Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About gargantua
gargantua
Path Finder
Member since:
02-06-2023
06-17-2025
Community Statistics
| Posts | 14 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 2 |
| Member Since | 02-06-2023 |
Activity Feed
- Posted Re: SPL challenge ! Fusionning a multi |eval expression into one line ? on Getting Data In. 06-17-2025 01:10 AM
- Karma Re: SPL challenge ! Fusionning a multi |eval expression into one line ? for PickleRick. 06-17-2025 01:09 AM
- Posted SPL challenge ! Fusionning a multi |eval expression into one line ? on Getting Data In. 06-16-2025 06:10 AM
- Posted Re: Hide specific notables from IR (Incident review) in ES on Splunk Enterprise Security. 04-18-2025 10:57 AM
- Got Karma for Re: How to parse this kind of log. 03-28-2025 05:56 AM
- Posted Re: How to extract value with dynamic key name on Splunk Search. 03-24-2025 01:04 AM
- Posted Re: How to extract value with dynamic key name on Splunk Search. 03-22-2025 04:20 PM
- Posted Re: How to extract value with dynamic key name on Splunk Search. 03-22-2025 04:13 PM
- Posted Re: How to parse this kind of log on Getting Data In. 03-21-2025 08:38 AM
- Got Karma for Re: Enterprise security app. 03-21-2025 07:45 AM
- Posted Re: Enterprise security app on Splunk Enterprise Security. 03-21-2025 07:37 AM
- Posted Re: rsyslog + apache access logs : How to parse correctly ? on Getting Data In. 03-21-2024 06:05 AM
- Posted rsyslog + apache access logs : How to parse correctly ? on Getting Data In. 03-21-2024 02:51 AM
- Posted Re: Workflow actions and variables on Splunk Search. 08-16-2023 02:28 AM
- Posted Workflow actions and variables on Splunk Search. 08-16-2023 02:00 AM
- Tagged Workflow actions and variables on Splunk Search. 08-16-2023 02:00 AM
- Tagged Workflow actions and variables on Splunk Search. 08-16-2023 02:00 AM
- Posted Splunk Enterprise Security : Variable substitution does not work for all fields? on Splunk Enterprise Security. 04-28-2023 02:30 AM
- Posted Where to install apps on the the client side ? on All Apps and Add-ons. 02-16-2023 12:18 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-17-2025
01:10 AM
Thanks a million.
... View more
06-16-2025
06:10 AM
Hi, I'm onboarding some new data and I'm working on the fields extraction. Data is some proper JSON related to emails. I'm having some hard time with the "attachments" field which I'm trying to make CIM compliant. This attachment field is multivalue (it's a JSON array) and contains : - The string "attachments" in the 0 position (the first position) - The file name in every impair position (1, 3 , 5, etc.) - The file hash in every pair position So far, I've done it in SPL but I cant find a way to do that in a props.conf (because in props.conf, you can't do a multiline |eval : Every eval is treated in a parrallel way) or in a transforms.conf. Here is what I've done in SPL : | makeresults
| eval attachments = mvappend("attachments", "doc1.pdf", "abc123", "doc2.pdf", "def456", "doc3.bla", "ghx789")
``` To get rid of the string "attachments" ```
| eval attachments = mvindex(attachments, 1, mvcount(attachments)-1)
```To create an index```
| eval index_attachments=mvrange(0,mvcount(attachments),1)
```To write down in file_type is the value is file_name or file_hash :```
| eval modulo = mvmap(index_attachments, 'index_attachments'%2)
| eval file_type = mvmap(modulo, if(modulo=0,"file_name", "file_hash"))
``` To zip all that with a "::::SPLIT::::" ```
| eval file_pair = mvzip('file_type', attachments, "::::SPLIT::::")
``` To then create file_name and file_hash```
| eval file_name = mvmap(file_pair, if(match(file_pair, "file_name::::SPLIT::::.*"), 'file_pair', null() ))
| eval file_hash = mvmap(file_pair, if(match(file_pair, "file_hash::::SPLIT::::.*"), 'file_pair', null() ))
| eval file_name = mvmap(file_name, replace(file_name, "file_name::::SPLIT::::", ""))
| eval file_hash = mvmap(file_hash, replace(file_hash, "file_hash::::SPLIT::::", ""))
| fields - attachments file_pair file_type index_attachments modulo attachments I'd be very glad to find a solution 🙂 Thanks for your kind help !
