Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About gvmorley
gvmorley
Contributor
Member since:
10-03-2012
06-08-2021
Community Statistics
| Posts | 86 |
| Solutions | 16 |
| Karma Given | 5 |
| Karma Received | 41 |
| Member Since | 10-03-2012 |
Activity Feed
- Got Karma for Change & Condition within From Text Inputs. 01-28-2022 08:07 AM
- Got Karma for Re: Regex field != expression not matching. 08-30-2021 08:31 AM
- Got Karma for Fortigate TA Config Queries. 01-13-2021 07:12 AM
- Got Karma for Re: Regex field != expression not matching. 06-25-2020 10:01 AM
- Karma Re: Change & Condition within From Text Inputs for jeffland. 06-05-2020 12:48 AM
- Karma Re: Why are my multi-line events getting broken in the middle of a string? for tmarrazzo. 06-05-2020 12:48 AM
- Karma Re: rex command help for jkat54. 06-05-2020 12:48 AM
- Karma Re: Using IF with multiple conditions for woodcock. 06-05-2020 12:48 AM
- Got Karma for Re: How do I use a regular expression to extract all 22 entries of a Message field in a multiline JSON data?. 06-05-2020 12:48 AM
- Got Karma for Re: How do I use a regular expression to extract all 22 entries of a Message field in a multiline JSON data?. 06-05-2020 12:48 AM
- Got Karma for Re: How do I use a regular expression to extract all 22 entries of a Message field in a multiline JSON data?. 06-05-2020 12:48 AM
- Got Karma for Re: Is it possible to run Splunk Light with 2 indexers and a search head?. 06-05-2020 12:48 AM
- Got Karma for Re: Tried DELIMS, REPORT but cannot get neither working. 06-05-2020 12:48 AM
- Got Karma for Re: Tried DELIMS, REPORT but cannot get neither working. 06-05-2020 12:48 AM
- Got Karma for Re: How to extract particular value using regular expression?. 06-05-2020 12:48 AM
- Got Karma for Re: How to sort my table columns?. 06-05-2020 12:48 AM
- Got Karma for Re: How do I create a table from 3 different lookup table and get the data to line up?. 06-05-2020 12:48 AM
- Got Karma for Re: DateTime Convertion. 06-05-2020 12:48 AM
- Got Karma for Re: DateTime Convertion. 06-05-2020 12:48 AM
- Got Karma for Re: Unpivot multi-value fields. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 3 | |||
| 0 | |||
| 6 | |||
| 0 | |||
| 1 |
03-20-2019
08:28 PM
Thanks for the quick response. And thanks again for supporting Splunk (and Splunkers) with your TA. It's greatly appreciated. G.
... View more
03-20-2019
01:34 AM
1 Karma
This is one for the folks at Fortigate regarding their TA.
I had a couple of queries on the latest version (1.6.0), specifically around the transforms.conf
Looking at the force_sourcetype_fgt_traffic stanza:
[force_sourcetype_fgt_traffic]
DEST_KEY = MetaData:Sourcetype
REGEX = devid=\"?F[G|W|6K].+type=\"?traffic
FORMAT = sourcetype::fgt_traffic
I'm 99% sure that you can't do alternation inside a character class. So [G|W|6K] actually means any character from the set GW6K or the literal | .
Was the intention that it should actually be (?:G|W|6K) , which would be a non-capturing group of either G , W or 6K ?
Secondly, you might want to reconsider the structure of these a bit. Taking that same stanza as above, it would actually match a utm event like this:
date=2019-03-15 time=05:12:28 logver=52 timestamp=1552626748 tz="UTC+0" devname="example-dev" devid="FG600C9999999999" logid="12345" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" appid=12345 user="" srcip=10.1.1.1 srcport=64224 srcintf="INTERNAL" dstip=8.8.8.8 dstport=80 dstintf="EXTERNAL" proto=6 service="HTTP" policyid=42 sessionid=158758809 applist="standard" appcat="Web.Others" app="HTTP.BROWSER" action="pass" hostname="test.example.com" url="/net/WebService.aspx?type=traffic&Password=fred8" msg="Web.Others: HTTP.BROWSER," apprisk="medium"
It's the first of the force transforms tried against fgt_log . So even though the event has type="utm" , it matches later in the event due to data in the url field. So the result would be that this event would be sourcetype=fgt_traffic . Now, as the remaining force transforms continue to be applied, it would probably then match the force_utm one later and then get set to that. 🙂 But it would probably be better to get it set correctly once.
One approach might be to combine your 3 force stanzas into one. So look to do this:
default/props.conf
[fgt_log]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt
default/transforms.conf
[force_sourcetype_fgt]
SOURCE_KEY = _raw
DEST_KEY = MetaData:Sourcetype
REGEX = devid=\"?F(?:G|W|6K).+type="?(traffic|utm|event)
FORMAT = sourcetype::fgt_$1
You also get the advantage that Splunk only has to try the one stanza / regex per event, as opposed to three.
Finally, although it's a bit beyond the scope here, so may also want to look to anchor the regex and consider some backtracking control.
This proved more performant for a lot of my testing:
[force_sourcetype_fgt]
SOURCE_KEY = _raw
DEST_KEY = MetaData:Sourcetype
REGEX = ^.+?\sdevid=(*COMMIT)\"?F(?:G|W|6K).+?\stype=(*COMMIT)\"?(traffic|utm|event)
FORMAT = sourcetype::fgt_$1
The (*COMMIT) is a way of saying, "It you get this far in the match, but fail later, don't backtrack past this".
So the regex above is saying, "Going from the start of the line ( ^ ), look for any character 1 or more times (lazily). When you find devid= , then we know we're in the right place. If our F(?:G|W|6K) doesn't match, then don't go back and try to find it anywhere else. Once we got to devid= we were committed - there's no going back now..."
Basically, it's a handy way to stop the regex being tried later in the event. But I'm not regex guru, so do some testing and see how it works. It just proved useful for us in our environment.
The main one is really to see if you need to fix-up the alternation in the character class and possibly combine the stanzas in a future TA release.
... View more
06-12-2018
12:24 AM
Hi all,
Would anyone be able to elaborate on what these settings mean in user-prefs.conf
[general]
render_version_messages =
checked_new_maintenance_version =
checked_new_version =
new_maintenance_version =
new_version =
They are not documented in the online Splunk Docs: https://docs.splunk.com/Documentation/Splunk/latest/Admin/User-prefsconf
And they're not in the spec file in: $SPLUNK_HOME/etc/system/README/
I'd would be good to know if setting:
[general]
render_version_messages = 0
Would disable the display of the 'New version available' in the Messages drop-down:
But in general, it would be good to have these settings documented. 😉
... View more
- Tags:
- doc
05-11-2017
11:56 PM
HI,
Doh. I feel like a bit of an idiot... After re-downloading multiple times and getting nowhere, I cleared my Browser Cache.
Yeah, that fixed it.
Appologies to the Splunk folks!
... View more
05-05-2017
01:19 AM
One for the Splunk folks...
I was keen to check out the updates to the 6.x Dashboard Examples App today, as version 6.6.0 was released.
But it looks like there are a couple of issues... A number of the dashboard xml files are either missing, or incorrectly referenced from the Examples (contents.xml) page.
Here's a screenshot:
Taking the 'Drilldown Single Value' link as an example. The linking URL is: /simple_xml_examples/simple_drilldown_single
A quick look in the ../default/data/ui/views directory shows that this is missing. Heres a snippet:
├── simple_display_controls_example.xml
├── simple_drilldown_no_action.xml
├── simple_drilldown_to_custom_url.xml
├── simple_drilldown_to_dashboard.xml
├── simple_drilldown_to_report.xml
├── simple_drilldown_to_search.xml
├── simple_drilldown_to_tokens.xml
├── simple_environment_tokens.xml
Might be one to check out before too many people download the updated app.
Looking forward to version 6.6.1
Thanks.
... View more
04-18-2017
01:41 PM
1 Karma
Hi,
You should just be able to do a positive lookahead and an empty capture group. So:
[ofx]
SHOULD_LINEMERGE = False
LINE_BREAKER = (?m)(?=^Event logged at {[\d;]+})()
I did a quick test and it looked fairly successful:
Hopefully this gets you closer to what you're looking for.
... View more
04-18-2017
12:54 PM
Hi,
Absolutely. You simply need to specifiy the earliest_time and latest_time as their epoch values.
So for your example, you could do something like this in your times.conf :
[my_custom_time]
label = January 1st 2017
earliest_time = 1483228800
latest_time = 1483315199
If you want to work out epoch times, there are many online tools which you could use.
Or, Splunk can always help you. Here's an example search, which you could change as required:
| makeresults
| fields - _time
| eval t1="01/01/2017:00:00:00", t2="01/01/2017:23:59:59"
| eval t1_epoch=strptime(t1,"%d/%m/%Y:%H:%M:%S"), t2_epoch=strptime(t2,"%d/%m/%Y:%H:%M:%S")
I hope this helps.
... View more
04-18-2017
12:37 PM
1 Karma
Hi,
Have a go with this for your props.conf
[qpbatch]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3Q
MAX_TIMESTAMP_LOOKAHEAD = 23
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_TIME = True
TRUNCATE = 10000
This way you're telling Splunk that the timestamp starts at the beginning of lines and the exact format to look for.
I did a quick test and got this:
See if that helps you get closer to a solution.
... View more
03-22-2017
11:39 PM
Hi,
Sorry for the delayed reply.
If you've got it working for 1 IP, then that's a great start.
My guess it that you may need to amend your search slightly with regards to where you are using the token.
Assuming you select a single IP in your dropdown (for example 1.1.1.1), your eval becomes:
| eval TrueClientIP=1.1.1.1
But if you have an 'All' label, with the value '*', then this mean your eval becomes:
| eval TrueClientIP=*
Since '*' is not an IP address, it's not going to work with the iplocation command.
Perhaps you could use the token in the initial search string. So something like:
sourcetype=iis_dominos_online_adv CookieData="\"UNKNOWN\"" RedirectTo="\"UNKNOWN\"" TrueClientIP=$PublicIP_tkn$
This would then return the single result (assuming the IP from your dropdown is unique), or return multiple results if you select 'All/*'.
See if that gets you a bit closer to what you're looking for.
... View more
03-14-2017
09:20 AM
Hi,
I'm pleased to hear that you've got a workaround.
But you should still be able to get the EXTRACTs working; there's nothing wrong with your approach.
As such, it might be worth raising a Support Case with Splunk to try and get to the bottom of what's going on.
Just incase there is a bug, or something else is happening within your setup. You don't want to come across it down the line!
... View more
03-13-2017
10:56 PM
Hi,
Looks like the logging format for these events is a bit of a pain!
I'm not 100% sure your:
(?<_KEY_1>\w+)(:\s)(?<_VAL_1>[a-zA-Z0-9\\]+)(U|E)
Is going to work for you? What if one of the values you're trying to capture (like a Username), ends in a U or and E?
I also noticed that the Keys in the 'Event Data' are different in the two event samples. You're also going to want to cater for this and the associated spaces. The default Splunk Key/Value extractor is only going to get you:
Profile=iOS
Whereas you probably want:
Profile=iOS Visual Privacy Webclip
Ultimately you may just need to keep refining your regex(s) until you cater for 100% of your data. I get that this is pretty dull...
And whilst I'd always go with the 'keep it simple' wherever possible, you may end up with something slightly more complex.
For example, I don't like it, but this below works for both of your sample data events:
| makeresults
| eval _raw="Mar 9 13:52:33 10.0.2.24 March 09 19:52:33 AirWatch AirWatch Syslog Details are as follows Event Type: ConsoleEvent: DeviceDataModfiedUser: domain\JoeUserEvent Source: ServerEvent Module: DashboardEvent Category: DeviceEvent Data: Device=User iPhone iOS 10.2.1 X0XX;DeviceData=OwnerGroup;LoginSessionID=xx1xxx0xxxxx"
| append
[| makeresults
| eval _raw="Mar 9 13:52:32 10.0.2.24 March 09 19:52:32 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: RemoveProfileRequestedUser: sysadminEvent Source: ServerEvent Module: DashboardEvent Category: CommandEvent Data: Profile=iOS Visual Privacy Webcli"]
| fields - _time
| rex "Event\sType:\s(?<EventType>[^\s]+)Event:\s(?<Event>[^\s]+)User:\s(?<User>[^\s]+)Event\sSource:\s(?<EventSource>[^\s]+)Event\sModule:\s(?<EventModule>[^\s]+)Event\sCategory:\s(?<EventCategory>[^\s]+)Event\sData:\s(?<EventData>(?:(?:Device=(?<Device>[^;\r\n]+);?)|(?:DeviceData=(?<DeviceData>[^;\r\n]+);?)|(?:LoginSessionID=(?<LoginSessionID>[^;\r\n]+);?)|(?:Profile=(?<Profile>[^;\r\n]+);?))*)"
| table EventType Event User EventSource EventModule EventCategory EventData Device DeviceData LoginSessionID Profile
You can play and test with it here: https://regex101.com/r/GEpAOP/1/
I.e. You may need to expand the (?<EventData>) grouping to cater for different Keys in that section.
Good luck - I hope you find a much simpler way!
... View more
03-13-2017
09:03 PM
Great to hear that you got it working!
If you're happy that the question is resolved, just accept this as the answer, then it gets marked a 'done' when others are looking.
Happy Splunking!
... View more
03-12-2017
11:37 PM
1 Karma
Hi,
You could try using a combination of iplocation and geostats to generate a report.
Here's an example.
This first part is just to create a result to test with (you'd use the actual data from your search):
| makeresults
| fields - _time
| eval TrueClientIP="222.205.40.26"
You can then pipe the results to the iplocation command, which will lookup that latitude and longitude:
| iplocation TrueClientIP
Which returns:
Then pipe this to geostats with the aggregation function. So something like this:
| geostats count by TrueClientIP
If you then go to the Visualization tab and select the 'Cluster Map' chart, you should get something like this:
Have a go with those commands and see how you get on.
... View more
03-11-2017
06:35 PM
Hi,
One approach you could try is to rule out the 'unknown' characters problem by trying your extractions as rex commands first.
I tried this with:
| makeresults | fields - _time
| eval _raw="Mar 9 13:52:33 10.0.2.24 March 09 19:52:33 AirWatch AirWatch Syslog Details are as follows Event Type: ConsoleEvent: DeviceDataModfiedUser: domain\JoeUser Source: ServerEvent Module: DashboardEvent Category: DeviceEvent Data: Device=User iPhone iOS 10.2.1 X0XX;DeviceData=OwnerGroup;LoginSessionID=xx1xxx0xxxxx"
| rex "Device=(?P<Device>[^;]+);"
| rex "DeviceData=(?P<DeviceData>[^;]+);"
| rex "Event:\s+(?P<Event>\w+)User"
| rex "Category:\s+(?P<EventCategory>\w+)Event"
| rex "Module:\s+(?P<EventModule>\w+)Event"
| rex "Event\sType:\s+(?P<EventType>\w+)Event"
| rex "User:\s+(?P<User>[^\s]+)"
| rex "Source:\s+(?P<EventSource>\w+)Event"
A number of your regex statements were slightly off, so I've modified them. This now returns:
I'm not 100% sure it would be the cause, but I'd avoid using the 'space' character in the regex, especially when you put them in props.conf I always go with the \s just to be explicit.
For example. I've avoid this:
EXTRACT-EventType = Event Type:\s+(?P<EventType>\S+)Event
And go instead with:
EXTRACT-EventType = Event\sType:\s+(?P<EventType>\w+)Event
It should be fine, it's more just force of habit for me.
If the rex command work but then don't when you move them over to the props.conf file, you can check the config for that sourcetype with btool .
For example, if the sourcetype for your data was 'extract-test' you could run the command:
./splunk btool props list extract-test --debug
This will give you all of the props config for that sourcetype and which file the config is coming from. It would look a bit like this:
/Splunk/etc/system/local/props.conf [extract-test]
/Splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/Splunk/etc/system/default/props.conf AUTO_KV_JSON = true
/Splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =
/Splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/Splunk/etc/system/default/props.conf CHARSET = UTF-8
/Splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/Splunk/etc/system/local/props.conf EXTRACT-Device = Device=(?P<Device>[^;]+);
/Splunk/etc/system/local/props.conf EXTRACT-DeviceData = DeviceData=(?P<DeviceData>[^;]+);
/Splunk/etc/system/local/props.conf EXTRACT-Event = Event:\s+(?P<Event>\w+)User
/Splunk/etc/system/local/props.conf EXTRACT-EventCategory = Category:\s+(?P<EventCategory>\w+)Event
/Splunk/etc/system/local/props.conf EXTRACT-EventModule = Module:\s+(?P<EventModule>\w+)Event
/Splunk/etc/system/local/props.conf EXTRACT-EventSource = Source:\s+(?P<EventSource>\w+)Event
/Splunk/etc/system/local/props.conf EXTRACT-EventType = Event\sType:\s+(?P<EventType>\w+)Event
/Splunk/etc/system/local/props.conf EXTRACT-User = User:\s+(?P<User>[^\s]+)
/Splunk/etc/system/default/props.conf HEADER_MODE =
/Splunk/etc/system/default/props.conf LEARN_MODEL = true
/Splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/Splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/Splunk/etc/system/default/props.conf MATCH_LIMIT = 100000
/Splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/Splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2
/Splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/Splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/Splunk/etc/system/default/props.conf MAX_EVENTS = 256
/Splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/Splunk/etc/system/default/props.conf MUST_BREAK_AFTER =
/Splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =
/Splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =
/Splunk/etc/system/default/props.conf SEGMENTATION = indexing
/Splunk/etc/system/default/props.conf SEGMENTATION-all = full
/Splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/Splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/Splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/Splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/Splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True
/Splunk/etc/system/default/props.conf TRANSFORMS =
/Splunk/etc/system/default/props.conf TRUNCATE = 10000
/Splunk/etc/system/default/props.conf detect_trailing_nulls = false
/Splunk/etc/system/default/props.conf maxDist = 100
/Splunk/etc/system/default/props.conf priority =
/Splunk/etc/system/default/props.conf sourcetype =
Have a go with some of the tweaked regular expressions via rex first, then move them into props.conf , restart then check with btool and see where you're at.
