You may be able to use a TRANSFORM or INGEST_EVAL to edit the indexed field as well, although INDEXED_EXTRACTIONS from a forwarder would need to be routed back through pasrsingQueue. Since SEDCMD is already working, the re-route probably isn't necessary. Note the use of := to edit the existing field, if present: [remove-foo] INGEST_EVAL = foo:=null() # or [mask-and-replace-foo] INGEST_EVAL = foo:="" ... View more

Hi @jslamcle, If the input includes indexed extractions, either in a monitor stanza or in a modular input script, then SEDCMD wouldn't mask the extracted field values; it would only mask the _raw value. E.g., given /tmp/foo.json: {"foo":"bar"} {"foo":"baz"} and: # inputs.conf [monitor:///tmp/foo.json] sourcetype = foo_json INDEXED_EXTRACTIONS = json # props.conf [foo_json] SEDCMD-foo = s/"foo":"[^"]+"/"foo":""/ _raw will be indexed as: {"foo":""} {"foo":""} but the events will have indexed values of foo=bar and foo=baz, respectively: ... View more

Hi, You're very close! Set SHOULD_LINEMERGE = false in your props.conf stanza. The caret (^) in your regular expression is superfluous in multiline mode but will break the regular expression in single-line mode. For compatibility irrespective of Splunk's default flags, I would remove it: LINE_BREAKER = ([\n\r]+)Date:\s\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{3} ... View more

Hi, You'll need to manipulate the style of the fieldset and input div tags. This example is just a starting point. It impacts the display of the dashboard when editing and may break accessibility: <form version="1.1" theme="dark"> <label>Multiselect Width</label> <fieldset submitButton="false"> <html> <style> .fieldset { display: table; } #fixed_width_multiselect { display: table-cell !important; width: 500px !important; } #fixed_width_multiselect div[role="listbox"] { display: table-cell !important; width: 480px !important; } #dynamic_multiselect { display: table-cell !important; white-space: nowrap !important; } #dynamic_multiselect div[role="listbox"] { display: table-cell !important; } </style> </html> <input id="fixed_width_multiselect" type="multiselect" token="fixed_width_multiselect_tok"> <label>Fixed-Width Multiselect</label> <!-- ... --> </input> <input id="dynamic_multiselect" type="multiselect" token="dynamic_multiselect_tok"> <label>Dynamic Multiselect</label> <!-- ... --> </input> </fieldset> </form> Note that your Splunk administrator may disable the <html> tag in dashboards, in which case you'll need their assistance adding a CSS file to the app and referencing it with the stylesheet attribute of the <form> tag. ... View more

Hi, Cisco Secure eStreamer Client Add-On for Splunk <https://splunkbase.splunk.com/app/3662> provides this functionality for current releases of Cisco Secure Firewall (formerly Cisco Firepower and Sourcefire Firepower). English documentation is linked from Splunkbase. French documentation may be available from Cisco. ... View more

Hi, Escape sequences vary by SQL implementation, but generally, an apostrophe can be included in a character string with a preceding apostrophe, e.g.: SELECT 'FOO''BAR' returns FOO'BAR, where the double apostrophe is replaced with a single apostrophe. In your example: | dbxquery connection=visibility query="select content from DB where content like '%port'': 20,' " will return the content column from all DB table rows where content ends with port':[space]20,'[space]. To find all rows containing a src_port or dest_port string (or any other _port': string), you might try: | dbxquery connection=visibility query="select content from DB where content like '''%\_port'':%' escape '\'" In LIKE predicate patterns, % and _ are wildcards. I've introduced the ESCAPE clause to explicitly define an escape character. LIKE predicate patterns are not regular expressions, so you may match more than you intended. ... View more

