Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About marco_massari11
marco_massari11
Communicator
Member since:
11-13-2020
Monday
Community Statistics
| Posts | 63 |
| Solutions | 1 |
| Karma Given | 27 |
| Karma Received | 0 |
| Member Since | 11-13-2020 |
Activity Feed
- Posted Re: Issue with transforms.conf on Getting Data In. Monday
- Posted Issue with transforms.conf on Getting Data In. Monday
- Posted Re: Windows events filtering not working on Getting Data In. 03-22-2024 09:44 AM
- Posted Re: Windows events filtering not working on Getting Data In. 03-21-2024 05:04 AM
- Karma Re: Windows events filtering not working for marnall. 03-21-2024 05:04 AM
- Posted Windows events filtering not working on Getting Data In. 03-21-2024 02:56 AM
- Karma Re: Use license on two standalone instances for PickleRick. 01-26-2024 02:21 AM
- Karma Re: Use license on two standalone instances for isoutamo. 01-26-2024 02:21 AM
- Posted Use license on two standalone instances on Splunk Enterprise. 01-26-2024 01:17 AM
- Karma Re: Extract any character when dot is present for gcusello. 02-13-2023 06:28 AM
- Posted Extract any character when dot is present? on Splunk Search. 02-13-2023 06:13 AM
- Posted Re: How to split single sourcetype in multiple ones based on json field value? on Getting Data In. 12-08-2022 01:22 PM
- Posted How to split single sourcetype in multiple ones based on json field value? on Getting Data In. 12-08-2022 08:39 AM
- Karma Re: Extract same fields from different logs? for gcusello. 12-05-2022 07:01 AM
- Posted Re: Extract same fields from different logs? on Splunk Search. 12-05-2022 05:53 AM
- Posted How to extract same fields from different logs? on Splunk Search. 12-05-2022 05:15 AM
- Posted Re: Extract JSON fields with transforms.conf from UI on Getting Data In. 11-07-2022 04:06 PM
- Karma Re: Extract JSON fields with transforms.conf from UI for bowesmana. 11-07-2022 04:06 PM
- Posted How to extract JSON fields with transforms.conf from UI? on Getting Data In. 11-07-2022 12:49 PM
- Karma Re: How to exclude results if some conditions? for richgalloway. 09-16-2022 02:21 AM
Monday
Hello @marnall , I already tested both regex in regex101 and there is not overlapping, this is why I do not understand why it's not working.
... View more
Monday
Hello,
I have a standalone Splunk Enterprise 9.1.3 instance with some DCs and servers connected to it using Forwarder Management console. At the moment I have 2 server classes configured, 1 for the DCs and the other one for the servers. The server class for the DCs includes only the inputs.conf file for Windows logs:
[WinEventLog://Security]
disabled = 0
index = myindex
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 4624,4634,4625,4728,4729
renderXml=false
Moreover, in the Splunk Enterprise I configured 2 transforms for splitting the logs in two separeted indexes, like this:
props.conf:
[WinEventLog:Security]
TRANSFORMS-security = rewrite_ad_group_management, rewrite_index_adm
transforms.conf:
[rewrite_ad_group_management]
REGEX = EventCode=(4728|4729)
DEST_KEY = _MetaData:Index
FORMAT = index1
[rewrite_index_adm]
REGEX = Account Name:\s+.*\.adm
DEST_KEY = _MetaData:Index
FORMAT = index2
In particular, the goal is to forward the authentication events (4624,4634,4625) for only admin users (Account Name:\s+.*\.adm) in index2 and only EventCode 4728 and 4729 in index1, and the events that not match none transform should remain in myindex. At the moment the first transform is not working, so I'm receiving Events 4728 and 4729 in index2, am I missing something or there is a better logic to do that? I tried to combine also 4624,4634,4625 and Account Name:\s+.*\.adm with
(?ms)EventCode=(4624|4634|4625)\X*Account Name:\s+.*\.adm
Thanks in advance
... View more
Labels
- Labels:
-
inputs.conf
-
props.conf
-
transforms.conf
03-22-2024
09:44 AM
It seems that the regex is not working, because the events are still arriving in index1, I tried different regexes but is the same
... View more
03-21-2024
05:04 AM
Hello, thanks for the clarification. Your solution is about to send all the events that match (?ms)EventCode=(4624|4634|4625)\s+.*\.adm in a specific index, but what about if I want to send the not matched events to another index?
