Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About DanAlexander
DanAlexander
Communicator
Member since:
11-14-2021
09-03-2025
Community Statistics
| Posts | 120 |
| Solutions | 0 |
| Karma Given | 38 |
| Karma Received | 1 |
| Member Since | 11-14-2021 |
Activity Feed
- Posted SC4S vs “syslog servers tier” on Deployment Architecture. 09-03-2025 03:03 PM
- Posted Re: REGEX Requred on Getting Data In. 12-06-2024 04:56 AM
- Posted Re: REGEX Requred on Getting Data In. 12-06-2024 04:51 AM
- Got Karma for Re: REGEX Requred. 12-05-2024 08:41 AM
- Posted Re: REGEX Requred on Getting Data In. 12-05-2024 08:21 AM
- Posted REGEX Requred on Getting Data In. 12-05-2024 07:25 AM
- Posted Re: SEDCMD issues on Getting Data In. 11-30-2024 01:18 PM
- Posted SEDCMD issues on Getting Data In. 11-30-2024 03:09 AM
- Posted Re: SPLUNK Raw data reducing on Getting Data In. 11-27-2024 06:55 AM
- Karma Re: SPLUNK Raw data reducing for PickleRick. 11-27-2024 06:53 AM
- Karma Re: SPLUNK Raw data reducing for ITWhisperer. 11-27-2024 06:53 AM
- Posted Re: SPLUNK Raw data reducing on Getting Data In. 11-27-2024 06:52 AM
- Posted SPLUNK Raw data reducing on Getting Data In. 11-27-2024 04:46 AM
- Posted Re: trying to compare two sources and extract these ones that do not have SysMon on Splunk Search. 01-24-2024 02:12 PM
- Karma Re: trying to compare two sources and extract these ones that do not have SysMon for yuanliu. 01-24-2024 02:11 PM
- Posted Re: trying to compare two sources and extract these ones that do not have SysMon on Splunk Search. 01-23-2024 08:08 AM
- Posted Re: trying to compare two sources and extract these ones that do not have SysMon on Splunk Search. 01-22-2024 11:44 PM
- Posted Re: trying to compare two sources and extract these ones that do not have SysMon on Splunk Search. 01-22-2024 04:28 PM
- Posted Re: trying to compare two sources and extract these ones that do not have SysMon on Splunk Search. 01-22-2024 11:30 AM
- Posted Re: trying to compare two sources and extract these ones that do not have SysMon on Splunk Search. 01-22-2024 06:53 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-03-2025
03:03 PM
Why SC4S over a generic “syslog servers tier” 1. It is Splunk’s best practice today Splunk Validated Architectures calls SC4S the current best practice for syslog and says the UF or HF tailing files on a generic syslog server is widely used but no longer recommended in favour of SC4S. It also says direct TCP or UDP inputs to forwarders or indexers are not recommended for production. 2. Better distribution and performance HEC streaming directly to indexers produces more even data distribution than AutoLB on forwarders. Even distribution directly improves search performance and storage balancing. 3. Higher data quality from day one SC4S assigns correct sourcetypes and metadata for each technology so your Splunk add ons and CIM based content work consistently. The SVA also notes that SC4S reduces or removes the need to manage add ons on indexers. 4. Reliability features you can evidence Disk buffers protect against short downstream issues. Guidance gives a conservative sized figure of about sixty thousand events per second per server with disk buffering enabled, which is plenty for most estates. Without disk buffering the ceiling is much higher, but buffering is strongly recommended to avoid loss. 5. Operational simplicity and supportability SC4S is containerised, uses environment variables rather than artisanal config, has a published vendor catalogue, and is Splunk supported with active releases. It is a repeatable pattern your team can run, not a consultancy craft project. -------------------------------- What a generic syslog tier really means, and its drawbacks The old pattern is syslog servers writing to disk with a UF or HF tailing files into Splunk. Splunk documents this as still supported but explicitly no longer the best practice because it adds complexity, creates distribution challenges, increases change risk during agent restarts, and often leads to catch all sourcetypes that harm analytics. Sending raw syslog directly to forwarders or indexers is strongly discouraged for production due to loss during restarts and poor resilience. This is not my opinion, it is Splunk’s own. Would you agree to the above? Kind regards, Dan
... View more
12-06-2024
04:56 AM
Hi @richgalloway Thanks for your reply. Apologies, for the delay in replying but I had to test it. Please see the results here: https://regex101.com/r/7u6vAP/1 Now I need to figure out as I have asked @ITWhisperer how to make both work the | makeresult | rex mode=sed ........ and the props SEDCMD-reducing_4702=? to work strip the event thus reducing its weight in bytes Thank you
... View more
12-06-2024
04:51 AM
Hi @ITWhisperer, Please have a look at https://regex101.com/r/wRe1Ai/1 That works in 101regex web portal, but it does not work under the makeresults and SEDCMD in props.conf I had to remove the (?ms).*(?<ei>\ as SEDCMD s/ would not accept it neither <ei> bit. Can you please work out the exact SEDCMD-reducing_4702=s/........g bit that will be compatible with the SEDCMD? Also can you try that in Splunk e.g. getting the | makeresult SPL and see if the one SPL you provide would work/remove the unwanted parts from the event? Thank you.