... View more
Labels
- Labels:
-
field extraction
04-18-2025
10:57 AM
I've done this little app in order to adress this specific use case : https://github.com/kilanmundera/Custom-Annotations-Framework-for-Splunk-Enterprise-Security
... View more
03-24-2025
01:04 AM
Or even that : | makeresults | eval json="{\"TIMESTAMP\": 1742677200,\"SYSINFO\": \"{\\\"number_of_notconnect_interfaces\\\":0,\\\"hostname\\\":\\\"test\\\",\\\"number_of_transceivers\\\":{\\\"10G-LR\\\":10,\\\"100G-CWDM4\\\":20},\\\"number_of_bfd_peers\\\":10,\\\"number_of_bgp_peers\\\":10,\\\"number_of_disabled_interfaces\\\":10,\\\"number_of_subinterfaces\\\":{\\\"Ethernet1\\\":10,\\\"Ethernet2\\\":20},\\\"number_of_up_interfaces\\\":1}\"}"
|fromjson json
|fromjson SYSINFO
|fields number_of_subinterfaces
|fromjson number_of_subinterfaces
|fields - number_of_subinterfaces _time
|transpose header_field=column
|rename "row 1" as value, column as keys 🙂
... View more
03-22-2025
04:20 PM
Is this doing what you're trying to do ? | makeresults | eval json="{\"TIMESTAMP\": 1742677200,\"SYSINFO\": \"{\\\"number_of_notconnect_interfaces\\\":0,\\\"hostname\\\":\\\"test\\\",\\\"number_of_transceivers\\\":{\\\"10G-LR\\\":10,\\\"100G-CWDM4\\\":20},\\\"number_of_bfd_peers\\\":10,\\\"number_of_bgp_peers\\\":10,\\\"number_of_disabled_interfaces\\\":10,\\\"number_of_subinterfaces\\\":{\\\"Ethernet1\\\":10,\\\"Ethernet2\\\":20},\\\"number_of_up_interfaces\\\":1}\"}"
|fromjson json
|fromjson SYSINFO
|fields number_of_subinterfaces
|fromjson number_of_subinterfaces
|fields - number_of_subinterfaces _time Results : Ethernet1 10 Ethernet2 20
... View more
03-21-2025
08:38 AM
1 Karma
Hi, One option would be to : 1 - Get rid of whatever data is being before the valid JSON For the example you posted, we can ask Splunk to delete this : Mar 18 02:32:19 MachineName python3[948]: DEBUG:root:... Dispatching: I'd use this in a props.conf : SEDCMD-removeheader=s/.*DEBUG:root:\.\.\. Dispatching: //g 2- Replace simple quotes with double quotes. Still in the props.conf : SEDCMD-replace_simple_quotes=s/'/"/gs 3- Activate the kv_mode=auto in order to extract the JSON fields: KV_MODE=json The props.conf could look like this : [custom_sourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
category=Custom
pulldown_type=true
SEDCMD-removeheader=s/.*DEBUG:root:\.\.\. Dispatching: //g
SEDCMD-replace_simple_quotes=s/'/"/g
KV_MODE=json It works in my lab. Best, Ch.
... View more
03-21-2025
07:37 AM
1 Karma
Hi there, Splunk Enterprise Security (ES) is a sort of extra layer to Splunk Enterprise, and it brings you more integrated possibilities : More possibilities when it come to create Alerts (Called Notable in ES. [this name must have changed in version 8 though]) An Alert Managment system (Incident Review) which allows a team to watch alerts and investigate them IOC detection and managment system Tons of useful dashboards All of that heavely relies on, Your data : If the data you're already ingesting into Splunk Enterprise is CIM compliant Documentation : https://docs.splunk.com/Documentation/CIM/6.0.2/User/Overview How well this data is mapped to Splunk Datamodels Everything is well explained in this page : https://docs.splunk.com/Documentation/ES/8.0.2/Install/DataSourcePlanning Identities (login accounts) and Assets (hosts) : You must give to Splunk ES a list of : identities of account names of the users of your organization hostnames / IP adresses of the assets of your organization This process is explained on this page : https://docs.splunk.com/Documentation/ES/8.0.2/Admin/VerifyAssetIdentityData Configuring ES to its full potential can take some time and energy but it worth it. Best, Ch.
... View more
03-21-2024
06:05 AM
You are correct in saying that Splunk no longer automatically extracts the fields with a new custom source type > Do you know if there is a way to activate this option ?
