×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Lombs
Engager
Member since: ‎10-23-2020
‎07-09-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎10-23-2020
Topics I've Started
View All

LISPY issues with Windows Defender Logs

by in Splunk Search
‎05-04-2021 11:26 PM
1 Karma
‎05-04-2021 11:26 PM
1 Karma
Hey Splunkers, in the last days I'm trying to learn and understand the principles of LISPY to understand the fllowing phenomenon. By now I can tell that I've learned a lot but still can't comprehend the behaviour of Splunk putting its LISPY queries  together. Szenario: Our analysts are working with Windows Defender Logs and therefore we are using two TAs (https://splunkbase.splunk.com/app/3734/ and https://splunkbase.splunk.com/app/5208/) to extract and normalize the data. The TA by nextpart does a renaming of the source and a automatic lookup as you can see in this props.conf   [source::...WinEventLog:Microsoft-Windows-Windows Defender/Operational] # Default shorten to easy readable source EVAL-source = "XmlWinEventLog:Defender" LOOKUP-CategoryString_for_windows = windefender_signature_lookup signature_id OUTPUTNEW action, CategoryString, result, subsystem ...    I understand what is happening here so far, but now we have a strange behaviour whie running SPL on the data where we used the fields "index", "source" and "CategoryString". "CategoryString" comes as output fromthe automatic lookup. That was when i took a closer look at the LISPY and was able to locate the problem: SPL LISPY Results index=indexname source="XmlWinEventLog:Defender" CategoryString=action [ AND action index::indexname [ OR source::*wineventlog:microsoft-windows-windows\ defender/operational source::xmlwineventlog:defender ] ] No  index=indexname SourceName="Microsoft-Windows-Windows Defender" CategoryString=action [ AND defender index::indexname microsoft windows [ OR action source::*wineventlog:microsoft-windows-windows\ defender/operational ] ]  Yes As far as I understand the string "action" is not found in tsidx file as it is returned as a field value from a automatic lookup and that's why our first LISPY does not provide any data and the SPL gives back 0 results. In the second SPL where we used SourceName (not indexed) instead of Source (indexed) the LISPY looked different and worked as the string "action" is now in OR-clause and not in the AND-clause at the beginning... My questions now are: As I'm a very curious guy, can someone explain this behaviour to me? What would / could be a good way or workaround to "fix" this so that the field "source" and "CategoryString" can be used together? Regards, Lombs ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-09-2021 10:33 AM
Karma from
View All
Karma given to
View All