Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ghostdog920
ghostdog920
Path Finder
Member since:
04-05-2017
01-28-2022
Community Statistics
| Posts | 35 |
| Solutions | 3 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 04-05-2017 |
Activity Feed
- Posted Palo/Splunk Parsing Issue - Field values are Truncating on Splunk Search. 07-01-2021 12:13 PM
- Posted Palo/Splunk Parsing Issue - Field values are Truncating on Splunk Search. 06-15-2021 12:12 PM
- Posted Re: Help With Event Cleanup - Remove "-" on Splunk Search. 08-07-2020 07:25 AM
- Karma Re: Help With Event Cleanup - Remove "-" for thambisetty. 08-07-2020 07:25 AM
- Posted Re: Help With Event Cleanup - Remove "-" on Splunk Search. 08-07-2020 07:15 AM
- Karma Re: Help With Event Cleanup - Remove "-" for thambisetty. 08-07-2020 07:15 AM
- Posted Help With Event Cleanup - Remove "-" on Splunk Search. 08-07-2020 07:04 AM
- Posted Re: Multi Valued Field Help on Splunk Search. 05-07-2019 04:44 AM
- Posted Re: Multi Valued Field Help on Splunk Search. 05-06-2019 05:57 AM
- Posted Re: Multi Valued Field Help on Splunk Search. 05-02-2019 12:22 PM
- Posted Re: Multi Valued Field Help on Splunk Search. 05-02-2019 12:22 PM
- Posted Re: Multi Valued Field Help on Splunk Search. 05-02-2019 12:22 PM
- Posted Re: Multi Valued Field Help on Splunk Search. 05-02-2019 10:27 AM
- Posted Re: Multi Valued Field Help on Splunk Search. 05-02-2019 10:26 AM
- Posted Re: Multi Valued Field Help on Splunk Search. 05-02-2019 10:10 AM
- Posted Re: Multi Valued Field Help on Splunk Search. 05-02-2019 09:55 AM
- Posted Re: Multi Valued Field Help on Splunk Search. 05-02-2019 09:53 AM
- Posted Multi Valued Field Help on Splunk Search. 05-02-2019 08:17 AM
- Tagged Multi Valued Field Help on Splunk Search. 05-02-2019 08:17 AM
- Tagged Multi Valued Field Help on Splunk Search. 05-02-2019 08:17 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-01-2021
12:13 PM
Finally got this all straightened out. Needed to use cef utils for splunk along with a separate syslog destination from my panorama with custom cef events setup for the config section to get what i wanted.
... View more
06-15-2021
12:12 PM
Having a strange issue and not sure what my culprit/problem is. Have a panorama to syslogng to Heavy Forwarder to Indexer with a single search head. I see the parsing (I think) where fields are found and values= but they are truncating. Specifically, my raw event has this in it: before_change_detail= " Emergency by IP { static [ "" Jim CentOS "" ]; } " after_change_detail=Emergency by IP { } but when i look at the field values, this is what i get: Any ideas on why my field values are getting cut short?
... View more
Labels
- Labels:
-
field extraction
08-07-2020
07:15 AM
So the mvindex basically says for that field, choose in this case, the 2nd value for the field as the only value for that field?
... View more
08-07-2020
07:04 AM
I am having a problem with what i believe is writing a regex to clean up some events before i report on them in dashboard. I am pulling specific security events from windows and each event should return a username and a domain. I am getting those results, but with each, it is also returning a second data item "-". That is throwing things off/making it look ugly and i havent had much luck ripping it out. Hoping someone can assist and possibly explain what the solution is doing? I tried to do an eval replace for the field where "-" is replaced with "" but then none of my events showed up so clearly that was wrong. A sample event looks like this to help clarify what i am getting: I basically need to drop the first line from both the "Account" and also "Account_Domain" so that i would only get service. and PF as values. As always, help is greatly appreciated.
... View more
05-07-2019
04:44 AM
Got this working (or at least not erroring) after I appended the index|rename as needed. I get a raw event dump and the regex fields still aren't listed in the "interesting fields" section as I would expect, but perhaps they wouldn't be?
