Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Flo-Paris
Flo-Paris
Explorer
Member since:
04-18-2021
05-27-2021
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 04-18-2021 |
Activity Feed
- Posted Re: Universal Forwarder and AppLocker Events XML on Getting Data In. 05-27-2021 08:11 AM
- Posted Re: Universal Forwarder and AppLocker Events XML on Getting Data In. 05-27-2021 08:11 AM
- Posted Re: Universal Forwarder and AppLocker Events XML on Getting Data In. 05-27-2021 08:10 AM
- Posted Re: Help on REGEX match ignoring non-mandatory string at its end on Splunk Search. 05-03-2021 01:02 PM
- Karma Re: Help on REGEX match ignoring non-mandatory string at its end for maciep. 05-03-2021 01:01 PM
- Posted Help on REGEX match ignoring non-mandatory string at its end on Splunk Search. 05-03-2021 10:57 AM
- Posted Re: Field Extraction : regex works fine with search using "rex" command but not with Field extraction on Splunk Search. 04-21-2021 06:17 AM
- Posted Re: Field Extraction : regex works fine with search using "rex" command but not with Field extraction on Splunk Search. 04-21-2021 06:11 AM
- Posted Re: Field Extraction : regex works fine with search using "rex" command but not with Field extraction on Splunk Search. 04-21-2021 06:08 AM
- Posted Re: Field Extraction : regex works fine with search using "rex" command but not with Field extraction on Splunk Search. 04-21-2021 06:06 AM
- Posted Field Extraction : regex works fine with search using "rex" command but not with Field extraction on Splunk Search. 04-21-2021 06:03 AM
- Karma Re: Dropdown input : Unable to get dynamic options displayed from a search for bowesmana. 04-19-2021 06:13 AM
- Karma Re: Dropdown input : Unable to get dynamic options displayed from a search for ITWhisperer. 04-19-2021 06:13 AM
- Posted Re: Dropdown input : Unable to get dynamic options displayed from a search on Dashboards & Visualizations. 04-19-2021 01:05 AM
- Posted Re: Dropdown input : Unable to get dynamic options displayed from a search on Dashboards & Visualizations. 04-18-2021 04:01 PM
- Posted Dropdown input : Unable to get dynamic options displayed from a search on Dashboards & Visualizations. 04-18-2021 03:54 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
05-27-2021
08:10 AM
Hello, Did you find a solution ? i have the same issue, i dont know how to get in my splunk the xml part of the eventlog where the most useful information (file signature, full file path, etc...) are concerning AppLocker... Any help ? thanks, Florent
... View more
05-03-2021
01:02 PM
Thanks, it's perfect, seems so simple...when you master Regex ;-))
... View more
05-03-2021
10:57 AM
Hello, i searched few hours how to extract the RULE_NAME field from my Firewall logs without success. RULE_NAME is at the end of the log line, between (). It can contain any characters, space, "-" or "_". My problem comes from the fact that the RULE_NAME is sometimes finished by a 3 characters string i need to remove : "-00" Here is my actual REGEX, but it does't works for the simple "Internal Policy" RULE_NAME : .*\s+\((?P<RULE_NAME>.*)?(-00)\)$ Here are original logs lines i need to match : May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 172.XXX.XXX.1 54127 53 src_user="fgi@mycorp.com" (DNS-01-proxy_user.out-00) May 3 17:39:56 10.40.1.254 May 3 17:39:56 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow VLAN1-Lan-Trusted Firebox 69 udp 20 128 172.21.20.26 172.21.20.254 52481 53 msg="DNS Forwarding" src_user="yal@mycorp.lan" record_type="A" question="sync.srv.stackadapt.com" (Internal Policy) May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 172.XXX.XXX.1 54127 53 src_user="fgi@mycorp.com" (My super rule name with space DNS.out) Any idea on how to ignore the "-00" suffix when present ? thanks Florent
... View more
Labels
- Labels:
-
field extraction
-
regex
04-21-2021
06:17 AM
Here are my existing Field Extractions in the Splunk Settings / Fields / Field Extractions menu
... View more
04-21-2021
06:11 AM
Even if Splunk field extraction wizard seems to match my fields already...