... View more
03-21-2024
02:56 AM
Hello, I'having some problem when filtering standard Windows events. My goal is to send the events coming from my UFs to two different indexes based on the users. If the user ends with ".adm" the index should be index1, otherwhise index2. Here is my regex for filtering https://regex101.com/r/PsEHIp/1 I put it in inputs.conf ###### OS Logs ######
[WinEventLog://Security]
disabled = 0
index = index1
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = (?ms)EventCode=(4624|4634|4625)\s+.*\.adm
renderXml=false
... View more
01-26-2024
01:17 AM
Hello, I have to migrate from an old Splunk standalone instance (version 6.4) to a new one. Is it possible to use in the new instance the same license currently used in the old one in production? Is there anything I need to pay attention to? Thank you in advance!
... View more
Labels
02-13-2023
06:13 AM
Hi,
I have different mails in my logs and I need to filter them in order to distinguish real users from technical users. I noticed that real users have an email like name.surname@company.com, so I would like to extract these emails matching "anycharacter.anycharacter@any" because in some case it could be possible to have an email with numbers (ex. name.surname1@company.com).
Thank you in advance!
... View more
Labels
- Labels:
-
field extraction
-
other
-
regex
-
rex
12-08-2022
01:22 PM
Hi @Atriarc , my idea was to configure such a parser, maybe in the indxer before indexing.
... View more
12-08-2022
08:39 AM
Hi all,
recently my customer asked me to integrate different JSON log sources (VPN concentrator, WAF and Load Balancers) comeing from only one Azure event hub. I onboarded it using the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110) from the Inputs Data Manager Instance (IDM) and I selected the deafult sourcetype "mscs:azure:eventhub". At this point I need to split this sourcetype in three new ones, one for each log type (VPN concentrator, WAF and Load Balancers) distinguishing them and creating custom field extractions and so on for the Data Models. I found a field "category" within the JSON logs which can be used as splitting criteria:
Have you any idea to do that?
Thanks in advance!
... View more
Labels
12-05-2022
05:53 AM
Ciao Giuseppe, The correct MAC address is the one in the first parenthesis and it should be extracted when present, so I'm not interested in the second one at the end of the log. Moreover, I would like to extract these fields only when I find "joins" within the log, because it means a login success, in this way I can put in the transform format action::success and reason::success for the Authentication Data Model. Ciao Marco @gcusello
... View more
12-05-2022
05:15 AM
Hi all,
I need to extract some fields for authentication events from different log types, here below some example:
LOG1
: AddSenaoLog%Client-6:LINUX_device(00:00:00:00:00:00/1.1.1.1) joins WLAN(WIFI) from MY-WIFI-0000-INT(00:00:00:00:00:00)
LOG2 : AddSenaoLog%Client-6:(00:00:00:00:00:00) joins WLAN(WIFI-CITYLIFE) from MY-WIFI-0000-INT(00:00:00:00:00:00)
LOG3
%Client-6:LINUX_device(00:00:00:00:00:00/1.1.1.1) joins WLAN(WIFI-OSPITI) from MY-WIFI-0000-INT(00:00:00:00:00:00) LOG4
%Client-6:(00:00:00:00:00:00) joins WLAN(WIFI-OSPITI) from MY-WIFI-0000-INT(00:00:00:00:00:00)
As you can see in some case (LOG2 and LOG4) in the first parenthesis I have only the MAC address, in other cases (LOG1 and LOG3) I have both the IP and the MAC address, so I need to extract this two information (or only the MAC if the IP is missig as for LOG2 and LOG4) when I have "joins" in the logs.
Thanks in advance!
... View more
11-07-2022
04:06 PM
Hi @bowesmana , it seems working fine, but this field properties.authenticationDetails{}.succeeded is not always present within the logs, so in this case I will have action=failure even if the field is not present. Is there a solution to populate the field action only when the field properties.authenticationDetails{}.succeeded is present? Thank you in advance!
... View more
11-07-2022
12:49 PM
Hi,
I need to extract several fields from my JSON logs. For example I have a login event like this:
I need to create e field "action" when category=SignInLogs and succeeded (last field) is equal to true or false generating the field action=success or action=failure to be CIM compliant. This value is already extracted under the field "properties.authenticationDetails{}.succeeded. Is it possible to do that by fields transformation in Splunk UI?
Thanks in advance!!
