Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ttovarzoll
ttovarzoll
Path Finder
Member since:
03-04-2020
08-25-2023
Community Statistics
| Posts | 40 |
| Solutions | 2 |
| Karma Given | 14 |
| Karma Received | 2 |
| Member Since | 03-04-2020 |
Activity Feed
- Got Karma for Re: How do I extract non-blank lines from Windows Event 4738 ?. 01-15-2024 09:59 AM
- Karma Re: Load on indexers high for gcusello. 08-25-2023 09:12 AM
- Karma Re: Load on indexers high, am I able to add more indexers to help? for PickleRick. 08-25-2023 09:12 AM
- Karma Re: Is there anything comparable to SPL for offline use? for isoutamo. 05-31-2023 11:53 AM
- Karma Re: Is there anything comparable to SPL for offline use? for richgalloway. 05-31-2023 11:53 AM
- Posted Re: Is the Free license for home lab available? on Installation. 05-31-2023 11:52 AM
- Posted Re: Is there anything comparable to SPL for offline use? on Splunk Search. 05-31-2023 11:17 AM
- Karma Re: Is there anything comparable to SPL for offline use? for richgalloway. 05-31-2023 11:15 AM
- Posted Is there anything comparable to SPL for offline use? on Splunk Search. 05-31-2023 10:08 AM
- Tagged Is there anything comparable to SPL for offline use? on Splunk Search. 05-31-2023 10:08 AM
- Posted Re: Are hidden characters breaking my joins? on Splunk Search. 03-23-2023 09:13 AM
- Karma Re: Are hidden characters breaking my joins? for yuanliu. 03-23-2023 09:03 AM
- Karma Re: Are hidden characters breaking my joins? for PickleRick. 03-23-2023 09:03 AM
- Posted Are hidden characters breaking my joins? on Splunk Search. 03-22-2023 11:08 AM
- Posted Re: Amazon AWS SQS Monitoring: Unable to ingest OversizedChangeNotification on All Apps and Add-ons. 03-13-2023 08:52 AM
- Posted Re: Amazon AWS SQS Monitoring: Unable to ingest OversizedChangeNotification on All Apps and Add-ons. 09-02-2022 08:07 AM
- Posted Re: filter on 'count' without losing original results? on Splunk Search. 08-09-2022 10:03 AM
- Karma Re: filter on 'count' without losing original results? for bowesmana. 08-09-2022 10:01 AM
- Karma Re: filter on 'count' without losing original results? for PickleRick. 08-09-2022 10:00 AM
- Posted Re: filter on 'count' without losing original results? on Splunk Search. 08-08-2022 04:58 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-31-2023
11:52 AM
what does the "500 MB daily ingest limit" mean? I understand if I'm sending logs but what if I want to use it for adhoc review of large offline data-sets, e.g. VPC FlowLogs? Can I manually import a 1 GB .csv or does that count as part of the 500 MB/day? If so, could I break it up and import 500 MB today, then 500 MB tomorrow -- and then do my searches? Thank you for this detailed discussion!
... View more
05-31-2023
11:17 AM
Interesting! What are the rules or restrictions around a 'personal' install? I've mostly used Splunk Cloud so I have limited experience doing local installs. It seems like a lot of work to configure, and after the initial 30-day(?) trial expires, what can or can't you do? Also, btw, I found that I can duplicate a little of my SPL experience in Excel using the 'Text Filter' function. Still waaay more work then just writing a one-line SPL query but at least duplicates some of the power ...
... View more
05-31-2023
10:08 AM
I love love love Splunk and especially SPL! It makes it so easy to generate very granular and detailed reports on large data-sets. But is there anything comparable for offline data? In the past I've used Excel and both it's 'Data:Filter' function along with custom formulas. But that all seems so restrictive now, compared to SPL.
Any suggestions? (Aside from temporarily importing my offline data into Splunk which I cannot do for various reasons...)
... View more
- Tags:
- spl
Labels
- Labels:
-
eval
03-23-2023
09:13 AM
Aha! yes, that's a good trick. At first I didn't understand how that would fix the problem but then I realized that it was the perfect troubleshooting step -- and it demonstrated that there was a trailing space. So, I have now modified my eval statement and confirmed that I am now receiving the missing events | eval user_IP = username . trim(src_ip) I also had to add matching trim() statements to several other references to 'username' throughout the SPL query.