... View more
04-21-2021
06:08 AM
Only "RULE_NAME" seems to be correctly extracted by default (see attachment), i don't know why...
... View more
04-21-2021
06:06 AM
Exemple of original log received : Apr 21 15:04:33 10.40.1.254 Apr 21 15:04:33 FRPARXXX0001.mydomain.local firewall: msg_id="3000-0151" Allow Firebox EXT-FIBER-XXX-100 udp 1XX.XXX.XXX.1 1.XXX.XXX.10 39010 53 dst_user="administrator@mydomain.local" duration="32" sent_bytes="68" rcvd_bytes="128" (Any From Firebox-00)
... View more
04-21-2021
06:03 AM
Hello, I'm trying to analyze WatchGuard firewall logs received by Splunk using syslog on udp 514 port. I was able to find a well working regex to use in a search using the following rex command in order to extract needed fields : * | rex field=_raw ".*\s(?<HOSTNAME>\S+)\s(?<PROCESS>\S+):\s.*\s(?<DISPOSITION>(Allow|Deny))\s(?<SRC_INT>\S+)\s(?<DST_INT>\S+)\s.*(?<PR>(icmp|igmp|tcp|udp)).*\s(?<SRC_IP>[[octet]](?:\.[[octet]]){3})\s(?<DST_IP>[[octet]](?:\.[[octet]]){3})\s(?<SRC_PORT>\d{1,5})\s(?<DST_PORT>\d{1,5})\s.*\((?P<RULE_NAME>.*)?(-00)\)$" | table HOSTNAME,PROCESS,DISPOSITION,SRC_INT,DST_INT,PR,SRC_IP,DST_IP,SRC_PORT,DST_PORT,RULE_NAME Result is a table as we can see in attachment. Now, in order to optimize all of that, i would like to be able to extract all these fields automatically without having the need to use a rex command in each search i run... i tryed using the Splunk Field extraction wizard, both using the automatic regex generator and by copy paste my search regex, but no success... i suppose i missed something somewhere ? thanks for your help Florent
... View more
Labels
- Labels:
-
field extraction
-
rex
04-19-2021
01:05 AM
Hello, thanks for your reply, it now displays the results of my query, but everything is seen as the same result/value, i think something is still missing somewhere. Any idea ? thanks, Florent
... View more
04-18-2021
04:01 PM
table displayed in my dashboard by default search tested to get RULE_NAME values
... View more
04-18-2021
03:54 PM
Hello, i' trying (without success...) to use a custom search to get the list of possible values of a field in a drill down input field of a Dashboard i'm working on. Here is the search i use to look at "exotic" Firewall logs and extract the possible RULE_NAME field values : index=my_index | rex field=_raw ".*\s(?<HOSTNAME>\S+)\s(?<PROCESS>\S+):\s.*\s(?<ACTION>(Allow|Deny))\s(?<SRC_INT>\S+)\s(?<DST_INT>\S+)\s.*(?<PR>(icmp|tcp|udp)).*\s(?<SRC_IP>[[octet]](?:\.[[octet]]){3})\s(?<DST_IP>[[octet]](?:\.[[octet]]){3})\s(?<SRC_PORT>\d{1,5})\s(?<DST_PORT>\d{1,5})\s.*\((?P<RULE_NAME>.*)?(-00)\)$" | stats values(RULE_NAME) | sort -n => it is displaying with success what i need if i run it into a simple searh window. here is what i put in my fields of the Dropdown menu : Input Type : Drop down Label : Rule Name Token : rule_name_token Created a STATIC OPTION named ANY with "*" as value (also set as default one) Field For Label : RULE_NAME Field For Value : RULE_NAME Problem : Nothing appears but ANY in my dropdown list (even if a can see briefly the "populating..." keywork displayed under this input dropdown menu during 1 second). Any help please ? i certainly missed something ? Thanks Florent
... View more
Labels
- Labels:
-
token
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-27-2021
12:43 PM
|