... View more
12-05-2024
08:21 AM
1 Karma
Hi @richgalloway, thank you for your reply. Apologies, I should have been a bit more descriptive. I am trying to implement a SEDCMD in transforms.conf to reduce a single raw event's size, specifically by removing elements that will never be used while keeping the event intact for compliance purposes. My intent is not to extract fields but to ensure that only the necessary elements remain in the raw event. A single regex that can clean up the event by removing unused parts while leaving the required fields would be ideal. Thanks in advance for your guidance! Best regards, D Alex
... View more
12-05-2024
07:25 AM
Hello Community I need regex that can return extract the following fields only from event 4702: 1. <EventID></EventID> 2.<TimeCreated SystemTime='2024-12-05T14:59:44.9923272Z'/> 3.<Computer>Host</Computer> 4.<Data Name='TaskName'>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data> from the following raw event: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4702</EventID><Version>1</Version><Level>0</Level><Task>12804</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-12-05T14:59:44.9923272Z'/><EventRecordID>2470365</EventRecordID><Correlation ActivityID='{625186de-46eb-0000-1689-5162eb46db01}'/><Execution ProcessID='1408' ThreadID='1600'/><Channel>Security</Channel><Computer>Host</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-20</Data><Data Name='SubjectUserName'> Host $</Data><Data Name='SubjectDomainName'> Host </Data><Data Name='SubjectLogonId'>0x3e4</Data><Data Name='TaskName'>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data><Data Name='TaskContentNew'><?xml version="1.0" encoding="UTF-16"?> <Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2024-12-10T07:54:44Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id="NetworkService"> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context="NetworkService"> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task></Data><Data Name='ClientProcessStartKey'>26177172834095606</Data><Data Name='ClientProcessId'>2408</Data><Data Name='ParentProcessId'>1368</Data><Data Name='RpcCallClientLocality'>0</Data><Data Name='FQDN'>Host</Data></EventData></Event> I need to be able to validate via | makeresults rex mod=sed..... Thanks in advance
... View more
Labels
11-30-2024
01:18 PM
Hi @PickleRick, Thank you for the clarification and yes you are correct I am addressing the same issue. Here's the updated response that reflects the correct sequence of events: 1. Component Placement The Universal Forwarder (UF) is responsible only for collecting and forwarding data and does not perform parsing or transformations. SEDCMD settings in props.conf must therefore be applied on the indexers, where parsing occurs. Since there are no Heavy Forwarders in the architecture, the indexers were the correct location for these configurations. 