×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
valleyman
Loves-to-Learn Lots
Member since: ‎05-14-2024
‎05-15-2024
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-14-2024
Activity Feed
View All

Re: Problem in parsing Powershell commands

by in Splunk Search
‎05-15-2024 10:01 AM
‎05-15-2024 10:01 AM
Hello, I think I'm not that far, unfortunately I still cannot figure out how to extract field PS_command from the inputlookup, and passing it into the main search, and eventually how to map it to the Message from the index. Could you please try to built a little more on the answers? Thanks again! ... View more

Re: Problem in parsing Powershell commands

by in Splunk Search
‎05-15-2024 03:26 AM
‎05-15-2024 03:26 AM
Hello! Thanks for the extensive and very useful feedback! I have had chance to look at my search again, and with the correction suggested, I am now able to highlight correctly the strings I am interested in the Message field of the index, as the following example I am perhaps missing one final step, that is to add the search field from the following sub-search in the final table, as I understood the format command should add to my query. [ | inputlookup PS-monitored.csv | eval search=PS_command | fields search | format ] I tried to look for a newly created field "search", or any new created ones, but couldn't find anything...am I missing something obvious? Thanks again! ... View more

Problem in parsing Powershell commands

by in Splunk Search
‎05-14-2024 07:42 AM
‎05-14-2024 07:42 AM
Hello Community! I am trying to set up a search to monitor Powershell commands from Windows hosts; specifically, I am starting from: an index with the full messages related to PS commands, contained in a field named "Message" (related, for example, to event codes 4101, 800, etc...) a .csv file, with the list of commands I would like to monitored, contained in a column named "PS_command". From these premises, I have already constructed a search that leverages on inputlookup to search the strings from the PS-monitored.csv file to the index field Message, outputting the result in a table, as the following (adding also details from the index: _time, host and EventCode).   index="wineventlog" | search ( [|inputlookup PS-monitored.csv | eval Message= "*" + PS_command + "*" | fields Message] ) | table _time host EventCode Message    This, despite not being the most elegant solution (with the addition of wildcard characters *), is currently working, however I would also like to include the original search field (PS_command column from PS-monitored.csv) to the final table. I tried to experiment a bit with lookup command, and with join options, without success; does anyone have some suggestions? Finally, I would like avoid using heavy commands, such as join, if at all possible. Thanks in advance! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-15-2024 10:31 AM