms.conf works on any other field except fields from lookup tables.
I need to perform the field extraction in the Add-on and not in SPL.
Thanks in advance.
10-23-2018
08:52 PM
I've tried many different combinations and got it working with the map search command.
When I used the map command with sendemail, the variables changed from $result.field$ to $field$, to use the field as a variable. I also had to escape the quotation marks within the map command.
Here is my search query that worked for anyone else facing the same issue.
| inputlookup ActiveDirectory_Users.csv
| eval AccountExpiryEpoch=strptime(accountExpires,"%Y-%m-%dT%H:%M:%S%Z") | where AccountExpiryEpoch < relative_time(now(),"+30d@d") AND AccountExpiryEpoch >=now()
| eval AccountExpiresTime=strftime(AccountExpiryEpoch ,"%A, %e %B %Y") | eval AccountExpiresDate=strftime(AccountExpiryEpoch ,"%d/%m/%Y %I:%M:%S %p")
| eval UppergivenName = upper(substr(givenName,1,1)).lower(substr(givenName,2)) | eval Uppersn = upper(substr(sn,1,1)).lower(substr(sn,2))
| map search="
| sendemail from=\"helpdeskemail\" to=\"$mail$\" bcc=helpdeskemail subject=\"Account Expiring\" message=\"
Dear $UppergivenName$ $Uppersn$,
Your account ($UppergivenName$ $Uppersn$) is due to expire on $AccountExpiresTime$.
\"
"
10-17-2018
10:44 PM
Hi,
I'm unable to figure out how to loop through for each row result and send an email.
The first row works correctly and sends the user an email that their account is expiring within 30 days, with the below Splunk search.
I've performed a search on Google and found I need to use the map command, but I'm unable to make the below search work with the map command in different areas of the below code.
To recap I'm downloading all the Active Directory users to a lookup table every night with their account details. I now have the lookup table and want to email users when their account is 30 days from expiring. I can only get the first result from my search to work and unable to perform the same function on each row.
| inputlookup ActiveDirectory_Users.csv
| eval AccountExpiryEpoch=strptime(accountExpires,"%Y-%m-%dT%H:%M:%S%Z") | where AccountExpiryEpoch < relative_time(now(),"+30d@d") AND AccountExpiryEpoch >=now()
| eval AccountExpiresTime=strftime(AccountExpiryEpoch ,"%A, %e %B %Y") | eval AccountExpiresDate=strftime(AccountExpiryEpoch ,"%d/%m/%Y %I:%M:%S %p")
| eval UppergivenName = upper(substr(givenName,1,1)).lower(substr(givenName,2)) | eval Uppersn = upper(substr(sn,1,1)).lower(substr(sn,2))
| table AccountExpiresDate, AccountExpiresTime, UppergivenName, Uppersn, mail
| sendemail from="helpdeskemail" to="$result.mail$" bcc=helpdeskemail subject="Account Expiring" message="
Dear $result.UppergivenName$ $result.Uppersn$,
Your account ($result.UppergivenName$ $result.Uppersn$) is due to expire on $result.AccountExpiresTime$.
"
- Tags:
- splunk-enterprise
07-17-2018
09:06 PM
Thanks, I got it working by using (?<one>\w+)-(?<two>\w+)-(?<three>\w+)-(?<four>\w+)-(?<five>\w+)-(?<six>\w+)
Then I'll make upper case and concatenate one+two+three
07-17-2018
09:02 PM
Thanks, I got it working by using (?<one>\w+)-(?<two>\w+)-(?<three>\w+)-(?<four>\w+)-(?<five>\w+)-(?<six>\w+)
I will make it in upper case and concatenate one+two+three in Splunk.
Thanks
07-17-2018
05:56 PM
I'm unable to create a regex that captures the first 6 characters of a mac address and removes the hyphen characters.
Here is the source data 00-2b-73-ab-1e-75
I need to change the source to 002B73
Here's my search | rex field =ClientId "(?) "
I'm getting stuck finding a regex statement that matches.
08-11-2016
04:32 PM
Thanks worked perfectly.
08-10-2016
06:50 PM
Hi
I'm trying to perform a subsearch to get a list of users in a lookup table, map the mail field to recipients and sender, and perform a search on recipients or sender. At the moment it's only performing the search if both the recipients and sender fields match.
Is there a way to change it to search for recipients or senders that match the fields, instead of both fields needing to match?
Here is my current search.
index=msexchange sourcetype="MSExchange:2010:MessageTracking" recipients=* OR sender=* [| inputlookup Finance_Users.csv | eval recipients = mail | eval sender = mail | fields recipients, sender] | dedup message_id | eval DLM = coalesce(SEC,DLM) |sort by -_time | convert timeformat="%d/%m/%Y %I:%M:%S %p" ctime(_time) | table _time, sender, recipient, message_subject, DLM | rename sender as Sender, recipient as Recipient, _time as Time, message_subject as Subject
- Tags:
- splunk-enterprise
06-01-2016
04:23 PM
I have the users' email addresses from Active Directory in the lookup table. Is there a way Splunk can turn the user's email address into a variable and then send an email to the individual email addresses it finds in the report? Currently we send the report to the Service Desk and the Service Desk calls the user advising them they need to start the process of getting their accounts extended. It would be nice if Splunk could also email the users.
06-01-2016
03:37 PM
Thanks that worked perfectly.
06-01-2016
01:55 AM
I'm trying to generate a list of users whose accounts will expire within 30 days of today's date.
I first download the Active Directory users to a CSV lookup table using ldapsearch. Then I turn the accountExpires field into epoch time and run the following search commands. I can't accurately get the accounts that expire in 30 days. I tested the epoch time using an epoch time converter, which tested fine. Here are the commands I've tested.
|inputlookup AGSEC_Users | eval AccountExpiryEpoch=strptime(accountExpires,"%Y-%m-%dT%H:%M:%SZ") | eval DaysLeft = (now() - AccountExpiryEpoch)/86400 | where DaysLeft<=30 | table displayName, sAMAccountName, accountExpires, AccountExpiryEpoch
and I've tested this:
|inputlookup AGSEC_Users | eval AccountExpiryEpoch=strptime(accountExpires,"%Y-%m-%dT%H:%M:%SZ") | where AccountExpiryEpoch < relative_time(now(),"-30d@d") | table displayName, sAMAccountName, accountExpires, AccountExpiryEpoch
Both return results, but not accounts that will expire within 30 days.
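The filter this question is after, together with the per-row e-mail loop from the 10-17-2018 question, worked in Python as an added example (it is not the poster's SPL or anything shipped by Splunk). It assumes the lookup has already been converted to the "%Y-%m-%dT%H:%M:%SZ" strings the poster parses, that an empty accountExpires means the account never expires, and it returns the notifications instead of sending them; the sample rows and the fixed "now" are constructed.

```python
"""Expiring-account report and one notification per matching account.
Added example; not the original poster's SPL.  Assumptions not taken from the
thread: accountExpires is already an ISO-8601 UTC string in the
"%Y-%m-%dT%H:%M:%SZ" form the poster parses, an empty value means the
account never expires, and notifications are returned rather than sent.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed stand-in for ActiveDirectory_Users.csv (not real accounts).
SAMPLE_CSV = """givenName,sn,mail,accountExpires
jane,DOE,jane.doe@example.test,2020-08-15T00:00:00Z
JOHN,smith,john.smith@example.test,2020-07-01T00:00:00Z
ann,lee,ann.lee@example.test,2020-09-15T00:00:00Z
svc,backup,svc.backup@example.test,
"""

# Fixed reference time so the example is deterministic.
NOW = datetime(2020, 7, 30, 12, 0, tzinfo=timezone.utc)


def load_rows(text):
    """Read the lookup the way inputlookup would: one dict per CSV row."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_expiry(value):
    """ISO-8601 'Z' timestamp -> aware UTC datetime; empty -> None (never expires)."""
    value = (value or "").strip()
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def window_end(now, days):
    """Equivalent of relative_time(now(), "+30d@d"): now + days, snapped to 00:00."""
    return (now + timedelta(days=days)).replace(hour=0, minute=0, second=0, microsecond=0)


def expiring_within(rows, now=NOW, days=30):
    """Rows whose expiry lies in [now, window_end).  The window must be in the
    future: the "-30d@d" attempt in the thread selects accounts that have
    already expired.  Accounts with no expiry are skipped explicitly."""
    end = window_end(now, days)
    out = []
    for row in rows:
        exp = parse_expiry(row.get("accountExpires"))
        if exp is not None and now <= exp < end:
            out.append((row, exp))
    return out


def title_case(name):
    """Same as upper(substr(x,1,1)).lower(substr(x,2)) in the poster's eval."""
    return name[:1].upper() + name[1:].lower()


def build_notifications(rows, now=NOW, days=30, sender="helpdesk@example.test"):
    """One message per matching row: the loop the thread reaches for map."""
    messages = []
    for row, exp in expiring_within(rows, now, days):
        first, last = title_case(row["givenName"]), title_case(row["sn"])
        when = exp.strftime("%A, %d %B %Y")
        messages.append({
            "from": sender,
            "to": row["mail"],
            "bcc": sender,
            "subject": "Account Expiring",
            "days_left": (exp - now).days,
            "body": (f"Dear {first} {last},\n"
                     f"Your account ({first} {last}) is due to expire on {when}.\n"),
        })
    return messages


if __name__ == "__main__":
    for msg in build_notifications(load_rows(SAMPLE_CSV)):
        print(f"To: {msg['to']} ({msg['days_left']} days left)\n{msg['body']}")
```

Running the file prints one message per account that expires inside the next 30 days; of the four constructed rows only the first qualifies, because the second has already expired, the third is past the window and the fourth never expires. The comparison mirrors the poster's eventual SPL (expiry >= now() AND expiry < relative_time(now(), "+30d@d")); the first search in this question used "-30d@d", which looks 30 days into the past, which is why both of the searches above return rows but never the right ones.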
05-23-2016
06:51 PM
1 Karma
Thanks
This solved the problem:
index=safend source=Safend_DataEventsView sourcetype=dbx2 [| ldapsearch domain=internal.local basedn="OU=Finance,OU=Users,DC=internal,DC=local" scope="sub" search="(objectClass=user)" | eval User =lower(userPrincipalName) | fields User] | sort by -_time | convert timeformat="%d/%m/%Y %I:%M:%S %p" ctime(_time) | replace 0 with Read, 1 with Write | eval megabytes=((FileSize/1024)/1024) | eval "File Size"= megabytes + " MB" | table _time, User, FileName, FileExtension, ClientHost, DeviceDescription, FileOperation, "File Size" , IPAddresses, PolicyName, ClientVersion | rename _time as Time, DeviceDescription as "Device Description", FileName as "File Name", FileExtension as "File Extension", ClientHost as "From PC", FileOperation as "File Operation", PolicyName as "Policy Name", IPAddresses as "IP Address", ClientVersion as "Client Version"
05-22-2016
06:07 PM
I need to find all the users in an OU in Active Directory. Currently I run:
| ldapsearch domain=internal.local basedn="OU=Finance,OU=Users,DC=internal,DC=local" scope="sub" search="(objectClass=user)"
That gets me all the users in the OU. I also export all the users' events from Safend to a table using:
index=safend source=Safend_DataEventsView sourcetype=dbx2 | sort by -_time | convert timeformat="%d/%m/%Y %I:%M:%S %p" ctime(_time) | replace 0 with Read, 1 with Write | eval megabytes=((FileSize/1024)/1024) | eval "File Size"= megabytes + " MB" | table _time, User, FileName, FileExtension, ClientHost, DeviceDescription, FileOperation, "File Size" , IPAddresses, PolicyName, ClientVersion | rename _time as Time, DeviceDescription as "Device Description", FileName as "File Name", FileExtension as "File Extension", ClientHost as "From PC", FileOperation as "File Operation", PolicyName as "Policy Name", IPAddresses as "IP Address", ClientVersion as "Client Version"
I need to find a way to first find the users using the ldapsearch and then generate a table using the above command.
When I run the LDAP command in a subsearch, no data is shown for the second command to find.
04-05-2016
12:34 AM
I'm trying to extract a field called Item_Name using the file props.conf on the search head. I'm currently using this in the props.conf file which isn't working:
EXTRACT-Item_Name = (?<=Item Name:).(.*?).(?=suid=)
I would like to extract all the texts between Item Name and suid= into a field called Item_Name.
Below is the event:
2016-04-05T13:10:12+10:00 AFVWS05 CEF: 0|Thycotic Software|Secret Server|8.9.030008|10040|SECRET - PASSWORD_COPIED_TO_CLIPBOARD|2|msg=[SecretServer] Event: [Secret] Action: [Password Copied to Clipboard] By User: internal.local\\ddonald Item Name: Service Account for SCCM (System Center Configuration Manager) Container Name: Miscellany suid=14 suser=internal.local\\ddonald cs4=internal.local\\Donald, David cs4Label=suser Display Name src=24.1.0.5 rt=Apr 05 2016 03:10:09 fname=Service Account for SCCM (System Center Configuration Manager) fileType=Secret fileId=345 cs3Label=Folder cs3=Miscellany
Thanks
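The two named-group extractions asked about on this page, the Item_Name field in this question and the MAC-address OUI in the 07-17-2018 question, run in Python's re module as an added example (not the poster's props.conf or rex, and not Splunk's code). Python writes a named group as (?P<name>...) where Splunk's PCRE writes (?<name>...); otherwise the patterns carry over unchanged into a rex command or an EXTRACT- stanza. Splitting Container Name into a field of its own and accepting colon-separated and Cisco-dotted MAC forms are additions of this example, not something either thread asked for; the CEF event is the one from this question and the extra MAC strings are constructed.

```python
"""Named-group field extraction for the two patterns asked about on this page,
run with Python's re module.  Added example, not the poster's props.conf or
rex.  Python spells a named group (?P<name>...); Splunk's PCRE spells it
(?<name>...), which is the only change needed to reuse these patterns in a
rex command or an EXTRACT- stanza.
"""
import re

# The Thycotic Secret Server CEF event from the 04-05-2016 question.
EVENT = (
    r"2016-04-05T13:10:12+10:00 AFVWS05 CEF: 0|Thycotic Software|Secret Server|"
    r"8.9.030008|10040|SECRET - PASSWORD_COPIED_TO_CLIPBOARD|2|msg=[SecretServer] "
    r"Event: [Secret] Action: [Password Copied to Clipboard] By User: "
    r"internal.local\\ddonald Item Name: Service Account for SCCM (System Center "
    r"Configuration Manager) Container Name: Miscellany suid=14 "
    r"suser=internal.local\\ddonald cs4=internal.local\\Donald, David "
    r"cs4Label=suser Display Name src=24.1.0.5 rt=Apr 05 2016 03:10:09 "
    r"fname=Service Account for SCCM (System Center Configuration Manager) "
    r"fileType=Secret fileId=345 cs3Label=Folder cs3=Miscellany"
)

# The question's pattern, (?<=Item Name:).(.*?).(?=suid=), has no *named*
# group, so an EXTRACT- stanza has nothing to name the field after, and the
# lone '.' on each side swallows one character of the value.  Anchoring on the
# literal labels and naming the group fixes both.  Putting "Container Name"
# in its own field is an addition of this example; the question literally asked
# for everything up to suid=, which would include the container text.
ITEM_RE = re.compile(
    r"Item Name:\s*(?P<Item_Name>.*?)"
    r"(?:\s+Container Name:\s*(?P<Container_Name>.*?))?"
    r"\s+suid="
)


def extract_item_fields(event):
    """Return {'Item_Name': ..., 'Container_Name': ... or None}, or None when
    the labels are absent (Splunk would simply leave the fields unset)."""
    m = ITEM_RE.search(event)
    return m.groupdict() if m else None


# OUI (first three octets) of a MAC address.  The thread's answer captured six
# \w+ groups; \w also matches non-hex characters and accepts a single digit,
# so this version insists on exactly two hex digits per octet.  Accepting
# colon-separated and Cisco dotted (xxxx.xxxx.xxxx) forms is an addition so one
# pattern serves DHCP, switch and Windows sources.
MAC_RE = re.compile(
    r"^(?P<o1>[0-9a-f]{2})[-:]?(?P<o2>[0-9a-f]{2})[-:.]?(?P<o3>[0-9a-f]{2})[-:]?"
    r"(?P<o4>[0-9a-f]{2})[-:.]?(?P<o5>[0-9a-f]{2})[-:]?(?P<o6>[0-9a-f]{2})$",
    re.IGNORECASE,
)


def mac_oui(value):
    """'00-2b-73-ab-1e-75' -> '002B73'; None if value is not a MAC address."""
    m = MAC_RE.match(value.strip())
    if not m:
        return None
    return (m["o1"] + m["o2"] + m["o3"]).upper()


if __name__ == "__main__":
    print(extract_item_fields(EVENT))
    for mac in ("00-2b-73-ab-1e-75", "00:2B:73:AB:1E:75", "002b.73ab.1e75", "not-a-mac"):
        print(mac, "->", mac_oui(mac))
```

The Item_Name pattern relies on the lazy .*? stopping at the first label that follows, so an event without a Container Name label still yields Item_Name (with Container_Name empty). For the OUI, validating the octets matters more than it looks: a DHCP field that carries a hostname or a truncated address would still satisfy the six-\w+ version and produce a bogus vendor prefix, whereas the stricter pattern returns nothing and the row can be flagged instead of misattributed.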