×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mbasharat
Builder
Member since: ‎01-10-2018
2 weeks ago
Community Statistics
Posts 254
Solutions 4
Karma Given 13
Karma Received 17
Member Since ‎01-10-2018
Activity Feed
Topics I've Started
View All

Re: Need to see data for the months with no events...

by in Splunk Search
2 weeks ago
2 weeks ago
Below is one sanitized raw test event: 2025-03-18 13:03:07.000, ID="484294162", Documentable="No", System="A1234", Group="GSS-27", Environment="3 TEST", Datasource="abcd.test.com", DBMSProduct="MS SQL SERVER", FindingType="Pass", SeverityCode="2 HIGH", SeverityScore="8.0", TestID="0000", TestName="SQL Server must generate audit records when unsuccessful attempts to modify categorized information occur.", TestDescription="Changes in categories of information must be tracked. Without an audit trail, unauthorized access to protected data could go undetected. To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones. For detailed information on categorizing information, refer to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. If auditing the modification of data classifications is not required, this is not applicable.", FindingDescription="Auditing unsuccessful attempts to modify categorized information is set up correctly.", TestResultID="123456789101112131415", RemediationRule="1", RemediationAssignment="N/A", RemediationAnalysis="This test passed. No remediation necessary.", RemediationGuidance="No action required.", ExternalReference="STIG_Reference - SQL6-D0-014000 : STIG_SRG - SRG-APP-000498-DB-000347", VersionLevel="16.0", PatchLevel="0000", Reference="Sample14", VulnerabilityType="CONF", ScanTimestamp="2025-03-18 09:03:07.0000000", FirstExecution="2022-12-06 10:08:32.0000000", LastExecution="2025-03-18 09:03:35.0000000", CurrentScore="Pass", CurrentScoreSince="2022-12-06 10:08:32.0000000", CurrentScoreDays="833", AcknowledgedServiceAccount="No", SecurityAssessmentName="A1234_TEST (MS SQL SERVER)", CollectorID="testcollector", ScanYear="2025", ScanMonth="3", ScanDay="18", ScanCycle="2", Description="A1234;TEST;GSS-27", Host="12345.sample.test.com", Port="1234" ... View more

Re: Need to see data for the months with no events...

by in Splunk Search
2 weeks ago
2 weeks ago
@ITWhisperer  I made adjustments as you suggested above and getting below results. Using one system and group sample. Running search for 6 months and need to see 0 for the months with no data/events. Above adjustments give only the months with data. System Group ScanMonth ScanYear Environment TOTAL 1_LOW 2_MEDIUM 3_HIGH 4_CRITICAL A1234 GSS-27 2 2025 3_TEST 216 2 28 155 31 A1234 GSS-27 3 2025 3_TEST 430 4 56 308 62 A1234 GSS-27 2 2025 4_DEV 222 2 28 161 31 A1234 GSS-27 3 2025 4_DEV 444 4 56 322 62   Needed: System Group ScanMonth ScanYear Environment TOTAL 1_LOW 2_MEDIUM 3_HIGH 4_CRITICAL A6020B GSS-27 1 2025 3_TEST 0 0 0 0 0 A6020B GSS-27 2 2025 3_TEST 216 2 28 155 31 A6020B GSS-27 3 2025 3_TEST 430 4 56 308 62 A6020B GSS-27 1 2025 4_DEV 0 0 0 0 0 A6020B GSS-27 2 2025 4_DEV 222 2 28 161 31 A6020B GSS-27 3 2025 4_DEV 444 4 56 322 62 A6020B GSS-27 10 2024 3_TEST 0 0 0 0 0 A6020B GSS-27 11 2025 3_TEST 0 0 0 0 0 A6020B GSS-27 12 2026 3_TEST 0 0 0 0 0 A6020B GSS-27 10 2027 4_DEV 0 0 0 0 0 A6020B GSS-27 11 2028 4_DEV 0 0 0 0 0 A6020B GSS-27 12 2029 4_DEV 0 0 0 0 0 ... View more

Need to see data for the months with no events as ...