2. Stanza Naming and Testing I confirm that the XmlWinEventLog: Security stanza was the correct choice for this configuration. Each SEDCMD was tested separately in this stanza: The first SEDCMD partially worked, applying some transformations but not entirely meeting the expected output. The second SEDCMD, tested independently, caused Event ID 4627 to stop being indexed altogether. These results confirm that XmlWinEventLog: Security is the appropriate naming convention, as the configuration was correctly recognised and applied. Additionally, I tested other stanzas, including WinEventLog: Security, and none worked as intended, further validating that XmlWinEventLog: Security is the correct stanza to use 3. Configuration Location For quick validation during testing, the configurations were initially placed in system/local. For production deployment, they have been moved into dedicated apps, ensuring better organisation, ease of updates, and compliance with Splunk’s best practices. 4. Regex Validation Both SEDCMD regex directives were validated using | makeresults with the raw event data. The partial success of the first and the indexing failure of the second highlight that the regex logic itself or environmental factors need adjustment for consistent application in production I hope this clears up any concerns and confirms the steps taken during testing and deployment. Let me know if there’s anything else you’d like me to elaborate to be able to resolve the issue Best regards, Dan
... View more
11-30-2024
03:09 AM
Hi community,
The following mod=sed regex works as expected, but when I attempted on the system/local/props.conf on the indexers it fails to trim as tested via | make results
| makeresults
| eval _raw="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3bxxxxxx}'/><EventID>4627</EventID><Version>0</Version><Level>0</Level><Task>12554</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-11-27T11:27:45.6695363Z'/><EventRecordID>2177113</EventRecordID><Correlation ActivityID='{01491b93-40a4-0002-6926-4901a440db01}'/><Execution ProcessID='1196' ThreadID='1312'/><Channel>Security</Channel><Computer>Computer1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>CXXXXXX</Data><Data Name='SubjectDomainName'>CXXXXXXXX</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='EventIdx'>1</Data><Data Name='EventCountTotal'>1</Data><Data Name='GroupMembership'>
%{S-1-5-32-544}
%{S-1-1-0}
%{S-1-5-11}
%{S-1-16-16384}</Data></EventData></Event>"
| rex mode=sed "s/(?s).*<Event[^>]*>.*?<EventID>4627<\/EventID>.*?<TimeCreated SystemTime='([^']*)'.*?<Computer>([^<]*)<\/Computer>.*?<Data Name='SubjectUserName'>([^<]*)<\/Data>.*?<Data Name='SubjectDomainName'>([^<]*)<\/Data>.*?<Data Name='TargetUserName'>([^<]*)<\/Data>.*?<Data Name='TargetDomainName'>([^<]*)<\/Data>.*?<Data Name='LogonType'>([^<]*)<\/Data>.*?<\/Event>.*/EventID:4627 TimeCreated:\\1 Computer:\\2 SubjectUserName:\\3 SubjectDomainName:\\4 TargetUserName:\\5 TargetDomainName:\\6 LogonType:\\7/g"
----------------------------------
[XmlWinEventLog: Security]
SEDCMD-reduce_4627 = s/(?s).*<Event[^>]*>.*?<EventID>4627<\/EventID>.*?<TimeCreated SystemTime='([^']*)'.*?<Computer>([^<]*)<\/Computer>.*?<Data Name='SubjectUserName'>([^<]*)<\/Data>.*?<Data Name='SubjectDomainName'>([^<]*)<\/Data>.*?<Data Name='TargetUserName'>([^<]*)<\/Data>.*?<Data Name='TargetDomainName'>([^<]*)<\/Data>.*?<Data Name='LogonType'>([^<]*)<\/Data>.*?<\/Event>.*/EventID:4627 TimeCreated:\1 Computer:\2 SubjectUserName:\3 SubjectDomainName:\4 TargetUserName:\5 TargetDomainName:\6 LogonType:\7/g
Can anyone help me identify where the problem is, please?
Thank you.