... View more
Labels
09-15-2022
01:37 PM
Hi @richgalloway, as you can see in the screen attached the result returns the specified user with src=dest. Have you any other advice? Thanks in advance!
... View more
09-15-2022
11:48 AM
Hi @richgalloway , "not working" means that in the result I always have the events where src_user=user1 and src=dest. How can I specify it with where? Thank you in advance!
... View more
09-15-2022
09:03 AM
Hi All,
I have the following saved search:
| tstats summariesonly=true fillnull_value="N/D" count from datamodel=Change where NOT [|`change_whitelist_generic`] nodename="All_Changes.Account_Management.Accounts_Updated" AND All_Changes.log_region=* AND All_Changes.log_country=* AND (All_Changes.command=passwd OR All_Changes.result_id IN (4723, 4724)) by All_Changes.log_region, All_Changes.log_country, index, host, All_Changes.Account_Management.src_user, All_Changes.user, _time
| `drop_dm_object_name("All_Changes")`
| rename Account_Management.src_user as src_user
My customer asked to me to exclude results when Account_Management.src_user=user1 and All_Changes.Account_Management.src_nt_domain=All_Changes.Account_Management.dest_nt_domain. So I tried something like that but it seems not working:
| tstats summariesonly=true fillnull_value="N/D" count from datamodel=Change where NOT
[| `change_whitelist_generic`] nodename="All_Changes.Account_Management.Accounts_Updated" AND All_Changes.log_region=* AND All_Changes.log_country=* AND (All_Changes.command=passwd OR All_Changes.result_id IN (4723, 4724)) by All_Changes.log_region, All_Changes.log_country, index, host, All_Changes.Account_Management.src_user, All_Changes.user, All_Changes.Account_Management.dest_nt_domain, All_Changes.Account_Management.src_nt_domain, _time
| `drop_dm_object_name("All_Changes")`
| search NOT (Account_Management.src_user=user1 AND Account_Management.src_nt_domain=Account_Management.dest_nt_domain)
| rename Account_Management.src_user as src_user
Have you any advice?
Thank you!
... View more
09-09-2022
09:08 AM
Hi, I have similar authentication logs as below: LOG 1: 03362 auth: ST1-CMDR: User 'my-global\admin' logged in from IP1 to WEB_UI session LOG2: %%10WEB/4/WEBOPT_LOGIN_SUC(l): admin logged in from IP2 The regex below works only for event LOG2: (?<user>\w+)\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) Probably it doesn't match special characters, any idea to solve that? Thank you in advance!
... View more
Labels
- Labels:
-
field extraction
-
fields
-
regex
-
rex
09-02-2022
03:47 AM
Hi,
I'm trying to extract some fields from my Access Point Aruba in order to be CIM compliant. For authentication log I have two kinds of event:
Login failed:
cli[5405]: <341004> <WARN> AP:ML_AP01 <................................> Client 60:f2:62:8c:a8:a7 authenticate fail because RADIUS server authentication failure
Login success:
stm[5434]: <501093> <NOTI> AP:ML_AP01 <..................................> Auth success: 60:f2:62:8c:a8:a7: AP ...................................ML_AP01
My goal is to extract the mac address after "Client" in the first log and the mac after "Auth success" in the second one in a common field called "src", can someone please help me?
Thanks in advance!
... View more
Labels
- Labels:
-
field extraction
-
host
-
props.conf
-
syslog
06-10-2022
01:33 AM
Hi,
I have a lookup containing some admin users and I need to add some text like "ADS_" before the username to distinguish them from normal users. I tried:
index=myindex tag=authentication
| lookup Ads.csv Utenza AS username OUTPUT Gruppo
| fillnull value=NULL
| eval username=if(Gruppo="NULL",username, ADS_.username)
| eval action=if(match(details_message,"opened a Web Portal"),"success",action)
| search action=success dest_host!="- -"
| stats count by username
| sort count desc
what I'm missing?
Thanks in advance!
... View more
Labels
- Labels:
-
other
-
panel
-
single value
-
table
05-31-2022
06:45 AM
Ciao Giuseppe, l'obiettivo finale sarebbe di individuare quando allo stesso istante, indipendentemente dall' ip, si presentano un evento di login e un cambio password, quindi gli altri eventi non rientrerebbero nella casistica. Una volta individuati i due eventi, metterei in una table il time e altre informazioni a me utili. Spero di aver chiarito lo scopo. Ti ringrazio molto per il tuo tempo Grazie, Marco
... View more
05-31-2022
05:36 AM
Hi Giuseppe, yes it's possible and your query is exactly what I need, but I have a problem because it's possible to have many events with login and reset at different times, like this: 1.1.1.1 - - [31/May/2022:09:46:48 +0200] "POST /PasswordChange/ HTTP/1.1" 200... 1.1.1.1 - - [31/May/2022:09:46:22 +0200] "POST /PasswordChange/ HTTP/1.1" 200... 1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /PasswordChange/ HTTP/1.1" 200... 1.1.1.1 - - [31/May/2022:09:38:39 +0200] "GET /servlet/Login HTTP/1.1".... So the 2 events at 09:38:39 should be appear in the table but it's not because the dc_time is equal to 3 cause events above
... View more
05-31-2022
03:28 AM
Hi,
I'm looking for users that login into an application and reset the password at the same time . The logs involved are like this:
Login:
1.1.1.1 - - [31/May/2022:11:15:03 +0200] "POST /servlet/Login HTTP/1.1" 200.....
Pwd Change:
1.1.1.1 - - [31/May/2022:11:15:03 +0200] "GET /PasswordChange/ HTTP/1.1" 200 .......
IP: 1.1.1.1
action : /servlet/Login, /PasswordChange
Ip and action are already extracted, So I need something like if IP1=IP2 and time1=time2 and action1=login and action2=pwdchange.
Thanks in advance!
... View more
02-15-2022
08:57 AM
Hi,
I have different log types like:
<SQL > <TID: 0000000050> <RPC ID: 0002424958> <Queue: List > <Client-RPC: 390620 > <USER: *** > <Overlay-Group: 1 > /* Fri Feb 04 2022 17:47:10.0461 */SELECT * FROM ( SELECT T226.C1,C600000451 FROM T226 WHERE (('CC0000132482648' = T226.C600000451) AND ('7459898' = T226.C600000001)) ORDER BY 1 ASC ) WHERE ROWNUM <= 2
Or
<SQL > <TID: 0000000056> <RPC ID: 0002424078> <Queue: Fast > <Client-RPC: 390620 > <USER: *** > <Overlay-Group: 1 > /* Fri Feb 04 2022 17:46:53.9515 */SELECT C999003082 FROM T226 WHERE C1 = 'CC0000272965790'
I need to extract the CC* value, for example in this case CC0000132482648 (first log) and CC0000272965790 (second log).
Thanks in advance!
... View more
Labels
- Labels:
-
field extraction
-
fields
-
other
-
regex
-
rex
10-22-2021
05:32 AM
Hi, I have a query like this: index=star eventtype=login-history action=success Username=** | stats count by Username | sort - count | head 10 So in my result I have a list of username with the login count for each one. I know some users are bot, so I want to add a string before the username like BOT_Username, probably with if condition. For example, in my result I have: Alice 10 Bob 8 Carol 7 David 4 Eddie 2 I know Alice and Bob are bot, so I need: BOT_Alice 10 BOT_Bob 8 Carol 7 David 4 Eddie 2 Thanks in advance!
... View more
Labels
- Labels:
-
other
-
single value
04-28-2021
06:34 AM
Hi, I need to filter out some events from a syslog source. The events are like this: Apr 28 14:15:09 10.130.4.203 Apr 28 14:15:09 hostname: User **** : Sign Off, ID: **, InstID: 4731, IPAddress: *****, FolderID: 0, Username: ******, AgentBrand: -, AgentVersion: -, XFerSize: 0, Error: 0 Apr 28 14:15:09 10.130.4.203 Apr 28 14:15:09 hostname: User **** : Upload, ID: **, InstID: 4731, IPAddress: *****, FolderID: 1234, Username: ******, AgentBrand: -, AgentVersion: -, XFerSize: 0, Error: 0 Apr 28 14:15:09 10.130.4.203 Apr 28 14:15:09 hostname: User **** : Sign Off, ID: **, InstID: 2819, IPAddress: *****, FolderID: 0, Username: ******, AgentBrand: -, AgentVersion: -, XFerSize: 0, Error: 0 I have two different InstID (4731 and 2819) and many FolderID, so I need to keep all the events with InstID:2189 and the events whith InstID:4731 and FolderID:0, so my goal is to discard by props.conf and transforms.conf all the events that have InstID:4731 and FolderID different from 0 Any help? Thanks in advance
... View more
Labels