by in Splunk Search
2 weeks ago
2 weeks ago
Hi all, I have a situation. Below is my search. Search needs to produce past 6 months of report. The goal is to produce ZEROs for the months with no events. However, below search is producing results with ZEROs for the whole year instead of just 6 months. How to make it do only for 6 months? Thank you! Search: index=sample_index sourcetype=sample_sourcetype AcknowledgedServiceAccount="No" System="ABC" | eval ScanMonth_Translate=case( ScanMonth="1","January", ScanMonth="2","February", ScanMonth="3","March", ScanMonth="4","April", ScanMonth="5","May", ScanMonth="6","June", ScanMonth="7","July", ScanMonth="8","August", ScanMonth="9","September", ScanMonth="10","October", ScanMonth="11","November", ScanMonth="12","December") | fields ID, System, GSS, RemediationAssignment, Environment, SeverityCode, ScanYear, ScanMonth | fillnull value="NULL" ID, System, GSS, RemediationAssignment, Environment, SeverityCode, ScanYear, ScanMonth | foreach System Group Environment ScanMonth, ScanYear, SeverityCode [| eval <<FIELD>> = split(<<FIELD>>, "\n") | eval <<FIELD>> = split(<<FIELD>>, "\n") | eval <<FIELD>> = split(<<FIELD>>, "\n") | eval <<FIELD>> = split(<<FIELD>>, "\n") | eval <<FIELD>> = split(<<FIELD>>, "\n") | eval <<FIELD>> = split(<<FIELD>>, "\n") ] | stats count AS Total_Vulnerabilities BY ScanMonth, ScanYear, System, Group, Environment, SeverityCode | fields System, Group, ScanMonth, ScanYear, Environment, SeverityCode, Total_Vulnerabilities | stats values(eval(if(SeverityCode="1 CRITICAL",Total_Vulnerabilities, null()))) as "4_CRITICAL" values(eval(if(SeverityCode="2 HIGH",Total_Vulnerabilities, null()))) as "3_HIGH" values(eval(if(SeverityCode="3 MEDIUM",Total_Vulnerabilities, null()))) AS "2_MEDIUM" values(eval(if(SeverityCode="4 LOW",Total_Vulnerabilities, null()))) as "1_LOW" sum(Total_Vulnerabilities) AS TOTAL by System, Group, ScanMonth, ScanYear, Environment | fillnull value="0" 4_CRITICAL, 3_HIGH, 2_MEDIUM, 1_LOW | fields System, Group, Environment, ScanMonth, ScanYear, 4_CRITICAL, 3_HIGH, 2_MEDIUM, 1_LOW, TOTAL | replace "*PROD*" WITH "1_PROD" IN Environment | replace "*DR*" WITH "2_DR" IN Environment | replace "*TEST*" WITH "3_TEST" IN Environment | replace "*DEV*" WITH "4_DEV" IN Environment | sort 0 + System, GSS, Environment, ScanMonth, ScanYear | append [| makeresults | eval ScanMonth="1,2,3,4,5,6,7,8,9,10,11,12" | eval 4_CRITICAL="0" | eval 3_HIGH="0" | eval 2_MEDIUM="0" | eval 1_LOW="0" | eval TOTAL="0" | makemv delim="," ScanMonth | stats count by ScanMonth, 4_CRITICAL, 3_HIGH, 2_MEDIUM, 1_LOW, TOTAL | fields - count ] | fillnull value="0" 4_CRITICAL, 3_HIGH, 2_MEDIUM, 1_LOW, TOTAL | filldown | stats sum(TOTAL) AS TOTAL sum(1_LOW) AS 1_LOW sum(2_MEDIUM) AS 2_MEDIUM sum(3_HIGH) AS 3_HIGH sum(4_CRITICAL) AS 4_CRITICAL by System, Group, ScanMonth, ScanYear, Environment | sort 0 + System, Group, Environment, ScanMonth, ScanYear Output: System Group ScanMonth ScanYear Environment TOTAL 1_LOW 2_MEDIUM 3_HIGH 4_CRITICAL A1234 GSS-27 2 2025 3_TEST 216 2 28 155 31 A1234 GSS-27 3 2025 3_TEST 430 4 56 308 62 A1234 GSS-27 1 2025 4_DEV 0 0 0 0 0 A1234 GSS-27 2 2025 4_DEV 222 2 28 161 31 A1234 GSS-27 3 2025 4_DEV 444 4 56 322 62 A1234 GSS-27 4 2025 4_DEV 0 0 0 0 0 A1234 GSS-27 5 2025 4_DEV 0 0 0 0 0 A1234 GSS-27 6 2025 4_DEV 0 0 0 0 0 A1234 GSS-27 7 2025 4_DEV 0 0 0 0 0 A1234 GSS-27 8 2025 4_DEV 0 0 0 0 0 A1234 GSS-27 9 2025 4_DEV 0 0 0 0 0 A1234 GSS-27 10 2025 4_DEV 0 0 0 0 0 A1234 GSS-27 11 2025 4_DEV 0 0 0 0 0 A1234 GSS-27 12 2025 4_DEV 0 0 0 0 0 Desired Output: System Group ScanMonth ScanYear Environment TOTAL 1_LOW 2_MEDIUM 3_HIGH 4_CRITICAL A1234 GSS-27 1 2025 3_TEST 0 0 0 0 0 A1234 GSS-27 2 2025 3_TEST 221 3 4 214 0 A1234 GSS-27 3 2025 3_TEST 430 4 56 308 62 A1234 GSS-27 10 2024 3_TEST 0 0 0 0 0 A1234 GSS-27 11 2024 3_TEST 0 0 0 0 0 A1234 GSS-27 12 2024 3_TEST 5 1 2 0 2 A1234 GSS-27 1 2025 4_DEV 10 5 2 2 1 A1234 GSS-27 2 2025 4_DEV 0 0 0 0 0 A1234 GSS-27 3 2025 4_DEV 0 0 0 0 0 A1234 GSS-27 10 2024 4_DEV 12 4 3 2 3 A1234 GSS-27 11 2024 4_DEV 20 10 5 2 3 A1234 GSS-27 12 2024 4_DEV 0 0 0 0 0 ... View more
Labels