... View more
11-27-2024
06:55 AM
Hi @ITWhisperer, Thank you for your feedback. The Regex works, but according to @PickleRick I will need to adjust my approach. Kind regards, Dan
... View more
11-27-2024
06:52 AM
Hi @PickleRick, Thank you for your valuable feedback. Index-Time Extractions: You're right that named capture groups might not be supported at index time. I'll modify my configurations to use numbered capture groups to ensure they function correctly. Rewriting _raw: I appreciate you highlighting the potential issues with rewriting _raw to contain key-value pairs. My intention was to reduce the size of the events by removing unnecessary data, but I see how this could lead to unintended side effects during indexing. I'll reconsider this approach. Structured Data Parsing: Your point about the risks of using regex to parse XML is well-taken. Given that XML fields may vary in order and presence, relying on regex could indeed cause problems. Utilizing Splunk's structured data parsing capabilities seems like a better solution. Next steps: To achieve my goal of reducing the indexed data volume for EventID=4627 events, I'd like to leverage Splunk's XML parsing features. Specifically, I'm thinking of using INDEXED_EXTRACTIONS = xml and configuring EXCLUDE rules in props.conf to omit the unwanted fields at index time. Example Configuration BEFORE: [reduce_event_raw] REGEX = (?ms)<Event[^>]*>.*?<System>.*?<EventID>4627<\/EventID>.*?<Computer>(?<Computer>[^<]*)<\/Computer>.*?<Data\s+Name='SubjectUserName'>(?<SubjectUserName>[^<]*)<\/Data>.*?<Data\s+Name='TargetUserName'>(?<TargetUserName>[^<]*)<\/Data>.*?<Data\s+Name='LogonType'>(?<LogonType>[^<]*)<\/Data> FORMAT = Computer::$1 SubjectUserName::$2 TargetUserName::$3 LogonType::$4 DEST_KEY = _raw Example Configuration AFTER: [XmlWinEventLog:Security] INDEXED_EXTRACTIONS = xml KV_MODE = none EXCLUDE = (?i)(SubjectUserSid|SubjectDomainName|SubjectLogonId|TargetUserSid|TargetDomainName|TargetLogonId|EventIdx|EventCountTotal|GroupMembership) Do you think this approach would effectively remove the unnecessary fields before indexing while maintaining reliable field extraction for the essential data? If you have any suggestions or best practices for this method, I'd greatly appreciate your guidance. Regards, Dan
... View more
11-27-2024
04:46 AM
Hi Community, Trying to build regex that can help me reduce the size of an EventCode in my case this is 4627 The idea is to use props and transforms: props.conf [XmlWinEventLog:Security] TRANSFORMS-reduce_raw = reduce_event_raw transforms.conf [reduce_event_raw] REGEX = <Event[^>]*>.*?<System>.*?<Provider\s+Name='(?<ProviderName>[^']*)'\s+Guid='(?<ProviderGuid>[^']*)'.*?<EventID>(?<EventID>\d+)</EventID>.*?<Version>(?<Version>\d+)</Version>.*?<Level>(?<Level>\d+)</Level>.*?<Task>(?<Task>\d+)</Task>.*?<Opcode>(?<Opcode>\d+)</Opcode>.*?<Keywords>(?<Keywords>[^<]*)</Keywords>.*?<TimeCreated\s+SystemTime='(?<SystemTime>[^']*)'.*?<EventRecordID>(?<EventRecordID>\d+)</EventRecordID>.*?<Correlation\s+ActivityID='(?<ActivityID>[^']*)'.*?<Execution\s+ProcessID='(?<ProcessID>\d+)'\s+ThreadID='(?<ThreadID>\d+)'.*?<Channel>(?<Channel>[^<]*)</Channel>.*?<Computer>(?<Computer>[^<]*)</Computer>.*?<EventData>.*?<Data\s+Name='SubjectUserSid'>(?<SubjectUserSid>[^<]*)</Data>.*?<Data\s+Name='SubjectUserName'>(?<SubjectUserName>[^<]*)</Data>.*?<Data\s+Name='SubjectDomainName'>(?<SubjectDomainName>[^<]*)</Data>.*?<Data\s+Name='SubjectLogonId'>(?<SubjectLogonId>[^<]*)</Data>.*?<Data\s+Name='TargetUserSid'>(?<TargetUserSid>[^<]*)</Data>.*?<Data\s+Name='TargetUserName'>(?<TargetUserName>[^<]*)</Data>.*?<Data\s+Name='TargetDomainName'>(?<TargetDomainName>[^<]*)</Data>.*?<Data\s+Name='TargetLogonId'>(?<TargetLogonId>[^<]*)</Data>.*?<Data\s+Name='LogonType'>(?<LogonType>[^<]*)</Data>.*?<Data\s+Name='EventIdx'>(?<EventIdx>[^<]*)</Data>.*?<Data\s+Name='EventCountTotal'>(?<EventCountTotal>[^<]*)</Data>.*?<Data\s+Name='GroupMembership'>(?<GroupMembership>.*?)</Data>.*?</EventData>.*?