... View more
03-22-2023
11:08 AM
I am trying to build an Alert for login failures in AWS CloudTrail. In general I have it working -- but my joins are missing some of the desired events. Specifically, I am building an 'index' value consisting of the username+IP, e.g. | eval user_IP = username + src_ip but I now see that some seemingly-identical values are being evaluated as separate. For instance, when you click on the Selected Values view (left-side in the results) there will be 2 separate entries which -- at least on-screen -- appear to be identical. WHAT THE POPUP SHOWS user_IP 2 Values, 100% of events Values Count firstuser172.31.1.1 2 firstuser172.31.1.1 1 I suspect there is a hidden character in the second Value. Or, maybe a trailing space (though there is none when I try adding each to the search). ---- How can I modify my 'eval' to generate values without hidden characters? (I already tried adding a lower() function but without success)
... View more
Labels
- Labels:
-
eval
03-13-2023
08:52 AM
Are you using the legacy TA or the new Data Manager?
... View more
09-02-2022
08:07 AM
Has anyone tried the SQS input on the new Data Manager Add-On? Instead of directly pulling (like the legacy AWS Add-On) the new DM creates a Firehose 'push'. Also, re the legacy Add-On's issue, I know that I previously posted about my own experience (circa 2019) but now my recollection is that this was only/ever a cosmetic issue, i.e., that there was no actual data-loss. Is that correct? Or, am I maybe confusing this issue with another?
... View more
08-09-2022
10:03 AM
Thank you! Both of those solutions worked. I decided to use the 'stats count values() by' as my solution because I liked how it created a single multi-value result.
... View more
08-08-2022
04:58 PM
I'm surprised, I honestly thought I provided enough details. I really don't see how this will help but here it is: index=os sourcetype="xmlwineventlog" ``` extract and normalize the Domain name ``` | rex field=source "/aws/directoryservice/(?<ds_name>.+):" | eval Domain = if( lower( substr(ds_name,0,2))="zo", lower( substr(ds_name, 0, 8)), lower( substr(ds_name, 14, len(ds_name) - 12))) ``` extract and normalize the Domain Controller hostname ``` | rex field=Computer "(?<DC_extract>.+).z" | eval DC_hostname = if( isnull( DC_extract ), upper(Computer), upper( DC_extract ) ) ``` count how many messages from each DC ``` | stats count by Domain, DC_hostname ``` now count how many DCs per-domain | stats count by Domain `` finally, notify of any domains with more than 2 DCs ``` | where count>2
... View more
08-08-2022
01:43 PM
I am trying to build an Alert which will trigger whenever one of our AWS-hosted Active Directory domains get replacement Domain Controllers, i.e., we don't control if/when they replace the servers. I already have a simple Alert which counts how many unique DCs it sees per-hosted domain, and then I can do a simple:
index=os sourcetype="xmlwineventlog # here I perform some clean-up to identify the 2 desired fields... # stats count Domain, DC_hostname stats count Domain where count>2
(and where the default number of DCs = 2, i.e., if there are more than that, AWS is in the process of replacing one or both.)
The problem is that I lose the list of DCs.
How can I filter-out all the domains that just have the typical 2 DCs while still keeping the complete list of DCs from the non-typical domain?
-------------------------
FYI - this is what the search looks like before my final filter:
Domain DC_hostname ---------- ----------------------------- domain1 DC1 domain1 DC2 domain2 DC3 domain2 DC4 domain2 DC5
My current Alert returns simply: domain2
whereas I want it to return:
domain2 DC3 domain2 DC4 domain2 DC5
... View more
Labels
- Labels:
-
count
05-10-2022
10:05 AM
oh! wow, I didn't know you could do that -- list one of the original fields twice in the stats command 😁 I was seeing the dc(SecondaryField) and assumed that was the only/last reference to that field. You've unlocked a whole new wave of discovery for me!
... View more
05-09-2022
11:10 AM
Giuseppe, Thanks, that's a great trick! But wouldn't it lose the original values of SecondaryField?
... View more
05-06-2022
02:51 PM
I am trying to create a Splunk Alert which -- well, the details will take too long to explain 🙂
The issue is that I'm generating a stats list where some of the results have a single value while others have multiple, e.g.
PrimaryField
SecondaryField
resultToKeep
result1 result2
resultToToss
result1
How do I filter-out the 'resultToToss' based on the fact there's only 1 'SecondaryField' result for it?