Re: JSON extraction needed

by in Splunk Search
‎02-18-2025 02:35 PM
‎02-18-2025 02:35 PM
Thank you @livehybrid !!!!! I knew I was dosing off at the end of the day.... LOL ... View more

JSON extraction needed

by in Splunk Search
‎02-18-2025 01:34 PM
‎02-18-2025 01:34 PM
Hi. I have below raw event/s. Highlighted Syntax: { [-]    body: {"isolation": "isolation","device_classification": "Network Access Control","ip": "1.2.3.4", "mac": "Unknown","dns_hn": "XYZ","policy": "TEST_BLOCK","network_fn": "CounterACT Device","os_fingerprint": "CounterACT Appliance","nic_vendor": "Unknown Vendor","ipv6": "Unknown",}    ctupdate: notif    eventTimestamp: 1739913406    ip: 1.2.3.4    tenant_id: CounterACT__sample } Raw Text: {"tenant_id":"CounterACT__sample","body":"{\"isolation\": \"isolation\",\"device_classification\": \"Network Access Control\",\"ip\": \"1.2.3.4\", \"mac\": \"Unknown\",\"dns_hn\": \"XYZ\",\"policy\": \"TEST_BLOCK\",\"network_fn\": \"CounterACT Device\",\"os_fingerprint\": \"CounterACT Appliance\",\"nic_vendor\": \"Unknown Vendor\",\"ipv6\": \"Unknown\",}","ctupdate":"notif","ip":"1.2.3.4","eventTimestamp":"1739913406"} I need below fields=value extracted from each event at search time. It is a very small dataset: isolation=isolation policy=TEST_BLOCK ctupdate=notif ip=1.2.3.4 ipv6=Unknown mac=Unknown dns_hn=XYZ eventTimestamp=1739913406 Thank you in advance!!! ... View more
Labels

Re: Lookup definition is outputting incomplete res...

by in Splunk Search
‎11-20-2024 07:25 AM
‎11-20-2024 07:25 AM
@dural_yyz yes, field names are kept different. ... View more