Hi, Searching for auditd USER_MGMT audit events is one possible method as you've identified: index=nixeventlog sourcetype IN (auditd linux:audit) type=USER_MGMT (add-user-to-shadow-group OR add-user-to-group) wheel You may need to decompose the problem further to detect related activity: 1) Document your sudo implementation. This may include sudo, sssd, etc. 2) Monitor changes to sudo and dependent service implementations, e.g.: /etc/sudo.conf /etc/sudoers /etc/sudoers.d/* etc. 3) Document known sudo groups, e.g. wheel. If you have multiple group sources, i.e. /etc/group, Active Directory, etc., document those as well. 4) Monitor changes to sudo groups. CIS Benchmarks, DISA STIGs, and other implementation guides can assist with documentation and implementation based on your operating system. Linux STIGs, for example, recommend the following audit rules: -w /etc/sudoers -p wa -k identity -w /etc/sudoers.d/ -p wa -k identity I used vi to modify a read-only /etc/sudoers file as root. With Splunk Add-on for Linux* <https://splunkbase.splunk.com/app/3412> installed, auditd correctly configured**, and a linux:audit file (monitor) input enabled***, Splunk indexed the auditd events below. * You can also use Splunk Add-on for Unix <https://splunkbase.splunk.com/app/833> and Linux and the rlog.sh input to collect auditd data or alternatively, you can use Sysmon for Linux and Splunk Add-on for Sysmon for Linux <https://splunkbase.splunk.com/app/6652>. ** There's a small typo in the add-on documentation. The "best practice" log_format value should be ENRICHED, not ENHANCED. Auditd will fail to start with log_format=ENHANCED. I've sent feedback to the content team. *** Add the following stanza to $SPLUNK_HOME/etc/apps/Splunk_TA_linux/local. Your Splunk user must have read and execute access to /var/log/audit and read access to /var/log/audit/audit.log*. The /etc/audit/auditd.conf log_group property is one method for granting this access. # $SPLUNK_HOME/etc/apps/Splunk_TA_linux/local [monitor:///var/log/audit/audit.log*] disabled = false sourcetype = linux:audit index=main sourcetype=auditd key=identity type=SYSCALL msg=audit(1681571544.453:1378): arch=c000003e syscall=188 success=yes exit=0 a0=55921780fc90 a1=7f444ef7f1ef a2=5592179c7d10 a3=1c items=1 ppid=2715 pid=245788 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity" ARCH=x86_64 SYSCALL=setxattr AUID="splunk" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=SYSCALL msg=audit(1681571544.453:1377): arch=c000003e syscall=91 success=yes exit=0 a0=4 a1=8120 a2=7ffc6b024ab0 a3=1b items=1 ppid=2715 pid=245788 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity" ARCH=x86_64 SYSCALL=fchmod AUID="splunk" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=SYSCALL msg=audit(1681571544.452:1376): arch=c000003e syscall=188 success=yes exit=0 a0=55921780fc90 a1=7f444f3ceebe a2=5592179d0be0 a3=1b items=1 ppid=2715 pid=245788 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity" ARCH=x86_64 SYSCALL=setxattr AUID="splunk" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=SYSCALL msg=audit(1681571544.450:1375): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55921780fc90 a2=41 a3=1a0 items=2 ppid=2715 pid=245788 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity" ARCH=x86_64 SYSCALL=openat AUID="splunk" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=SYSCALL msg=audit(1681571544.449:1374): arch=c000003e syscall=82 success=yes exit=0 a0=55921780fc90 a1=5592179c7e00 a2=fffffffffffffe90 a3=1 items=4 ppid=2715 pid=245788 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="identity" ARCH=x86_64 SYSCALL=rename AUID="splunk" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" Auditd also logs correlated PATH messages: index=main sourcetype=linux:audit type=PATH name=/etc/sudoers* type=PATH msg=audit(1681571544.453:1378): item=0 name="/etc/sudoers" inode=67257464 dev=fd:00 mode=0100440 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root" type=PATH msg=audit(1681571544.452:1376): item=0 name="/etc/sudoers" inode=67257464 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root" type=PATH msg=audit(1681571544.450:1375): item=1 name="/etc/sudoers" inode=67257464 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root" type=PATH msg=audit(1681571544.449:1374): item=3 name="/etc/sudoers~" inode=67765819 dev=fd:00 mode=0100440 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root" type=PATH msg=audit(1681571544.449:1374): item=2 name="/etc/sudoers" inode=67765819 dev=fd:00 mode=0100440 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root" Splunk Security Essentials <https://splunkbase.splunk.com/app/3435> includes many examples for monitoring scenarios like the file modification above using Splunk Common Information Model (CIM) <https://splunkbase.splunk.com/app/1621>. The "Linux Possible Access To Sudoers File" analytic provides an example you can modify to search for possible accesses to */etc/sudoers*: | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", "nano*","vim*", "vi*") AND Processes.process IN("*/etc/sudoers*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_possible_access_to_sudoers_file_filter` The "Linux Visudo Utility Execution" analytic provides an example you can use to detect execution of visudo: | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_visudo_utility_execution_filter` The "Linux Sudoers Tmp File Creation" analytic provides an example you can modify to search for changes to *suoders.tmp*, *sudoers~*, *sudoers.swp*, and others: | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*sudoers.tmp*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_sudoers_tmp_file_creation_filter` Neither Splunk Add-on for Linux nor Splunk Add-on for Unix and Linux support the Endpoint.Filesystem data model out of the box, but we can add baseline support (relative to auditd rules tracking writes and attribute changes) with a few knowledge objects: # $SPLUNK_HOME/etc/apps/Splunk_TA_linux/local/eventtypes.conf [linux_audit_endpoint_filesystem] search = sourcetype=linux:audit (type=PATH) #tags = endpoint filesystem # $SPLUNK_HOME/etc/apps/Splunk_TA_linux/local/props.conf [linux:audit] EVAL-action = case(type=="PATH" AND nametype=="NORMAL", "modified",\ type=="PATH" AND nametype=="DELETE", "deleted",\ type=="PATH" AND nametype=="CREATE", "created",\ true(), null()) EVAL-file_modify_time = case(type=="PATH", _time, true(), null()) EVAL-process_id = case(type IN ("USER_CMD", "SERVICE_START", "SERVICE_STOP") AND isnotnull(pid), pid, null()) EVAL-user = case(type=="PATH" AND isnotnull(OUID), OUID, true(), null()) EXTRACT-file_path = type=PATH\s+msg=audit\([^)]+\):\s+item=\d+\s+name="(?<file_path>.*/(?<file_name>[^/"]+)) # $SPLUNK_HOME/etc/apps/Splunk_TA_linux/local/tags.conf [eventtype=linux_audit_endpoint_filesystem] endpoint = enabled filesystem = enabled After refreshing or restarting Splunk, we can use the tstats command to find events where "*sudoers*" was modified, created, or deleted: | tstats summariesonly=false allow_old_summaries=true fillnull_value=null count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*sudoers*") by Filesystem.dest Filesystem.file_name Filesystem.file_path With this background, you can expand audit rules to include files like /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow and commands like usermod and gpasswd: -w /etc/passwd -p wa -k identity -w /etc/group -p wa -k identity -w /etc/gshadow -p wa -k identity -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Searches similar to those above can be used to detect possible changes to group memberships: | tstats summariesonly=false allow_old_summaries=true fillnull_value=null count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/group" "*/etc/gshadow" "*/etc/passwd") by Filesystem.dest Filesystem.file_name Filesystem.file_path   ... View more

