We took a different approach, as the transforms option gave us problems when not all the fields were present in every event we received. As such, we updated local/props.conf with the stanzas below and haven't had any problems reported yet:
[symantec:ep:security:file]
# NOTE(review): this stanza name is declared a second time further down in this file. Splunk
# merges same-named stanzas within a file, so this extraction is combined with the later
# settings; consolidating both into one stanza keeps the effective configuration readable.
# Pulls the device fields out of the "[name]:...[class]:...[guid]:...[deviceID]:..." block.
# name, class and guid are lazy and end at the next bracketed label; deviceID is greedy (.+),
# so deviceSN is effectively the text after the last backslash before the terminating comma.
# This line uses Python-style (?P<x>) groups while the rest of the file uses (?<x>); PCRE
# accepts both, but one style is easier to maintain.
EXTRACT-security_file_fields = \[name\]:(?P<name>.+?)\[class\]:(?P<class>.+?)\[guid\]:(?P<guid>.+?)\[deviceID\]:(?P<deviceID>.+)[\\\\](?P<deviceSN>.+?)\,
[symantec:ep:agents:db]
# CIM-style field aliases and constants for the SEP agent inventory pulled from the database.
# Vendor/product constants (EVAL-* settings).
EVAL-vendor = "Symantec"
EVAL-product = "Endpoint Protection"
EVAL-vendor_product = "Symantec Endpoint Protection"
# Who / where: logged-in user and the endpoint itself.
FIELDALIAS-user = CURRENT_LOGIN_USER AS user
FIELDALIAS-dest = COMPUTER_NAME AS dest
# Network identity of the endpoint.
# NOTE(review): ip_address, mac_address and domain_name are lowercase while the other source
# fields are uppercase; Splunk field names are case-sensitive, so confirm these match the
# actual column names or dest_ip, dest_mac and dest_nt_domain will silently stay empty.
FIELDALIAS-ip = ip_address AS dest_ip
FIELDALIAS-dest_mac = mac_address AS dest_mac
FIELDALIAS-domain = domain_name AS dest_nt_domain
# Agent and definition versions.
FIELDALIAS-product_ver = AGENT_VERSION AS product_version
FIELDALIAS-signature_ver = AV_REVISION AS signature_version
[symantec:ep:proactive:file]
# Field extractions for the SEP proactive-threat log. Each EXTRACT pulls one "Label: value"
# pair out of the comma-separated event text.
# Groups written as (?<x>.*?[^\,]*) end at the next comma (the lazy .*? settles on zero
# characters, so they behave like [^\,]*); groups written as \w[^\,]+ or \d[^\,]+ additionally
# require the value to start with a word character or a digit.
# NOTE(review): IP_Address requires a leading digit, so an IPv6 address starting with a hex
# letter would not be extracted — confirm against sample events if IPv6 endpoints exist.
EXTRACT-proactive_downloaded_by = Downloaded\sby\:\s(?<Downloaded_By>.*?[^\,]*)
# The setting name "prevalance" is misspelt, but it only labels the extraction; the field it
# creates is Prevalence.
EXTRACT-proactive_prevalance = Prevalence\:\s(?<Prevalence>.*?[^\,]*)
EXTRACT-proactive_url_track = URL\sTracking\sStatus\:\s(?<URL_Tracking_Status>.*?[^\,]*)
EXTRACT-proactive_first_seen = First\sSeen\:\s(?<First_Seen>.*?[^\,]*)
EXTRACT-proactive_sensitivity = Sensitivity\:\s(?<Sensitivity>.*?[^\,]*)
EXTRACT-proactive_app_hash = Application\shash\:\s(?<Application_Hash>.*?[^\,]*)
EXTRACT-proactive_hash_type = Hash\stype\:\s(?<Hash_Type>.*?[^\,]*)
EXTRACT-proactive_app_name = Application\sname\:\s(?<Application_Name>.*?[^\,]*)
EXTRACT-proactive_app_ver = Application\sversion\:\s(?<Application_Version>.*?[^\,]*)
EXTRACT-proactive_app_type = Application\stype\:\s(?<Application_Type>.*?[^\,]*)
EXTRACT-proactive_file_size = File\ssize\s\(bytes\)\:\s(?<File_Size>.*?[^\,]*)
EXTRACT-proactive_location = Location\:\s(?<Location>.*?[^\,]*)
EXTRACT-proactive_intensive_protection_lvl = Intensive\sProtection\sLevel\:\s(?<Intensive_Protection_Level>.*?[^\,]*)
EXTRACT-proactive_cert_issuer = Certificate\sissuer\:\s(?<Certificate_Issuer>.*?[^\,]*)
EXTRACT-proactive_cert_signer = Certificate\ssigner\:\s(?<Certificate_Signer>.*?[^\,]*)
EXTRACT-proactive_cert_thumbprint = Certificate\sthumbprint\:\s(?<Certificate_Thumbprint>.*?[^\,]*)
EXTRACT-proactive_signing_timestamp = Signing\stimestamp\:\s(?<Signing_Timestamp>.*?[^\,]*)
EXTRACT-proactive_cert_serial_no = Certificate\sserial\snumber\:\s(?<Certificate_Serial_Number>.*?[^\,]*)
EXTRACT-proactive_ip = IP\sAddress\:\s+(?<IP_Address>\d[^\,]+)
EXTRACT-proactive_comp_name = Computer\sname\:\s(?<Computer_Name>\w[^\,]+)
EXTRACT-proactive_src = Source\:\s(?<Source>\w[^\,]+)
EXTRACT-proactive_name = Risk\sname\:\s(?<Risk_Name>\w[^\,]+)
# Occurrences is followed positionally by file_path and Description (next two comma-separated fields).
EXTRACT-proactive_occurrences = Occurrences\:\s+(?<Occurrences>\d[^\,]*)\,(?<file_path>\w[^\,]+)\,(?<Description>\w*)
EXTRACT-proactive_actual_action = Actual\saction\:\s(?<vendor_action>\w[^\,]+)
EXTRACT-proactive_requested_action = Requested\saction\:\s(?<Requested_Action>\w[^\,]+)
EXTRACT-proactive_secondary_action = Secondary\saction\:\s(?<Secondary_Action>\w[^\,]+)
EXTRACT-proactive_event_time = Event\stime\:\s(?<Event_Time>\d[^\,]+)
EXTRACT-proactive_insert_time = Inserted\:\s(?<Event_Insert_Time>\d[^\,]+)
EXTRACT-proactive_end_time = End\:\s(?<End_Time>\d[^\,]+)
EXTRACT-proactive_domain_name = Domain\:\s(?<Domain_Name>\w[^\,]+)
EXTRACT-proactive_group_name = Group\:\s(?<Group_Name>\w[^\,]+)
EXTRACT-proactive_server_name = Server\:\s(?<Server_Name>\w[^\,]+)
EXTRACT-proactive_user_name = User\:\s(?<user>\w[^\,]+)
EXTRACT-proactive_src_name = Source\scomputer\:\s(?<Source_Computer_Name>.*?[^\,]*)
EXTRACT-proactive_src_ip = Source\sIP\:\s(?<Source_Computer_IP>.*?[^\,]*)
EXTRACT-proactive_disposition = Disposition\:\s(?<Disposition>\w[^\,]+)
EXTRACT-proactive_download_site = Download\ssite\:\s(?<Download_Site>.*?[^\,]*)
EXTRACT-proactive_web_domain = Web\sdomain\:\s(?<Web_Domain>.*?[^\,]*)
EXTRACT-proactive_confidence = Confidence\:\s(?<Confidence>.*?[^\,]*)
# Risk_Action is the field right after the line-leading prefix of digits, hyphens, colons and
# spaces (the event timestamp); the pattern is anchored to the start of the event.
EXTRACT-proactive_action = ^[\d\-\s\:]+\,(?<Risk_Action>.*?[^\,]*)
EXTRACT-proactive_detection_type = Detection\stype\:\s+(?<Detection_Type>.*?[^\,]*)
EXTRACT-proactive_detection_score = Detection\sscore\:\s(?<Detection_Score>.*?[^\,]*)
# coh_engine_version is followed positionally by Submission_Recommendation.
EXTRACT-proactive_coh_engine_ver = COH\sEngine\sVersion\:\s(?<coh_engine_version>.*?[^\,]*)\,(?<Submission_Recommendation>.*?[^\,]*)
EXTRACT-proactive_permitted_app_reason = Permitted\sapplication\sreason\:\s(?<Permitted_Application_Reason>.*?[^\,]*)
EXTRACT-proactive_risk_lvl = Risk\sLevel\:\s(?<Risk_Level>.*?[^\,]*)
EXTRACT-proactive_risk_type = Risk\stype\:\s(?<Risk_Type>.*?[^\,]*)
[symantec:ep:risk:file]
# Field extractions for the SEP risk log. Each EXTRACT pulls one "Label: value" pair out of
# the comma-separated event text. Groups written as (?<x>.*?[^\,]*) end at the next comma
# (the lazy .*? settles on zero characters, so they behave like [^\,]*); groups written as
# \w[^\,]+ or \d[^\,]+ additionally require a leading word character or digit.
# NOTE(review): IP_Address requires a leading digit, so an IPv6 address starting with a hex
# letter would not be extracted — confirm against sample events if IPv6 endpoints exist.
EXTRACT-risk_downloaded_by = Downloaded\sby\:\s(?<Downloaded_By>.*?[^\,]*)
# The setting name "prevalance" is misspelt, but it only labels the extraction; the field it
# creates is Prevalence.
EXTRACT-risk_prevalance = Prevalence\:\s(?<Prevalence>.*?[^\,]*)
EXTRACT-risk_url_track = URL\sTracking\sStatus\:\s(?<URL_Tracking_Status>.*?[^\,]*)
EXTRACT-risk_first_seen = First\sSeen\:\s(?<First_Seen>.*?[^\,]*)
# Sensitivity is followed positionally by Reason_For_White_Listing.
EXTRACT-risk_sensitivity = Sensitivity\:\s(?<Sensitivity>.*?[^\,]*)\,(?<Reason_For_White_Listing>.*?[^\,]*)
EXTRACT-risk_app_hash = Application\shash\:\s(?<Application_Hash>.*?[^\,]*)
EXTRACT-risk_hash_type = Hash\stype\:\s(?<Hash_Type>.*?[^\,]*)
EXTRACT-risk_co_name = Company\sname\:\s(?<Company_Name>.*?[^\,]*)
EXTRACT-risk_app_name = Application\sname\:\s(?<Application_Name>.*?[^\,]*)
EXTRACT-risk_app_ver = Application\sversion\:\s(?<Application_Version>.*?[^\,]*)
EXTRACT-risk_app_type = Application\stype\:\s(?<Application_Type>.*?[^\,]*)
EXTRACT-risk_file_size = File\ssize\s\(bytes\)\:\s(?<File_Size>.*?[^\,]*)
EXTRACT-risk_cat_set = Category\sset\:\s(?<Category_Set>.*?[^\,]*)
EXTRACT-risk_cat_type = Category\stype\:\s(?<Category_Type>.*?[^\,]*)
EXTRACT-risk_location = Location\:\s(?<Location>.*?[^\,]*)
EXTRACT-risk_intensive_protection_lvl = Intensive\sProtection\sLevel\:\s(?<Intensive_Protection_Level>.*?[^\,]*)
EXTRACT-risk_cert_issuer = Certificate\sissuer\:\s(?<Certificate_Issuer>.*?[^\,]*)
EXTRACT-risk_cert_signer = Certificate\ssigner\:\s(?<Certificate_Signer>.*?[^\,]*)
EXTRACT-risk_cert_thumbprint = Certificate\sthumbprint\:\s(?<Certificate_Thumbprint>.*?[^\,]*)
EXTRACT-risk_signing_timestamp = Signing\stimestamp\:\s(?<Signing_Timestamp>.*?[^\,]*)
EXTRACT-risk_cert_serial_no = Certificate\sserial\snumber\:\s(?<Certificate_Serial_Number>.*?[^\,]*)
EXTRACT-risk_ip = IP\sAddress\:\s+(?<IP_Address>\d[^\,]+)
EXTRACT-risk_comp_name = Computer\sname\:\s(?<Computer_Name>\w[^\,]+)
EXTRACT-risk_src = Source\:\s(?<Source>\w[^\,]+)
EXTRACT-risk_name = Risk\sname\:\s(?<Risk_Name>\w[^\,]+)
# Occurrences is followed positionally by file_path and Description (next two comma-separated fields).
EXTRACT-risk_occurrences = Occurrences\:\s+(?<Occurrences>\d[^\,]*)\,(?<file_path>\w[^\,]+)\,(?<Description>\w*)
EXTRACT-risk_actual_action = Actual\saction\:\s(?<vendor_action>\w[^\,]+)
EXTRACT-risk_requested_action = Requested\saction\:\s(?<Requested_Action>\w[^\,]+)
EXTRACT-risk_secondary_action = Secondary\saction\:\s(?<Secondary_Action>\w[^\,]+)
EXTRACT-risk_event_time = Event\stime\:\s(?<Event_Time>\d[^\,]+)
EXTRACT-risk_insert_time = Inserted\:\s(?<Event_Insert_Time>\d[^\,]+)
EXTRACT-risk_end_time = End\:\s(?<End_Time>\d[^\,]+)
EXTRACT-risk_update_time = Last\supdate\stime\:\s(?<Last_Update_Time>\d[^\,]+)
EXTRACT-risk_domain_name = Domain\:\s(?<Domain_Name>\w[^\,]+)
EXTRACT-risk_group_name = Group\:\s(?<Group_Name>\w[^\,]+)
EXTRACT-risk_server_name = Server\:\s(?<Server_Name>\w[^\,]+)
EXTRACT-risk_user_name = User\:\s(?<user>\w[^\,]+)
EXTRACT-risk_src_name = Source\scomputer\:\s(?<Source_Computer_Name>.*?[^\,]*)
EXTRACT-risk_src_ip = Source\sIP\:\s(?<Source_Computer_IP>.*?[^\,]*)
EXTRACT-risk_disposition = Disposition\:\s(?<Disposition>\w[^\,]+)
EXTRACT-risk_download_site = Download\ssite\:\s(?<Download_Site>.*?[^\,]*)
EXTRACT-risk_web_domain = Web\sdomain\:\s(?<Web_Domain>.*?[^\,]*)
EXTRACT-risk_confidence = Confidence\:\s(?<Confidence>.*?[^\,]*)
# Risk_Action is the field right after the line-leading prefix of digits, hyphens, colons and
# spaces (the event timestamp); the pattern is anchored to the start of the event.
EXTRACT-risk_action = ^[\d\-\s\:]+\,(?<Risk_Action>.*?[^\,]*)
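[symantec:ep:security:file]
# NOTE(review): this stanza name is also declared near the top of this file. Splunk merges
# same-named stanzas within a file, so EXTRACT-security_file_fields from that stanza applies
# here as well; consolidating both into one stanza keeps the effective configuration readable.
# Field extractions for the SEP security log. Each EXTRACT pulls one "Label: value" pair out
# of the comma-separated event text. Groups written as (?<x>.*?[^\,]*) end at the next comma
# (the lazy .*? settles on zero characters, so they behave like [^\,]*); groups written as
# \w[^\,]+ or \d[^\,]+ additionally require a leading word character or digit.
# vendor_severity and Host_Name are the two fields right after the line-leading prefix of
# digits, hyphens, colons and spaces (the event timestamp).
EXTRACT-security_vendor_severity = ^[\d\-\s\:]+\,(?<vendor_severity>.*?[^\,]*)\,(?<Host_Name>\w[^\,]+)
# Splunk EXTRACT only creates fields from named groups, so the capture here must be named;
# an unnamed (.*?) produces no field at all. The capture starts directly after the
# "Event Description" label and ends before the next quoted-comma, "word:" label or
# "[word]:" label, so it may carry the leading ": " separator — confirm against sample
# events before narrowing the pattern.
EXTRACT-security_event_desc = Event\sDescription(?<Event_Description>.*?)(?:\"\,|\s\w+\:|\s+\[\w+\]\:)
EXTRACT-security_domain_name = Domain\:\s(?<Domain_Name>\w[^\,]+)
EXTRACT-security_location = Location\:\s(?<Location>.*?[^\,]*)
EXTRACT-security_begin_time = Begin\:\s(?<Begin_Time>\d[^\,]+)
EXTRACT-security_end_time = End\:\s(?<End_Time>\d[^\,]+)
EXTRACT-security_occurrences = Occurrences\:\s+(?<Occurrences>\d[^\,]*)
EXTRACT-security_user_name = User\:\s(?<user>\w[^\,]+)
EXTRACT-security_local_pt = Local\sPort\:\s+(?<Local_Port>\d[^\,]*)
EXTRACT-security_remote_pt = Remote\sPort\:\s+(?<Remote_Port>\d[^\,]*)
# NOTE(review): Local_Host_IP and Remote_Host_IP require a leading digit, so an IPv6 address
# starting with a hex letter would not be extracted — confirm if IPv6 endpoints exist.
EXTRACT-security_local_ip = Local\:\s+(?<Local_Host_IP>\d[^\,]+)
# "Host" is a literal here. A stray "\H" in this position is the PCRE class for any
# non-horizontal-whitespace character and only matched the label by accident.
EXTRACT-security_remote_name = Remote\sHost\sName\:\s(?<Remote_Host_Name>.*?[^\,]*)
EXTRACT-security_remote_ip = Remote\sHost\sIP\:\s(?<Remote_Host_IP>\d[^\,]+)
EXTRACT-security_local_mac = Local\sHost\sMAC\:\s(?<Local_Host_MAC>\w[^\,]+)
EXTRACT-security_intrusion_url = Intrusion\sURL\:\s(?<Intrusion_URL>.*?[^\,]*)
EXTRACT-security_intrusion_payload_url = Intrusion\sPayload\sURL\:\s(?<Intrusion_Payload_URL>.*?[^\,]*)
# MD_5 / SHA_256 carry the file hashes; alias them to file_hash if CIM Malware data model
# searches need them.
EXTRACT-security_md5 = MD\-5\:\s(?<MD_5>.*?[^\,]*)
EXTRACT-security_sha256 = SHA\-256\:\s(?<SHA_256>.*?[^\,]*)
EXTRACT-security_signature_id = CIDS\sSignature\sID\:\s(?<CIDS_Signature_ID>.*?[^\,]*)
EXTRACT-security_signature_string = CIDS\sSignature\sstring\:\s(?<CIDS_Signature_String>.*?[^\,]*)
EXTRACT-security_signature_subid = CIDS\sSignature\sSubID\:\s(?<CIDS_Signature_SubID>.*?[^\,]*)
EXTRACT-security_app_name = Application\:\s(?<Application_Name>.*?[^\,]*)
# Remote_Host_MAC accepts a leading hex letter (\w), the same as Local_Host_MAC above. With a
# leading \d a MAC such as AC-... never matched, and because Traffic_Direction,
# Network_Protocol and Hack_Type are positional fields on the same pattern they were lost too.
EXTRACT-security_remote_mac = Remote\sHost\sMAC\:\s(?<Remote_Host_MAC>\w[^\,]+)\,(?<Traffic_Direction>\w[^\,]+)\,(?<Network_Protocol>\d[^\,]*)\,(?<Hack_Type>\w*)
EXTRACT-security_app_path = Application\spath\:\s(?<Application_Path>.*?[^\,]*)
# SID runs up to the closing bracket of "[SID: ...]".
EXTRACT-security_sid = \[SID\:\s(?<SID>\d[^\]]+)
# NOTE(review): the lookahead (?=.\s|\,) has an unescaped '.', so Audit stops before any
# character that is followed by whitespace, not only before a sentence-ending period; if a
# period is intended, write (?=\.\s|\,) — confirm against sample events.
EXTRACT-security_audit = Audit\:\s(?<Audit>.*?[^\,.]*)(?=.\s|\,)
# Two consecutive "Requirement:" values are captured as Requirement1 and Requirement2.
EXTRACT-security_requirement = Requirement\:\s(?<Requirement1>.*?[^\,]*)\sRequirement\:\s(?<Requirement2>.*?[^\,]*)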
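[symantec:ep:traffic:file]
# Field extractions for the SEP firewall traffic log. Each EXTRACT pulls one "Label: value"
# pair out of the comma-separated event text. Groups written as (?<x>.*?[^\,]*) end at the
# next comma (the lazy .*? settles on zero characters, so they behave like [^\,]*); groups
# written as \w[^\,]+ or \d[^\,]+ additionally require a leading word character or digit.
# vendor_severity and Host_Name are the two fields right after the line-leading prefix of
# digits, hyphens, colons and spaces (the event timestamp).
EXTRACT-traffic_vendor_severity = ^[\d\-\s\:]+\,(?<vendor_severity>.*?[^\,]*)\,(?<Host_Name>\w[^\,]+)
EXTRACT-traffic_domain_name = Domain\:\s(?<Domain_Name>\w[^\,]+)
EXTRACT-traffic_location = Location\:\s(?<Location>.*?[^\,]*)
EXTRACT-traffic_begin_time = Begin\:\s(?<Begin_Time>\d[^\,]+)
EXTRACT-traffic_end_time = End\:\s(?<End_Time>\d[^\,]+)
EXTRACT-traffic_occurrences = Occurrences\:\s+(?<Occurrences>\d[^\,]*)
EXTRACT-traffic_user_name = User\:\s(?<user>\w[^\,]+)
EXTRACT-traffic_local_pt = Local\sPort\:\s+(?<Local_Port>\d[^\,]*)
EXTRACT-traffic_remote_pt = Remote\sPort\:\s+(?<Remote_Port>\d[^\,]*)
# "Host" is a literal here. A stray "\H" in this position is the PCRE class for any
# non-horizontal-whitespace character and only matched the label by accident.
EXTRACT-traffic_remote_name = Remote\sHost\sName\:\s(?<Remote_Host_Name>.*?[^\,]*)
# NOTE(review): Remote_Host_IP and Local_Host_IP require a leading digit, so an IPv6 address
# starting with a hex letter would not be extracted — confirm if IPv6 endpoints exist.
EXTRACT-traffic_remote_ip = Remote\sHost\sIP\:\s(?<Remote_Host_IP>\d[^\,]+)
EXTRACT-traffic_local_mac = Local\sHost\sMAC\:\s(?<Local_Host_MAC>\w[^\,]+)
# MD_5 / SHA_256 carry the file hashes; alias them to file_hash if CIM Malware data model
# searches need them.
EXTRACT-traffic_md5 = MD\-5\:\s(?<MD_5>.*?[^\,]*)
EXTRACT-traffic_sha256 = SHA\-256\:\s(?<SHA_256>.*?[^\,]*)
EXTRACT-traffic_app_name = Application\:\s(?<Application_Name>.*?[^\,]*)
EXTRACT-traffic_local_ip = Local\sHost\:\s+(?<Local_Host_IP>\d[^\,]+)
# Remote_Host_MAC accepts a leading hex letter (\w), the same as Local_Host_MAC above. With a
# leading \d a MAC such as F8-... never matched, and because Network_Protocol and
# Traffic_Direction are positional fields on the same pattern they were lost too.
EXTRACT-traffic_remote_mac = Remote\sHost\sMAC\:\s(?<Remote_Host_MAC>\w[^\,]+)\,(?<Network_Protocol>\d[^\,]*)\,(?<Traffic_Direction>\w[^\,]+)
EXTRACT-traffic_vendor_action = Action\:\s(?<vendor_action>\w[^\,]+)
EXTRACT-traffic_rule_name = Rule\:\s(?<Rule_Name>\w[^\,]+)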