About ghostdog920

ghostdog920 · ‎08-07-2020

It is! Thank you so much!

ghostdog920 · ‎08-07-2020

So the mvindex basically says for that field, choose in this case, the 2nd value for the field as the only value for that field?

ghostdog920 · ‎08-07-2020

I am having a problem with what i believe is writing a regex to clean up some events before i report on them in dashboard. I am pulling specific security events from windows and each event should return a username and a domain. I am getting those results, but with each, it is also returning a second data item "-". That is throwing things off/making it look ugly and i havent had much luck ripping it out. Hoping someone can assist and possibly explain what the solution is doing? I tried to do an eval replace for the field where "-" is replaced with "" but then none of my events showed up so clearly that was wrong. A sample event looks like this to help clarify what i am getting: I basically need to drop the first line from both the "Account" and also "Account_Domain" so that i would only get service. and PF as values. As always, help is greatly appreciated.

ghostdog920 · ‎05-07-2019

Got this working (or at least not erroring) after I appended the index|rename as needed. I get a raw event dump and the regex fields still aren't listed in the "interesting fields" section as I would expect, but perhaps they wouldn't be?

ghostdog920 · ‎05-06-2019

Thanks everyone for the responses. I was out of the office Friday and also today so will get back to playing with this tomorrow and let you know the status.

ghostdog920 · ‎05-02-2019

So sorry, thought i responded back. I tried this: index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$" And i got this output: Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?- The search job has failed due to an error. You may be able view the job in the Job Inspector. Thoughts on where i messed up?

ghostdog920 · ‎05-02-2019

Tried this: index=nessus| makeresults |eval plug_out="Subject Name: Country: US State/Province: Virginia Locality: Glen Allen" | rex field=plug_out "Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$" And got this: Error in 'rex' command: Encountered the following error while compiling the regex 'Country:\s+(?.?)\s+State\/Province:\s+(?.?)\s+Locality:\s+(?.*)$': Regex: unrecognized character after (? or (?- The search job has failed due to an error. You may be able view the job in the Job Inspector.

ghostdog920 · ‎05-02-2019

Still no go. Thanks for all your help with this though as i wouldn't have gotten this far without you.

ghostdog920 · ‎05-02-2019

Is this legible enough?

ghostdog920 · ‎05-02-2019

ghostdog920 · ‎05-02-2019

Ok, unfortunately I do not see those "fields" if you will on the left side nav bar, nor does the table output anything other than the headers with no data.

ghostdog920 · ‎05-02-2019

WIth this expression, and excuse my ignorance, the rex creates extractions that go where? Or maybe a better way to ask is if i do that and don't see fields created for the attributes, how do i reference those rex values for a table (as an example)?

ghostdog920 · ‎05-02-2019

Can definitely elaborate. Basically we are using Nessus to scan the environment for SSL certificates with the idea of creating a report to identify certs that will be expiring. So the output from nessus is say 10 columns (what i am calling fields) comma delimited that Splunk picks up on. Unfortunately one of those columns houses the elements that individually house about 10 attributes i really want to pull out as fields. I.E. Subject Name:, Common Name:, Country:, State/province:, Issue Date:, etc.

ghostdog920 · ‎05-02-2019

I have looked at a ton of posts about breaking a multivalued field but having zero luck effecting a solution. I have a csv file that i have imported into splunk. In one of the fields, it contains data like this: Subject Name: Country: US State/Province: Virginia Locality: Glen Allen I thought i could do field extractions to turn things like Country: into a field with the value of US, but no luck. I have looked at eval, split, regex, and mvexpand but can't seem to get the right combo/syntax to do what i want. Can someone lend me their expertise in resolving? Ideally once i break this field up into its individual pieces i want to create a dashboard that check one of them and ties it to all its records. Worry for another day if i can't break up the field.

ghostdog920 · ‎02-22-2019

I am trying to setup the splunk addon for tenable to pull scan reports from our nessus pro box. I have setup the addon on a heavy forwarder with the information needed but i never see anything come over. My fear in researching is that this functionality doesn't work as smoothly based on issues i have seen others have. I wondered if anyone has successfully gotten this working and how? My settings are: (please note that my heavy forwarder performs no indexing functionality, so the "nessus" index is only created on my actual indexer. Hoping this isn't the problem.) Metrics Nessus Host Scans Nessus Server URL https://nessuspro:8834 Start Date 1999/01/01 Batch Size 100000 Interval 43200 Index nessus Status Enabled

ghostdog920 · ‎01-18-2019

Figured it out. On the regular expression build wizard of creating a new field i just need to include additional different samples so the expression could build.