GB is a valid alias for Europe/London according to the zone database. TZ=GB should have worked. I personally prefer to use the canonical names, but as long as the name is valid, it should work. ... View more

I used CTEs in ad hoc T-SQL (and less often, CONNECT BY in Oracle) for critical path analysis. It worked very well on indexed identifier and dependency columns. Translating relational SQL solutions to streaming Splunk solutions made up the bulk of my early Splunk experience. I do much less of that now, although the background helps when working with clients on DB Connect solutions, particularly with "UPSERT" style audit tables and normalized, often undocumented third-party schemas. ... View more

Hi, If your CSV file was added to Splunk using the csv source type (with INDEXED_EXTRACTIONS = csv) or a source type with CSV field names defined, the fields should be available at search time. For example, given foo.csv and source type csv: x,y 1,1.587189013 2,0.329284696 3,1.133517675 4,-0.996575706 5,-1.64539828 6,-0.50646667 7,-1.063363413 8,-1.40311895 9,0.713595252 10,0.088273196 a search for sourcetype=csv source=foo.csv will return events with fields x and y. (I'm intentionally omitting index and other fields in the example.) For simplicity, you can return known fields with the table command: sourcetype=csv source=foo.csv | table x y Alternatively, you can remove fields you don't want and include all others. Removing the fields from you you identified: sourcetype=csv source=foo.csv | fields - "_bkt","_cd","_indextime","_raw","_serial","_si","_sourcetype","_time",host,index,linecount,source,sourcetype,"splunk_server" | table * returns a table with a x, y, and any remaining default fields. Using the search.py example app (earliest and latest not specified): $ python ~/splunk-app-examples/python/search.py 'search sourcetype=csv source=foo.csv | fields - "_bkt","_cd","_indextime","_raw","_serial","_si","_sourcetype","_time",host,index,linecount,source,sourcetype,"splunk_server" | table *' --output_mode=json --username=xxx --password=xxx  returns the fields and values expected (extra fields shown): ..., "fields":[{"name":"eventtype"},{"name":"punct"},{"name":"splunk_server_group"},{"name":"tag"},{"name":"tag::eventtype"},{"name":"timestamp"},{"name":"x"},{"name":"y"},{"name":"_eventtype_color"}], "results":[{"punct":",.","splunk_server_group":["dmc_group_indexer","dmc_group_kv_store","dmc_group_license_master","dmc_group_search_head"],"timestamp":"none","x":"10","y":"0.088273196"}, ...], ...   ... View more