... View more
Labels
- Labels:
-
stats
04-06-2022
05:16 PM
FYI - still replying to my own question ... I would still like to know how to specify an individual Key/Value pair but I finally found another posting which showed me how to accomplish my real objection -- extracting the 'Name' fields. (I use the IP/Name info to label my VPC Flowlogs.) index=aws sourcetype=aws:description:metadata source="us-west-2:ec2_instances "Tags{}.Value"=prod PrivateIpAddress="10.10.*" | spath Tags{} | mvexpand Tags{} | spath input=Tags{} | table PrivateIpAddress, Key, Value | where Key="Name" | fields - Key
... View more
04-06-2022
02:03 PM
ok, so I think I've partially answered my question: the first version is a nested-JSON and, since it has unique paths, it is trivial to specify a filter (also to extract the result) the second version is -- I believe... -- a nested multi-value array. I've dealt with MV arrays before but this time I'm defeated by the nesting. FYI - the official Splunk doc re MV arrays only has examples where you pick the values by position-ID, e.g. [0], rather than by associated 'Key' https://docs.splunk.com/Documentation/SCS/current/Search/Arrayandobjectexpressions ----------------------------------- I found the following StackOverflow discussion which seemed to answer this exact issue ... except that I can't get the 'mvzip' command to accept the Tags{}.Name multi-value? https://stackoverflow.com/questions/61646035/get-specified-element-in-array-of-json-splunk Their solution was basically a hack where you combine the 'name' and 'value' arrays, then filter for your target key, and finally re-extract the target value. For the AWS Description Metadata JSON, I'm trying the following -- except that it returns the error, "arguments to mvzip function are invalid" | eval combined = mvzip( "Tags{}.Key", "Tags{}.Value" ) P.S. I tried the Tags{}.Key both with and without double-quotes around it ...
... View more
04-06-2022
11:03 AM
The latest version of the Splunk Add-on for AWS has changed the JSON for the "AWS Description" ingest; see examples below. My question is about selecting values from this new 'type' of array. Before, you could select particular values with the following search syntax: tags.Name = "server1" QUESTIONS 1. How do I make the same search with the newer JSON? 2. What is the technical description for these 2 different forms of arrays? BEFORE tags: { [-] Environment: test Name: server1 AFTER Tags: [ [-] { [-] Key: Environment Value: test } { [-] Key: Name Value: server1 }
... View more
Labels
- Labels:
-
search
10-12-2021
09:43 AM
This is really a log4net question but I'm hoping the folks here can help; I have been unsuccessful at searching online for a solution. ----------------- We have a custom application which generates local logs in JSON format via the log4net module. We then have a Splunk UF installed to collect said logs. In general that all works fine. The problem is that some log messages include a nested JSON 'message' field -- but log4net is misformatting it as a string and so Splunk doesn't parse the nested part. You can see the issue (below) where log4net is unnecessarily adding quote-marks around the nested part: CURRENT/INVALID "message":"{"command":"Transform271ToBenefitResponse","ms":1}" PROPER "message":{"command":"Transform271ToBenefitResponse","ms":1} -------------------------- I'm not entirely sure of the log4net configuration but here's what I was told by one of our developers: ORIGINAL LOG4NET CONFIG <conversionPattern value="%utcdate [%property{CorrelationId}] [%property{companyId}] [%property{userId}] [%thread] [%level] %logger - %message%newline" /> UPDATED CONFIG; STILL FAILS <conversionPattern value="{"date":"%date{ISO8601}", "correlationId":"%property{CorrelationId}", "companyId":"%property{companyId}", "userId":"%property{userId}", "thread":"%thread", "level":"%level", "logger":"%logger", "message":"%message"}%newline" />
... View more
- Tags:
- log4net
Labels
- Labels:
-
JSON
05-06-2021
10:19 AM
I am using the standard 'Splunk_TA_nix' deploy-app on all of my Linux agents. Now, we are starting to deploy Cortex XDR and the local /var/log/traps/traps.pmd log is extremely verbose and unnecessary to collect in Splunk; it's already being collected by the Cortex XDR console. How do I blacklist that one log-file without editing the original deploy-app? I have tried creating an additional deploy-app which specifies that folder, then blacklists that file, but it doesn't work. Maybe I have a typo (see below) but my suspicion is that there's a precedence issue, i.e., I can't modify the input stanza from the first deploy-app? MY NEW DEPLOY-APP's INPUT.CONF [monitor:///var/log/traps/]
blacklist = traps.pmd
recursive=false
disabled = false
index = os
sourcetype = syslog
... View more
Labels
- Labels:
-
inputs.conf
04-06-2021
11:53 AM
Did you recreate the Input(s) in the Okta TA? It's simple enough to configure, I would do that just to ensure there wasn't something borked in the original Input, i.e., after the original token failed. Also, for what user-account is the new token? Currently, I'm using my own admin-equiv Okta user but I'm trying to recreate it with a 'service-account' with only the required log-access permissions. The "no logs found" might be a misleading error if the token is for a user without log-access?