Lookup definition is outputting incomplete results

by in Splunk Search
‎11-20-2024 06:23 AM
‎11-20-2024 06:23 AM
Hi, I have a simple search which is using a lookup definition based off of a lookup. This lookup is large. Search has been using this lookup perfectly fine outputting correct results. Since upgrade to below version of Splunk Enterprise, this output is not happening like it used to. Matched output is significantly reduced resulting in NULL values for many fields even though lookup is complete and has no issues. I am wondering what has changed that is causing this in below version and how to remediate it? Splunk Enterprise Version: 9.3.1 Build: 0b8d769cb912 index=A sourcetype=B | stats count by XYZ | lookup ABC XYZ as XYZ OUTPUT FieldA, FieldB ... View more
Labels

Re: How to compare and calculate comparison flag f...

by in Splunk Search
‎04-11-2024 07:54 AM
1 Karma
‎04-11-2024 07:54 AM
1 Karma
Thanks @richgalloway!! ... View more

How to compare and calculate comparison flag for t...

by in Splunk Search
‎04-10-2024 04:57 PM
‎04-10-2024 04:57 PM
Hi,  I have below scenario. My brain is very slow at this time of the day! I need an eval to create Status field as in the table below that will flag a host if it is running on IPv4 OR IPv6 OR both IPv4 +IPv6.  HOSTNAME IPv4 IPv6 Status SampleA 0.0.0.1   IPv4 SampleB   0.0.0.2 IPv6 SampleC 0.0.0.3 A:B:C:D:E:F IPv4 + IPv6 Thanks in-advance!!! ... View more
Labels

Re: Field extraction needed

by in Splunk Search
‎07-20-2023 09:20 AM
‎07-20-2023 09:20 AM
Hi @ITWhisperer  Patience is a virtue and tolerance is the by product of it including many other things. Specially when the trunk has a sticker "Student driver"! 😁 Btw, I did explain everything well, however @yuanliu added a little more clarity with mentioning (1) and (2). Appreciate ya' all as always!!! Don't lose patience 😋😜 ... View more

Re: Field extraction needed

by in Splunk Search
‎07-20-2023 09:16 AM
‎07-20-2023 09:16 AM
Hi @yuanliu This was it! It worked per your solution. Thank you!!!😊 ... View more

Re: Field extraction needed

by in Splunk Search
‎07-17-2023 10:08 AM
‎07-17-2023 10:08 AM
Hi yuanliu, I did try that. See my notes in parenthesis. I will try to explain again. namespace      imageName c-esm-sat        c-ecm-dev/das-dynamic-filter-services/sample                               (there is no space nor any delimiter between the 1st value at the top and the 2nd one below)                                c-ecm-sat/irtf-das-service Final results need to be: namespace                      Environment        imageName c-esm-sat                        c-ecm-dev            /das-dynamic-filter-services c-esm-sat                        c-ecm-dev            /sample c-esm-sat                        c-ecm-sat             /irtf-das-service ... View more

Re: Field extraction needed

by in Splunk Search
‎07-16-2023 07:33 AM
‎07-16-2023 07:33 AM
Hi yuanlu,   Yes it does. See below from Event #3: imageName="raas/jggmb/graph-analysis" Which is actually needed as below since there can be multiple imageName in each namespace separated by /: namespace    imageName NULL                        raas NULL                        iggmb NULL                        graph-analysis The challenge is not the /, it is that imageName can be multivalued field as below which I had mentioned in the very first post sample. The issue is the mv because there is no  delimiter between the first and second value of mv as shown below: namespace                      imageName c-esm-sat                        c-ecm-dev/das-dynamic-filter-services/sample                                               c-ecm-sat/irtf-das-service And this needs to be first extracted as below: namespace                      imageName c-esm-sat                        c-ecm-dev/das-dynamic-filter-services/sample c-esm-sat                        c-ecm-sat/irtf-das-service And final results are to be: namespace                      Environment        imageName c-esm-sat                        c-ecm-dev            /das-dynamic-filter-services c-esm-sat                        c-ecm-dev            /sample c-esm-sat                        c-ecm-sat             /irtf-das-service Also, the first group is the Environment as I highlighted in red above. I am not worried about Environment because if I can have the value 1 and value 2 separated, It can them delimit Environment easily. I hope I explained better this time. ... View more