I'll provide a friendly op-ed: Do read Splunk SQL for SQL Users if you're familiar with relational databases and SQL-like languages and need a Splunk primer. The example searches aren't optimal; however, the SELECT through ORDER BY examples provide the foundation for most general search use cases. (Use the where Splunk search command to compare two fields directly.) TRUNCATE and DELETE probably shouldn't have been included as the Splunk delete search command doesn't do the same thing. The examples using the join and append Splunk search commands are arguably anti-patterns, but do use them if they help you make sense of the problem you're trying to solve; you can optimize your searches after you have the correct outputs in hand for comparison. ... View more

It's only manageable globally, unfortunately. ... View more

Where supported, common table expressions make trees manageable in relational databases. Graph databases make trees trivial. The problem isn't intractable in Splunk; it's just different. ... View more

Hi @SabariRajanT, If you can provide samples of your events and a sample of list123.csv, I can help with alternatives. ... View more

You'll likely need to contact Splunk support to implement INGEST_EVAL. If the schema and field order of the outer and inner JSON never change, you can also use a combination of SEDCMD and a regular transform: # props.conf [aws:sqs] MAX_TIMESTAMP_LOOKAHEAD = 13 SEDCMD-unescape = s/\\//g TIME_FORMAT = %s%3Q TIME_PREFIX = "Message"\s*:\s*"\{\\"timestamp\\"\s*:\s*\\" TRANSFORMS-copy_message_to_raw = copy_message_to_raw # transforms.conf [copy_message_to_raw] DEST_KEY = _raw FORMAT = $1 REGEX = "Message"\s*:\s*"([^}]+\}) Everything above can be implemented through the user interface. Note that the SEDCMD regular expression will aggressively remove all backslashes. In my test environment (Splunk Enterprise 9.0.4.1), typical solutions for stripping backslashes end up adding backslashes. E.g.: \" => s/\x5C"/"/g => \\" Splunk's treatment of backslashes in SEDCMD and SPL regular expression commands has always been finicky. Strict adherence to C-style escape sequences in SPL strings and no special handling in SEDCMD would be preferred, but I think they're doing their best to balance the user experience. ... View more

Hi, This worked for me: ..., "options": { "columnFormat": { "ColumnA": { "align": "> table | seriesByName('ColumnA') | pick(ColumnAAlignConfig)" } } }, ..., "context": { "ColumnAAlignConfig": [ "center" ] }   ... View more

Hi, You can do this pretty easily with an INGEST_EVAL transform: # props.conf [aws:sqs] TRANSFORMS-copy_bodyjson_message_to_raw = copy_bodyjson_message_to_raw # transforms.conf [copy_bodyjson_message_to_raw] INGEST_EVAL = _raw=json_extract(_raw, "BodyJson.Message"), _time=strptime(json_extract(_raw, "timestamp"), "%s%3Q") The example transform also extracts the timestamp from the inner JSON message. If you have other events with sourcetype = aws:sqs, you can use a source stanza in props.conf instead of a source type stanza and reference the SQS input by name: [source::<your_sqs_source_name>] TRANSFORMS-copy_bodyjson_message_to_raw = copy_bodyjson_message_to_raw If you need to retain the original event, you can clone the event into a new source type and modify _raw on the cloned event: # props.conf [source::<your_sqs_source_name>] TRANSFORMS-clone_service_metric = clone_service_metric [aws:sqs:service_metric] TRANSFORMS-copy_bodyjson_message_to_raw = copy_bodyjson_message_to_raw # transforms.conf [clone_service_metric] REGEX = . CLONE_SOURCETYPE = aws:sqs:service_metric [copy_bodyjson_message_to_raw] INGEST_EVAL = _raw=json_extract(_raw, "BodyJson.Message"), _time=strptime(json_extract(_raw, "timestamp"), "%s%3Q")   ... View more

Hi, A better approach might be to index each result as a separate event. This allows Splunk to manage the data more efficiently while satisfying your requirement to keep result fields together. Can you provide a sample of your SCAP report format? ... View more