... View more
03-21-2024
02:51 AM
Dear splunkers, I need to ingest some apaches log files. Those log files are first sent to a syslog server by rsyslog rsyslog adds to each line of the log file its owns information. A UF is installed on this syslog server and can monitor the log file and send them to the indexers Each line of the log file looks like this : 2024-02-16T00:00:00.129824+01:00 website-webserver /var/log/apache2/website/access.log 10.0.0.1 - - [16/Feb/2024:00:00:00 +0100] "GET /" 200 10701 "-" "-" 228 As you can see, the first part of the log, until "/access.log " had been added by rsyslog, so this is something I want Splunk to filter out / delete. So far, I'm able to monitor the file and filter out the rsyslog layer of the events with a parameter, and I added TIME_PREFIX parameter, then Splunk automatically detects the timestamp. Like this : SEDCMD-1=s/^.*\.log //g
TIME_PREFIX=- - \[ I created a custom sourcetype accordingly. But the issue is that, the field extraction is not working properly. Almost no field beside the _time related fileds is being extracted. I guess it's because I'm using a custom sourcetype, so Splunk is not extracting the fields automaticaly as it should; But I'm not really sure... I'm a bit lost 😞 Thanks a lot for your kind help 🙂
... View more
Labels
- Labels:
-
data
08-16-2023
02:28 AM
I added the workflow action within the web UI of a search head. We're using Splunk Enterprise and Enterprise Security. All of our Splunk instances are on version 9 We ingest all type of events : *nix, windows sysmon, web server access logs, firewalls, etc. The workflow action is now available, but I still don't know what variable to use in my web request.
... View more
08-16-2023
02:00 AM
Hi, We have a internal wiki with tons of useful informations about hosts and IPs. I'm trying to set up a workflow that triggers a search of the value -IP or Hostname- on this internal wiki. First issue : Since this workflow action should work with a variety of fields (src_ip, dest_ip, host, src, dest, etc.) : What variable shall I use in order to return in the workflow action the selected value ? Is there a sort of global variable like $the_selected_value$ no matter it's an IP address, a hostname or whatsoever ? Second issue : I selected my workflow to be applied on any field with a * but the workflow action is just not available anywhere. Thanks in advance for your kind help on this matter ! Best
... View more
04-28-2023
02:30 AM
Hi all,
I created a correlation search in SPlunk ES and added a Notable Event in the Adaptative Response Actions.
I'd like to include in the notable some information from the correlation search results, such as : orig_host, ip, and some other custom fields.
I went to Incident Review Settings in order to add my custome fields in the Event Attributes
I customized my correlation search query in order to name the returned fieds that are named according to the Event Attributes that already exist + the custom ones that I just created
In the correlation search, into the "Notable" sub-menu, I added the fields I'd like to enrich my Notable with to Identity Extraction and Asset Extraction
I then added a fiew variables in the title of the created Notable. Something like "the user $custom_field_1$ just connected to the account of the user $custom_field_2$, from the computer $orig_host$ that belongs to $orig_host_owner$.
custom_field_1 and $custom_field_2 variables work and return the right values.
orig_host, orig_host_owner don't and return the strings $orig_host$ and $orig_host_owner$.
I'm a bit confused.
Does anybody have had this before ?
Thanks for your kind help !
... View more
Labels
02-16-2023
12:18 PM
Dear Splunkers, I just set up a little testing environment, with Splunk Enterprise running smoothly on a Debian server and a Universal Forwarder running on a Windows 10 machine. My goal is to send some sysmon logs into Splunk. I first started to follow this page from the official Splunk documentation : https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/Install But unfortunately, this page does not explain how to install the client side of the app (is there a client side anyway ? Well nothing is explained about it). What I did is that I set my inputs.conf file in etc/system/local on the client machine. It partially worked, as the data is being sent to the Splunk server, but none of the fancy dashboards and graphs that the Sysmon for Splunk add-on or app is supposed to display is available. I know I must have missed something on the client part, but I also have to mention here that the kafkaesque intricated tons-of-links Splunk documentation does not help me much, to say the least. It would be extremely nice if someone could turn on the light because so far, my Splunk journey is being black as midnight in a moonless night. Thanks a lot 🙂 Gargantua
... View more
Labels
- Labels:
-
configuration
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-17-2025
01:09 AM
|