</Event> FORMAT = ProviderName::$1 ProviderGuid::$2 EventID::$3 Version::$4 Level::$5 Task::$6 Opcode::$7 Keywords::$8 SystemTime::$9 EventRecordID::$10 ActivityID::$11 ProcessID::$12 ThreadID::$13 Channel::$14 Computer::$15 SubjectUserSid::$16 SubjectUserName::$17 SubjectDomainName::$18 SubjectLogonId::$19 TargetUserSid::$20 TargetUserName::$21 TargetDomainName::$22 TargetLogonId::$23 LogonType::$24 EventIdx::$25 EventCountTotal::$26 GroupMembership::$27 DEST_KEY = _raw Then I will be able to pick which bits from the raw data to be indexed It looks like the regex would not pick up on fields correctly There is the raw event: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3bxxxxxx}'/><EventID>4627</EventID><Version>0</Version><Level>0</Level><Task>12554</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-11-27T11:27:45.6695363Z'/><EventRecordID>2177113</EventRecordID><Correlation ActivityID='{01491b93-40a4-0002-6926-4901a440db01}'/><Execution ProcessID='1196' ThreadID='1312'/><Channel>Security</Channel><Computer>Computer1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>CXXXXXX</Data><Data Name='SubjectDomainName'>CXXXXXXXX</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>SYSTEM</Data><Data Name='TargetDomainName'>NT AUTHORITY</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='LogonType'>5</Data><Data Name='EventIdx'>1</Data><Data Name='EventCountTotal'>1</Data><Data Name='GroupMembership'> %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384}</Data></EventData></Event Any help t-shoot the problem will be highly valued. Thank you in advance!
... View more
Labels
01-24-2024
02:12 PM
Thanks very much for the solution @yuanliu Much appreciated!
... View more
01-23-2024
08:08 AM
Frustration is the least emotional state I wanted to achieve here. Apologies! I still believe it was not me confusing people, I just wanted help with simply being able to compare two datasets and printing out the only hosts seen in one of the data sources. if that sounds confusing then again apologies. I have been a member for some time now and always admired all the help given here. I have tested all solutions provided so far, and seen no results (it might be my fault). The only solution that provided me with the results I want was the following for all to use. I agree (do not have great knowledge around set command as of now) set might not be as efficient as other commands bet here is what worked for me. | set diff [| tstats count where source_1 by host | table host] [| tstats count where source_2 by host | table host] That SPL provides a list of all of the hosts not seen in source_2 At the end of the day it is important for people to get some working examples. They are testing and either working or not working. Silence is gold time to time and no one wants frustration waves. I was not meant to do any harm. Been in the industry for a long time enough to realize we all different and have different emotions. Please, by all means if you can create something that would prove me wrong or anything better than set command for the community to use. Thank you!
... View more
01-22-2024
11:44 PM
Thanks for the reply @yuanliu Agree to disagree. If you look at the very beginning of my post I asked: "I have a challenge finding and isolating the unique hosts out of two sources" I think this is clear and SysMon and DHCP were just an example. Nothing concrete. During the communication I have reiterated this statement. Apologies if misunderstood. Thanks all for your help.
... View more
01-22-2024
04:28 PM
Thanks for your reply @yuanliu Unfortunately, your search did not provide the results I wanted. After executing the separate searches and abstract manually the result differs from the resultant of your search. Please do try it out. After lots of try/error I finally found the one that does the trick. It is by using 'set diff' command. I will provide my solution tomorrow for everyone to use. Regards, Dan
... View more
01-22-2024
11:30 AM
Hi, thanks for the reply. To simplify it let us say we have two lists of items of same type it could be anything. How can we compare both lists and list only the subset of items not common to both lists. Regards, D
... View more
01-22-2024
06:53 AM
Thanks for the reply @PickleRick Sure, there will be a third column containing only assets that are not seen in both sources simultaneously and in addition at the end of the list there should be Totals of these assets. Would you be able to develop a sample solution for this, please? Thank you.