... View more
05-06-2019
05:57 AM
Thanks everyone for the responses. I was out of the office Friday and also today so will get back to playing with this tomorrow and let you know the status.
... View more
05-02-2019
12:22 PM
So sorry, thought i responded back. I tried this:
index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$"
And i got this output:
Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?-
The search job has failed due to an error. You may be able view the job in the Job Inspector.
Thoughts on where i messed up?
... View more
05-02-2019
12:22 PM
Tried this:
index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$"
And got this:
Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?-
The search job has failed due to an error. You may be able view the job in the Job Inspector.
... View more
05-02-2019
12:22 PM
Still no go. Thanks for all your help with this though as i wouldn't have gotten this far without you.
... View more
05-02-2019
10:26 AM
05-02-2019
10:10 AM
Ok, unfortunately I do not see those "fields" if you will on the left side nav bar, nor does the table output anything other than the headers with no data.
... View more
05-02-2019
09:55 AM
WIth this expression, and excuse my ignorance, the rex creates extractions that go where? Or maybe a better way to ask is if i do that and don't see fields created for the attributes, how do i reference those rex values for a table (as an example)?
... View more
05-02-2019
09:53 AM
Can definitely elaborate. Basically we are using Nessus to scan the environment for SSL certificates with the idea of creating a report to identify certs that will be expiring. So the output from nessus is say 10 columns (what i am calling fields) comma delimited that Splunk picks up on. Unfortunately one of those columns houses the elements that individually house about 10 attributes i really want to pull out as fields. I.E. Subject Name:, Common Name:, Country:, State/province:, Issue Date:, etc.
... View more
05-02-2019
08:17 AM
I have looked at a ton of posts about breaking a multivalued field but having zero luck effecting a solution. I have a csv file that i have imported into splunk. In one of the fields, it contains data like this:
Subject Name: Country: US State/Province: Virginia Locality: Glen Allen
I thought i could do field extractions to turn things like Country: into a field with the value of US, but no luck. I have looked at eval, split, regex, and mvexpand but can't seem to get the right combo/syntax to do what i want. Can someone lend me their expertise in resolving?
Ideally once i break this field up into its individual pieces i want to create a dashboard that check one of them and ties it to all its records. Worry for another day if i can't break up the field.
... View more
02-22-2019
04:50 AM
I am trying to setup the splunk addon for tenable to pull scan reports from our nessus pro box. I have setup the addon on a heavy forwarder with the information needed but i never see anything come over. My fear in researching is that this functionality doesn't work as smoothly based on issues i have seen others have. I wondered if anyone has successfully gotten this working and how? My settings are: (please note that my heavy forwarder performs no indexing functionality, so the "nessus" index is only created on my actual indexer. Hoping this isn't the problem.)
Metrics
Nessus Host Scans
Nessus Server URL
https://nessuspro:8834
Start Date
1999/01/01
Batch Size
100000
Interval
43200
Index
nessus
Status
Enabled
... View more
01-18-2019
09:57 AM
Figured it out. On the regular expression build wizard of creating a new field i just need to include additional different samples so the expression could build.
... View more
01-18-2019
09:13 AM
New to field extractions but hoping this is an easy one that i just can't figure out for myself. I have a syslog server sending raw logs and want to extract a new field that consists of all the data (string) between and so that i can use it in a search. So for example, if i had a raw log that said:
Jan 18 10:58:38 10.0.254.51 <134>Jan 18 10:58:38 from="something@something.com" to="someone@someone.com" RE: [EXTERNAL] Files for Review#012 #012
I want to extract a field called "subject" that would consist of only "RE: [EXTERNAL] Files for Review". Of course as messages flow through, the subject will change among them, but that's the just of it. It is already identifying a From and To field so my end result I am trying to create will be a table that will consist of:
"From" "To" "Subject"
I tried rex field=_raw "\" : "<(?.*)>" but it did not like that.
Any help is greatly appreciated!
... View more
- Tags:
- splunk-enterprise
12-18-2018
07:35 AM
No I did not. but wanted to post the info in case someone else was looking for it. thanks monkeyK
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-28-2022
12:09 AM
|
