I have a path (and a variable file_path) that looks like this: C:\\\\Program Files\\\\theapp\\\\the app\\\\Tools\\\\IR\\\\somefolder\\\\somefile.exe And I'm trying to retrieve the file name somefile.exe I created a Field transformation with the following info, but I'm not getting the field file_name to populate name: file_name Regular expression: (?P<file_name>[^\\]+)$ Format: Source Key: file_path ... View more

My ironport logs are not getting parsed incorrectly into the Email data model. The logs all come individually and as seperate events for each MID. I installed the add-on and that created some of the needed CIM and fields, including internal_message_id. The search index=email sourcetype="cisco:esa:textmail" | transaction internal_message_id Give me the email as one unit. When I run: | tstats values(All_Email.src_user) values(All_Email.action) values(All_Email.recipient) values(All_Email.src) FROM datamodel=Email WHERE sourcetype="cisco:esa:textmail" BY All_Email.subject I get the subject, however the other fields are "unknown". I created a Transaction Dataset to combine the fields on internal_message_id but that didn't fix anything. ... View more

I have a JSON that is for emails like the following: { [-] computer: { [+] } date: 2018-03-08T11:42:57+00:00 event_type_id: 553648152 timestamp: 1520509377 timestamp_nanoseconds: 893334279 } Note: the time above is in UTC. However, my time is set to PST and so it looks like I'm getting the index time, timestamp of "11/14/17 6:50:49.000 PM" This is what's in my props.conf: [cisco:amp:json] SHOULD_LINEMERGE = true pulldown_type = 1 category = Splunk App Add-on Builder LINE_BREAKER = ([\r\n]*)\{\"event_type\"\: TIME_PREFIX = timestamp:\s* TIME_FORMAT = %s KV_MODE = json TRANSFORMS-amp_hostname = force_amp_hostname EXTRACT-amp_hostname = \"hostname\"\:\s*\"(?<dest>[^\"]*) EXTRACT-amp_file_name = \"file_name\"\:\s*\"(?<file_name>[^\"]*) EXTRACT-amp_file_path = \"file_path\"\:\s*\"(?<file_path>[^\"]*) EXTRACT-amp_user = \"user\"\:\s?\"(?<user>[^\"]+) EVAL-signature = EVAL-action = EVAL-file_hash = BREAK_ONLY_BEFORE = ([\r\n]*)\{\"event_type\"\: DATETIME_CONFIG = NO_BINARY_CHECK = true disabled = false INDEXED_EXTRACTIONS = json ... View more

I have a search: | tstats count WHERE earliest=-2d@d latest=now index=* by index, _time | makecontinuous span=1h _time | fillnull value=0 count If I search it by all indexes "*", no empty fields are shown. If I search by a specific index that I know in fact is missing items, I get 0 for the count, and no index listed in the table. ... View more