About paras

paras · ‎07-24-2023

In transforms.conf [bv_windows_mapping] filename =bv_windows_mapping.csv max_matches = 1 min_matches = 1 In props.conf LOOKUP-bv_windows_mapping =bv_windows_mapping EventCode OUTPUTNEW action, category, attr

paras · ‎07-21-2023

I have a lookup that is mapping action, category, attributes and more fields for windows event codes. However for each event code not all the column have values. EventCode, action, category, attr, ..... 1,allow,,xyx,,, 2,fail,firewall,,.... When I add this to the transforms and props.conf and deploy it out to splunk cloud it is creating fields even when it is empty for that match. Is there a way to make sure that the null values are not getting outputted using props and transforms.conf ?

paras · ‎10-31-2022

I need to be able to split multiple fields that have a delimiter of "|#|". The field name will differ depending on the log. Is there a way to do a mass split using props.conf or transforms.conf. Is there a way to do this without having to write a eval statement for every single field that may come? EX: log:: time=XXXX,src_ip="123.123.123.123|#|234.234.234.234|#|",user="foo1|#|foo2|#|foo3"...... I want to split src_ip, and user.

paras · ‎08-16-2022

Hello, I wanted to know if there is a definitive rule on how to structure a props.conf. I read the docs and it does not say anything about a preference of where to call what operation. I understand the search time operation order form Extract -> Report -> Eval -> FieldAlias -> Lookup. My question is within a stanz does all the extract have to happen at the top, then the Reports, then the Eval Ex: FIELDALIAS-src_ip = srcip ASNEW src_ip FIELDALIAS-dest_ip = dstip ASNEW dest_ip FIELDALIAS-src_port = sport ASNEW src_port FIELDALIAS-dest_port = dport ASNEW dest_port FIELDALIAS-authentication_protocol = protocol ASNEW authentication_protocol FIELDALIAS-src_ip = srcip ASNEW src_ip FIELDALIAS-dest_ip = dstip ASNEW dest_ip FIELDALIAS-src_port = sport ASNEW src_port FIELDALIAS-dest_port = dport ASNEW dest_port

paras · ‎06-02-2022

I have this lookup that has a list of searches I want to run. I want to run a search that can run output the "magic" values search results. The expected search. This is the search I am using, " | inputlookup test.csv | map search=$magic$ " When I run this this is the error I am getting: " Unable to run query '"search index::client* sourcetype::ActiveDirectory | fields admonEventType memberOf sAMAccountName sAMAccountType | head 100 | fieldsummary maxvals=2 | where count > 0 | table field values"'. "

paras · ‎08-12-2021

We use cribl for field extraction. `Action` is a field that is being parsed from cribl and it should be a indexed field in splunk. Did a initial search with the query "index=client* sourcetype=unix_auth" This returns 6 failure in the last 4 hours. When I use the search "index=client* sourcetype=unix_auth action=fail*". It returns all 6 failed events. when I then change the search to "index=client* sourcetype=unix_auth action=failure" It does not return any events. But when I use the " :: " in the search "index=client* sourcetype=unix_auth action::failure" It returns all the events. Sample event: