Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About kentcoble
kentcoble
Explorer
Member since:
12-13-2017
06-05-2020
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 1 |
| Member Since | 12-13-2017 |
Activity Feed
- Karma Re: "Bad regex" warning after upgrading from Enterprise 6.5.1 to 7.0.1 for agadayev. 06-05-2020 12:49 AM
- Karma Re: Guide for creating Add-ons to deploy to (Universal)Forwarders? for MuS. 06-05-2020 12:49 AM
- Karma Re: Guide for creating Add-ons to deploy to (Universal)Forwarders? for MuS. 06-05-2020 12:49 AM
- Karma Re: Splunk script execution inputs.conf Interval ? for harsmarvania57. 06-05-2020 12:49 AM
- Got Karma for "Bad regex" warning after upgrading from Enterprise 6.5.1 to 7.0.1.. 06-05-2020 12:49 AM
- Posted Re: How do I trim field names in a custom Add-On? on Deployment Architecture. 04-23-2018 09:47 AM
- Posted How do I trim field names in a custom Add-On? on Deployment Architecture. 04-23-2018 09:44 AM
- Tagged How do I trim field names in a custom Add-On? on Deployment Architecture. 04-23-2018 09:44 AM
- Tagged How do I trim field names in a custom Add-On? on Deployment Architecture. 04-23-2018 09:44 AM
- Tagged How do I trim field names in a custom Add-On? on Deployment Architecture. 04-23-2018 09:44 AM
- Tagged How do I trim field names in a custom Add-On? on Deployment Architecture. 04-23-2018 09:44 AM
- Tagged How do I trim field names in a custom Add-On? on Deployment Architecture. 04-23-2018 09:44 AM
- Posted Re: Guide for creating Add-ons to deploy to (Universal)Forwarders? on Getting Data In. 02-27-2018 07:34 AM
- Posted Re: Guide for creating Add-ons to deploy to (Universal)Forwarders? on Getting Data In. 02-26-2018 03:19 PM
- Posted Guide for creating Add-ons to deploy to (Universal)Forwarders? on Getting Data In. 02-26-2018 02:57 PM
- Tagged Guide for creating Add-ons to deploy to (Universal)Forwarders? on Getting Data In. 02-26-2018 02:57 PM
- Tagged Guide for creating Add-ons to deploy to (Universal)Forwarders? on Getting Data In. 02-26-2018 02:57 PM
- Tagged Guide for creating Add-ons to deploy to (Universal)Forwarders? on Getting Data In. 02-26-2018 02:57 PM
- Posted Re: "Bad regex" warning after upgrading from Enterprise 6.5.1 to 7.0.1 on Installation. 02-08-2018 09:40 AM
- Posted Re: "Bad regex" warning after upgrading from Enterprise 6.5.1 to 7.0.1 on Installation. 02-08-2018 09:14 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 |
04-23-2018
09:47 AM
To clarify, this is an Add-On that gets pushed to workstations, i.e. all machines with the UniversalForwarder installed. The props.conf file would be the one included in the Add-On, not the UniversalForwarder props.conf or server-sided props.conf. I'm trying to package everything into the Add-On to make it as convenient as possible.
... View more
04-23-2018
09:44 AM
I've created an Add-On for my workplace that collects the serial numbers of motherboards and local drives. I've constructed the scripts to send this information back in a key=value format. Everything works great as data is fed back to the indexing server from the Universal Forwarder and I can search for the data without issues. Now, I'd like to trim the field names from showing up in the search results, but I'd like to program that into the Add-On.
For example, local drive serial numbers are saved as the sourcetype diskserial and motherboard serial numbers as systemserial . So if I search for either of these, ex. sourcetype=diskserial , the results show up as:
diskserial | host
====================|==============
diskserial=abc12345 | foo.local.com
diskserial=def67890 | bar.local.com
I'd like for the diskserial= to be automagically trimmed off. This would make the output much cleaner and make report generation much easier for our admins. My understanding is that I have to include some kind of Regex in the props.conf file, but I'm not sure how that's supposed to work.
... View more
02-27-2018
07:34 AM
Works like a charm! Thank you so much!
... View more
02-26-2018
03:19 PM
I would just save this under $SPLUNK_HOME/etc/deployment-apps/$NewAppName ? Does it need anything else (i.e. metadata or default folders)?
... View more
02-26-2018
02:57 PM
Our department needs to collect the serial numbers of all physical drives connected to all machines within our network. Since there are over 1000 hosts, we would like to be able to collect this information within Splunk on a fixed interval. Since the Splunk Add-On for Windows and Splunk Add-On for *nix doesn't contain this information, I've developed a Python script that can collect this for us. (A Powershell version for Windows will have to be developed.)
I've reviewed the documentation for Scripted Inputs but this appears to be a manual process for each host. The Add-on Builder also appears to be limited to just Splunk servers. I cannot, for the life of me, find a guide on how to create Add-ons for deployment with UniversalForwarders. I've even tried to review the Windows and *nix Add-Ons but they're very complex.
Can someone point me to any official documentation for creating Add-Ons that are compatible with UniversalForwarders, or to blog posts or any other kind of reference?