Your approach is fine and should work, there's just going to be a small niggle tripping you up somewhere!
With the regex and props.conf above, I think I get the result you're looking for in my test:
... View more
03-10-2017
09:59 PM
Hi,
I'm not sure if I can give you the answer that you're looking for, but I might be able to point you in the direction of some places to look.
I think when posting your question, you didn't quite get all the formatting as code so it's a bit broken. No worries, we'll try to figure it out.
Some things to note:
You can't use <fieldset></fieldset> tags within the <drilldown></drilldown> Event Handler.
Check this out in the docs: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#drilldown
The <condition></condition> element works slightly differently in <drilldown></drilldown> . You can't use it with a match command.
Have a look here: http://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#Condition_.28drilldown.29
One strategy you could try would be to create an <input type="dropdown"></input> and populate it with a search that lists all of your HostNames
Then you could use <change></change> and <condition></condition> elements to create your Prefixhost token.
Alternatively, if you want to use the <table></table> and <drilldown></drilldown> approach, you could eval the correct Macro Name into the search.
Then when your users click on a row, you can take that Macro Name token and use it to create later searches.
Like this:
I know that this may not be exactly what you're looking for, but it might spark some ideas.
Finally, if you haven't come across it yet in your Splunk journey, check out the excellent 'Dashboard Examples App' on Splunkbase. Install it on a test system, and use it as a reference for what's possible. You can find it here: https://splunkbase.splunk.com/app/1603/
Best of luck.
Here's the code for that example, which you could paste into a new Dashboard just to see what I mean
(You can ignore the search , that was just to create some data to work with):
<dashboard>
<label>Test - Table Drilldown</label>
<row>
<panel>
<title>My Data</title>
<table>
<search>
<query>
<![CDATA[| makeresults
| fields - _time
| eval HostName=mvappend("CH1234", "/1234", "ATC1234", "L1234", "1CP", "W1234")
| mvexpand HostName
| eval Time=strftime(time(),"%H:%M:%S %d/%m/%Y"), OtherTime=strftime(time()+121,"%H:%M:%S %d/%m/%Y")
| eval Environment=case(match(HostName,"^CH.*"),"US_Macro",match(HostName,"^/\d.*|^ATC.*|^L.*|^\dCP.*|^W.*"),"AD_Macro")
| table HostName Time OtherTime Environment
]]>
</query>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<set token="my.click.name">$click.name$</set>
<set token="my.click.value">$click.value$</set>
<set token="my.click.name2">$click.name2$</set>
<set token="my.click.value2">$click.value2$</set>
<set token="my.row.hostname">$row.HostName$</set>
<set token="my.row.time">$row.Time$</set>
<set token="my.row.othertime">$row.OtherTime$</set>
<set token="my.row.environment">$row.Environment$</set>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<html>
<div>click.name = $my.click.name$</div>
<div>click.value = $my.click.value$</div>
<div>click.name2 = $my.click.name2$</div>
<div>click.value2 = $my.click.value2$</div>
<div>row.HostName = $my.row.hostname$</div>
<div>row.Time = $my.row.time$</div>
<div>row.OtherTime = $my.row.othertime$</div>
<h3>row.Environment = $my.row.environment$</h3>
<h3>Run this search: $my.row.environment$_Process($my.row.hostname$)</h3>
</html>
</panel>
</row>
</dashboard>
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-08-2021
01:07 AM
|
Karma from
