Hi users, Probably a bit silly question, but because I've never seen that setup in any of Google searches, I have that simple question: I want to use a forwarder to forward logs from about 50 Windows machines. Would that single (universal forwarder) be able to receive and forward logs from all those machines? Would that be an acceptable setup? Regards ... View more

Hi all, I am filtering some logs came from Nessus in order to identify vulnerable machines based on their OS, and the issue I have is when a host's OS is not adequately identified resulting in many "os" fields. An example is the below: start_time="Mon Feb 16 03:56:07 2015" end_time="Mon Feb 16 03:57:42 2015" os="Microsoft Windows 2000" os="Microsoft Windows XP for Embedded Systems" os="Microsoft Windows XP" The query that I created for that (which only works sufficiently when 1 OS is found) is the following: sourcetype=nessus severity!=informational | rex "start_time=\"(?<start>.*)\"\send.*\s\sos=\"(?<OS>.*)\"" What I would like ideally to do, is to just find a way to filter out the " (double quote" symbol from within the extracted field. This is because apart from Windows machines, there are other printers and access points that are interpreted as many other mixed OSs. So, it should be something like this: sourcetype=nessus severity!=informational | rex "start_time=\"(?<start>.*)\"\send.*\s\sos=\"(?<OS>.*[^\"])\"" but it doesn't work. Any thoughts? Regards, Evang Update: Hi MuS, Okay, here we are. I guess I haven't stated my problem correctly. I do not want to remove the double quotes, actually, I want to only keep the first occurence of OS field in the rare cases that more than one appears! Here is what I managed to do with sed, but I am not there quite yet. sourcetype=nessus severity!=informational earliest=-5w@w1 latest=now|rex field=os mode=sed "s/.*\(os=\"[^\"]*\"\).*$/\1/g" | rex ".*os=\"(?P<OS>.*)\"\s.*\"" Any suggestions? 🙂 Regards, Evang ... View more

Hi users, I am trying to color my bar charts to help a user's eye to focus on a more meaningful way to search output. While doing some searches about that I only found that one can change the colors of a search amending js scripts which is not my speciality. Is there any other to do while extracting the fields? Here is a sample code: sourcetype=nessus severity_id!=0 earliest=-2mon@mon latest=now | timechart span=1mon dc(cve) by severity Since Nessus assigns vulnerabilities into a severity which can be "critical", "high", "medium" and "low", my chart eventually is drawn up by 4 color bars. How to color bars based on a field value? Thanks, Evang ... View more

Hi users, I automatically import some log-files to Splunk using a script. The naming convention for those files is somehow arbitrary. My aim is to produce a panel depicting the totals of the logs for each file in a stacked manner. Till here we are good. The problem is that the log-file names are pretty awkward and long given the fact that they also reveal the complete path as to where they came from. I want to present to the viewer only the most intuitive part of the log-file name. Here is what I managed to do but it doesn't work as expected. sourcetype=nessus source=*SNMP* earliest=-1mon@mon latest=now signature_id=41028| rex "source.*SNMP public community \((?<area>.*)\)" |chart count(dest_dns) by area I assume that the "source" of the file is not appeared within the log itself, maybe. And that's why I can't filter it with rex Are you aware of any other technique that might help me to display only a particular part of the source-name? Regards, Evang ... View more