... View more
02-08-2018
09:40 AM
That's a code block/snippet. You'll want to encapsulate the text with backticks ( ). Perhaps you could use two backslashes instead, ex. [\S\-\S]`. As a test: [\S\-\S]
... View more
02-08-2018
09:14 AM
You mean change [\S-\S] to [\S\-\S] ?
... View more
01-29-2018
06:59 AM
Just tried to escape the underscores to no avail. Some of the strings don't have them in a range (see line 6), however they all seem to contain [\S-\S] . I've never seen this used before in Regex and question what it's suppose to match (range of non-whitespace to non-whitespace??)
... View more
01-29-2018
06:45 AM
Thanks for that! Using the first command, it appears that these are coming from ms_windows_ad_objects/default/props.conf. I'll copy the file to the local folder and modify it there for testing.
... View more
01-18-2018
04:01 PM
1 Karma
After upgrading Splunk on a test server from 6.5.1 to 7.0.1, we receive the following message when starting Splunk:
01-18-2018 17:22:55.079 WARN btool-support - Bad regex value: '(?msi)(Account\s+Domain\:.*?(Account\s+Domain\:)|Account\s+Domain\:)(?!\s+(\r|\n))\s+(?<dest_nt_domain>[a-zA-Z0-9._[\S-\S][^\r|\n]+)', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_dest_nt_domain_Account_Domain; why: invalid range in character class
01-18-2018 17:22:55.079 WARN btool-support - Bad regex value: '(?msi)(Group\s+Domain\:.*?(Group\s+Domain\:)|Group\s+Domain\:)(?!\s+(\r|\n))\s+(?<dest_nt_domain>[a-zA-Z0-9._[\S-\S][^\r|\n]+)', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_dest_nt_domain_Group_Domain; why: invalid range in character class
01-18-2018 17:22:55.083 WARN btool-support - Bad regex value: '(?msi)Group\:(\s|\r|\n)(.*?Group\sName\:\s+(?<group_name>[\S-\S][^(\r|\n)]+)(\r|\n))(.*?Group\sDomain\:\s+(?<group_domain>[\S-\S][^(\r|\n)]+)(\r|\n))', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_group_name_domain; why: invalid range in character class
01-18-2018 17:22:55.083 WARN btool-support - Bad regex value: '(?msi)Member\:(\s|\r|\n)(.*?Account\sName\:\s+(?<member_dn>[\S-\S][^(\r|\n)]+)(\r|\n))', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_member_dn_Account_Name; why: invalid range in character class
01-18-2018 17:22:55.083 WARN btool-support - Bad regex value: '(?msi)(New\sGroup\:|Group\:)(\s|\r|\n)(.*?Security ID:(\s+(?<group_domain>[^\x5C{1}]+)\x5C{1}|\s+)(?<group_id>[\S-\S][^(\r|\n)]+)(\r|\n))', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_member_group_name_id_domain; why: invalid range in character class
01-18-2018 17:22:55.083 WARN btool-support - Bad regex value: '(?msi)Member\:(\s|\r|\n)(.*?Security ID:(\s+(?<member_domain>[^\x5C{1}]+)\x5C{1}|\s+)(?<member_id>[\S-\S][^(\r|\n)]+)(\r|\n))', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_member_id_member_domain_Security_ID; why: invalid range in character class
01-18-2018 17:22:55.086 WARN btool-support - Bad regex value: '(?msi)(Logon\s+ID\:.*?(Logon\s+ID\:)|Logon\s+ID\:)(?!\s+(\r|\n))\s+(?<session_id>[a-zA-Z0-9._[\S-\S][^\r|\n]+)', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_session_id; why: invalid range in character class
01-18-2018 17:22:55.087 WARN btool-support - Bad regex value: '(?msi)(?:Account\s+Domain\:(?!\s+(\r|\n))\s+(?<src_nt_domain>[a-zA-Z0-9._[\S-\S][^\r|\n]+))', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_src_nt_domain_Account_Domain; why: invalid range in character class
01-18-2018 17:22:55.087 WARN btool-support - Bad regex value: '(?msi)(?:Account\s+Name\:(?!\s+(\r|\n))\s+(?<src_user>[a-zA-Z0-9._[\S-\S][^\r|\n]+))', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_src_user_Account_Name; why: invalid range in character class
01-18-2018 17:22:55.087 WARN btool-support - Bad regex value: '(?msi)(Account\s+Name\:.*?(Account\s+Name\:)|Account\s+Name\:)(?!\s+(\r|\n))\s+(?<user>[a-zA-Z0-9._[\S-\S][^\r|\n]+)', of param: props.conf / [WinEventLog:Security] / EXTRACT-ms_ad_obj_user_Account_Name; why: invalid range in character class
This does not prevent Splunk from running, however we're concerned about any potential impact on parsing logs.
If it helps, we have the following add-ons installed:
Splunk Add-On for Windows Infrastructure 1.4.1
Splunk Add-On for Microsoft Windows 4.8.4
Splunk Add-On for Microsoft Active Directory 1.0.0
Splunk Add-On for Microsoft Windows DNS 1.0.1
MS Windows AD Objects 3.1.1
When I run a grep "WinEventLog:Security" /opt/splunk/etc/apps/*/default/* I cannot find any matches in a props.conf file, so I'm a little confused as to where this is being found.
Any suggestions?
... View more