ghostdog920 · ‎01-18-2019

New to field extractions but hoping this is an easy one that i just can't figure out for myself. I have a syslog server sending raw logs and want to extract a new field that consists of all the data (string) between and so that i can use it in a search. So for example, if i had a raw log that said: Jan 18 10:58:38 10.0.254.51 <134>Jan 18 10:58:38 from="something@something.com" to="someone@someone.com" RE: [EXTERNAL] Files for Review#012 #012 I want to extract a field called "subject" that would consist of only "RE: [EXTERNAL] Files for Review". Of course as messages flow through, the subject will change among them, but that's the just of it. It is already identifying a From and To field so my end result I am trying to create will be a table that will consist of: "From" "To" "Subject" I tried rex field=_raw "\" : "<(?.*)>" but it did not like that. Any help is greatly appreciated!

ghostdog920 · ‎12-18-2018

No I did not. but wanted to post the info in case someone else was looking for it. thanks monkeyK

ghostdog920 · ‎12-04-2018

Sorry, thanks for catching that.

ghostdog920 · ‎12-04-2018

Figured it out with some google searching help. Posting the results in case anyone else needs this. Palo Alto Custom Log Format, Confi, All Fields actionflags="$actionflags", admin="$admin", after-change-detail="$after-change-detail", before-change-detail="$before-change-detail", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", client="$client", cmd="$cmd", host="$host", path="$path", receive_time="$receive_time", result="$result", seqno="$seqno", serial="$serial", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys" Palo Alto Custom Log Format, HIP Match, All Fields actionflags="$actionflags", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", machinename="$machinename", matchname="$matchname", matchtype="$matchtype", receive_time="$receive_time", repeatcnt="$repeatcnt", seqno="$seqno", serial="$serial", src="$src", srcuser="$srcuser", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys" Palo Alto Custom Log Format, Traffic, All Fields action="$action", actionflags="$actionflags", app="$app", bytes="$bytes", bytes_received="$bytes_received", bytes_sent="$bytes_sent", category="$category", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", dport="$dport", dst="$dst", dstloc="$dstloc", dstuser="$dstuser", elapsed="$elapsed", flags="$flags", from="$from", inbound_if="$inbound_if", logset="$logset", natdport="$natdport", natdst="$natdst", natsport="$natsport", natsrc="$natsrc", outbound_if="$outbound_if", packets="$packets", padding="$padding", pkts_received="$pkts_received", pkts_sent="$pkts_sent", proto="$proto", receive_time="$receive_time", repeatcnt="$repeatcnt", rule="$rule", seqno="$seqno", serial="$serial", sessionid="$sessionid", sport="$sport", src="$src", srcloc="$srcloc", srcuser="$srcuser", start="$start", subtype="$subtype", time_generated="$time_generated", time_received="$time_received", to="$to", type="$type", vsys="$vsys" Palo Alto Custom Log Format, Threat, All Fields action="$action", actionflags="$actionflags", app="$app", category="$category", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", contenttype="$contenttype", direction="$direction", dport="$dport", dst="$dst", dstloc="$dstloc", dstuser="$dstuser", flags="$flags", from="$from", inbound_if="$inbound_if", logset="$logset", misc="$misc", natdport="$natdport", natdst="$natdst", natsport="$natsport", natsrc="$natsrc", number-of-severity="$number-of-severity", outbound_if="$outbound_if", proto="$proto", receive_time="$receive_time", repeatcnt="$repeatcnt", rule="$rule", seqno="$seqno", serial="$serial", sessionid="$sessionid", severity="$severity", sport="$sport", src="$src", srcloc="$srcloc", srcuser="$srcuser", subtype="$subtype", threatid="$threatid", time_generated="$time_generated", time_received="$time_received", to="$to", type="$type", vsys="$vsys" Palo Alto Custom Log Format, System, All Fields actionflags="$actionflags", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", eventid="$eventid", module="$module", number-of-severity="$number-of-severity", object="$object", opaque="$opaque", receive_time="$receive_time", seqno="$seqno", serial="$serial", severity="$severity", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys"

Posts	32
Solutions	2
Karma Given	2
Karma Received	0
Member Since	‎04-05-2017

Online Status	Offline
Date Last Visited	‎03-10-2021 02:05 PM

Help With Event Cleanup - Remove "-"

Multi Valued Field Help

Splunk Addon for Tenable/ Nessus Pro 8

Field Extraction Between Keywords Help

Palo Alto Custom Log Format

First Time Setup with Heavy Forwarder Help - Speci...

WIll you help me with the following error in the S...

Drill Down Help for Dashboard with \ in variable

How to do new User-Setup Windows Event Logs from U...

Trouble setting up universal forwarder for Windows...

Re: Help With Event Cleanup - Remove "-"

Re: Help With Event Cleanup - Remove "-"

Help With Event Cleanup - Remove "-"

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Re: Multi Valued Field Help

Multi Valued Field Help

Splunk Addon for Tenable/ Nessus Pro 8

Re: Field Extraction Between Keywords Help

Field Extraction Between Keywords Help

Re: Palo Alto Custom Log Format

Re: Palo Alto Custom Log Format

Re: Palo Alto Custom Log Format