... View more
- Tags:
- Thanks for the reply
01-20-2024
05:06 PM
@PickleRick Thanks for the reply. Please, ignore both searches. What I want to pull out the total unique assets in the DHCP source. I then want to be able to compare to the totals of unique assets in the SysMon source and output these assets that do not have SysMon present. Thanks in advance.
... View more
01-20-2024
12:38 PM
Hello Community, I have a challenge finding and isolating the unique hosts out of two sources (DHCL and SysMon in my case) I did try the following but it did work as expected: EXAMPLE 1: index=dhcp_source_index | stats count by host | eval source="dhcp" | append [ search index=sysmon_index | stats count by host | eval source="sysmon" ] | stats values(source) as sources by host | where mvcount(sources)=1 AND sources="dhcp" EXAMPLE 2: index=my_index | dedup host, source | stats list(source) as sources by host | append [search index=my_index | stats latest(_time) as last_seen by host] | eventstats max(last_seen) as last_seen by host | where mvcount(sources)=1 | table host, last_seen The numbers from the manual findings and the above SPLs differ Thanks in advance
... View more
01-15-2024
03:33 AM
Hello Community, We have a challenge with our SysMon Instance. While testing compatibilities we noticed that after SysMon gets upgraded it no longer talks to the SIEM for some weird reason. Has anyone experienced anything like this before? Regards, Dan
... View more
11-26-2023
01:06 PM
Hi, thanks for the reply @richgalloway All you said make sense. However, there are few scenarios where this statements might be out of order. Let me justify what I think. Splunk SE accessible from outside? Do not think any on prem instance is designed to be remote accessable. Anything can be reached vIa a switch (IP + port). All can of course be configured to restrict Internet to Intranet communication. Not even considering insiders and how all even read only users handle queries they send to the SE switch URI etc. I am sure the following will change our perspective of what this may cause if ignored as low severity: https://blog.hrncirik.net/cve-2023-46214-analysis Attackers, attack as service plus AI capabilities makes it even harder for defenders to defend. We simply do not know what we do not know in most instances before they get announced as Zero days. Thanks
... View more
11-25-2023
03:04 PM
Hi All, Can someone help me understand which .conf file is responsible to control the connectivity to/from Internet. Wanted to make sure that the so called pure ON Prem Splunk Enterprise solution is unreachable from Internet and most importantly not sending data outside e.g. 1.5 DTI? Thanks in advance.
... View more
11-25-2023
02:54 PM
Hello community, Can anyone please help me understand if the newest vulnerability can exploit a pure on prem Splunk Enterprise clustered solution? Can an arbitrary code be pushed remotely via any means? Splunk documentation and advisory are not very clear and just saying SE but not mentioning anything about 1.5 DTI and non publicity connected SE instance. Thank you.
... View more
Labels
- Labels:
-
authentication
-
login
-
permissions
-
SAML
-
SSL
-
SSO
10-31-2023
04:56 AM
Hello Comunity I am trying to identify the following. What would be the best data source/s on Win Systems to gain visibility over the Services (which should be different from Processes) and their DLLs, executables, hashes, and paths? The Endpoint Data Model requires fields related to the above: https://docs.splunk.com/Documentation/CIM/5.2.0/User/Endpoint Any help will be much appreciated! Thank you.
... View more
Labels
10-25-2023
06:19 AM
Hello, community, I wanted to share a challenge that I have mapping fields to Data Models. The issue is that I have identified/created fields that are required for a Deta Set, but they are not auto-populating e.g. cannot be seen by the Data Model/Set. Any suggestions of where I might be getting wrong? Regards, Dan
... View more
Labels
10-24-2023
02:02 AM
Hi All,
I am having an issue creating an alias simply going from DestinationPort to dest_port for SysMon EventID 3
I have tested:
index=my_index source=Sysmon
| eval destinationPort=dest_port
I have seen in Splunk TA Sysmon that there is FIELDALIAS-dest_port=DestinationPort AS dest_port
but still cannot convert DestinationPort to dest_port at Search time.
Any suggestions, please? There are no other apps contradicting the precedence.
Thank you!
... View more
Labels
- Labels:
-
alias
-
field extraction
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-03-2025
03:58 PM
|