... View more
03-09-2021
03:15 PM
1 Karma
I am experiencing this error, too, and two years after it was apparently recognized as an issue in the AWS TA. Surely there's some workaround? If I manually delete the 'oversize' files from the S3 bucket, will that stop the error-logging ... or will it simply substitute a new different error, e.g. "object not found"? Or, will the SQS message eventually time-out? (I don't think I have the ability to selectively delete SQS messages?)
... View more
02-18-2021
09:57 AM
floor(X) is the correct command -- round() is wrong because it also rounds 'up' However, there is no second value in floor(X), you don't need to specify the ",0" | stats sum(DURATION) AS "DURATION"
| eval HOURS=floor(DURATION/3600)
| eval MINUTES=floor((DURATION-HOURS*3600)/60)
| eval SECONDS=DURATION-HOURS*3600-MINUTES*60
| eval TIME=HOURS.":".MINUTES.":".SECONDS
... View more
02-01-2021
03:00 PM
1 Karma
OK, I finally figured it out. I had to make two changes: use regex to replace all line-breaks (\r\n) with a delimiter (***) convert multi-line "MSADChangedAttributes" into a multi-value field Now my original regex works! | rex mode=sed field=MSADChangedAttributes "s/\r\n/***/g"
| makemv delim="***" MSADChangedAttributes
| rex field=MSADChangedAttributes max_match=0 "(?<Changed>^[^-]*$)"
... View more
02-01-2021
12:12 PM
I think maybe the issue here is that Splunk is seeing that 'MSADChangedAttribue' as one long string (albeit with a bunch of line-breaks), i.e., there will always be a "-" character somewhere. Instead, maybe I need to break the original field into multiple fields -- so that the regex can evaluate them individually?
... View more
02-01-2021
11:39 AM
I am trying to write a Report which queries our Windows Security Event logs for event # 4738, "user account was changed." There is a field, MSADChangedAttribute, which looks like this: SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 1/26/2021 2:31:01 AM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: - I want to make the Report more condensed and human-readable by extracting only the lines in that field which do not include "-". I have successfully identified the regex command which does this but I can't figure-out how to write it as a rex extract? For instance, the following code works on regex101.com to extract a new 'output' field (?<output>^[^-]*$) but when I put that into rex it has no result | rex field=MSADChangedAttribute max_match=0 "(?<Changed>^[^-]*$)" (NOTE: I added 'max_match=0' because sometimes there are more than 1 lines with new changes)
... View more
Labels
- Labels:
-
field extraction
08-21-2020
06:20 PM
I have a large query which works great to search CloudTrail logs for Security Group changes. Different events, however, place the notable fields in different paths, e.g. requestParameters.groupId requestElements.groupId requestParameters.UpdateSecurityGroupRuleDescriptionsIngressRequest.GroupId In this instance, I do a series of cascading evals where I set my 'GroupID' to each path ... then do another eval that starts with 'if(isnull(GroupID)' to determine if the previous path was empty. It all works (worked) great. But now I've found another event type where the notable fields are stashed under a much longer path, e.g. requestParameters.UpdateSecurityGroupRuleDescriptionsIngressRequest.GroupId There are actually 3 paths -- for GroupId, CIDR and Description. The lookup for the GroupId works but the lookups for CIDR and Description do not. I'm doing everything the same, it just doesn't work. Are they too long? Here's an example of the CIDR query: | spath "requestParameters"
| eval CIDR = 'requestParameters.cidrIp'
| eval CIDR = if( isnull(CIDR), 'requestParameters.ipPermissions.items{}.cidrIp', CIDR )
| spath "requestParameters.UpdateSecurityGroupRuleDescriptionsIngressRequest.IpPermissions{}.IpRanges.CidrIp"
| eval CIDR = if( isnull(CIDR), 'requestParameters.UpdateSecurityGroupRuleDescriptionsIngressRequest.IpPermissions.items{}.IpRanges.CidrIp', CIDR ) P.S. I don't think that second 'spath' command is needed (is it?) I only threw it in when I started having trouble getting it work ...
... View more
- Tags:
- aws
- cloudtrail
Labels
- Labels:
-
field extraction
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-25-2023
12:32 PM
|
Karma given to