Re: Field extraction needed

by in Splunk Search
‎07-15-2023 04:16 PM
‎07-15-2023 04:16 PM
Hi folks, See below 4 samples. Field names are namespace and imageName in the events. Much appreciated!!! 07/14/2023 23:37:50 +0000, search_name="Sample", search_now=1689379860.000, info_min_time=1686787200.000, info_max_time=1689379897.133, info_search_time=1689379894.139, IP=NULL, OS=NULL, DNS=NULL, GSS=NULL, qid=650035, AO=NULL, cveids="CVE-2020-14145", result="Vulnerable version of OpenSSH Detected:OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020", imageId=45a89e408277, isDrift=false, CATEGORY=NULL, ISSO=NULL, PROJECTS=NULL, hostname="test.com", imageSha=000000000000000000000000000000, os_group=NULL, LAST_SEEN=NULL, imageName="raas/jggmb/graph-analysis", imageUuid="0000000000-000000000000-000000000", namespace=NULL, vulnTitle="OpenSSH Information Disclosure Vulnerability (Generic)", containerState=RUNNING, softwareFixVersion=NULL, PRJ_GROUP_EMAIL=NULL, Business_Group=UNASSIGNED, vulnFirstfound="2023-07-06T18:16:21Z", imageScanType=null, POC_EMAIL=NULL, cvss3TemporalScore="5.4", SYSTEMNAME=NULL, RESPONSIBILITY_CODE=NULL, vulnLastfound="2023-07-06T18:16:21Z", cvss3BaseScore="5.9", AO_EMAIL=NULL, POC_NAME=NULL, PRJ_NAME=NULL, Severity=Moderate, Environment=NULL, containerId=000000000000, EMAIL=NULL, containerSha=000000000000000000000000000000000, softwareVersion=NULL, softwareName=NULL, vulnCategory="Security Policy", vulnSolution="OpenSSH team committed a partial mitigation of this issue which is included in openssh 8.4.<BR> Refer to <A HREF='https://www.openssh.com/' TARGET='_blank'>OpenSSH 8.4</A> for details.<P>", containerCreated="2023-07-06T18:08:01Z", containerUpdated="2023-07-06T18:16:21Z"     07/15/2023 00:10:08 +0000, search_name="sample", search_now=1689379860.000, info_min_time=1686787200.000, info_max_time=1689379897.133, info_search_time=1689379894.139, IP="0.0.0.0", OS="Red Hat Enterprise Linux Server 7.9", DNS="sample.com", GSS="TestGSS", qid=199358, AO=NULL, cveids="CVE-2019-17594 CVE-2019-17595 CVE-2021-39537 CVE-2022-29458 CVE-2023-29491", result="#table cols=\"3\" Package Installed_Version Required_Version libtinfo6 6.2-0ubuntu2 6.2-0ubuntu2.1 libncurses6 6.2-0ubuntu2 6.2-0ubuntu2.1 ncurses-bin 6.2-0ubuntu2 6.2-0ubuntu2.1 ncurses-base 6.2-0ubuntu2 6.2-0ubuntu2.1 libncursesw6 6.2-0ubuntu2 6.2-0ubuntu2.1", imageId=976ed922248e, isDrift=true, CATEGORY=SERVER, ISSO=NULL, PROJECTS=NULL, hostname="test.com", imageSha=00000000000000000000000000, os_group="RHEL 7", LAST_SEEN="2023-07-14T07:32:50Z", imageName="raas/cdw-api", imageUuid="000000000000-0000000000000000-00000000000", namespace=xyz, vulnTitle="Ubuntu Security Notification for ncurses Vulnerabilities (USN-6099-1)", containerState=RUNNING, softwareFixVersion="6.2-0ubuntu2.1", PRJ_GROUP_EMAIL=NULL, Business_Group=UNASSIGNED, vulnFirstfound="2023-05-27T00:52:20Z", imageScanType=null, POC_EMAIL=NULL, cvss3TemporalScore="7.9", SYSTEMNAME=ADMIN, RESPONSIBILITY_CODE="ABC Group", vulnLastfound="2023-07-13T20:02:42Z", cvss3BaseScore="8.8", AO_EMAIL=NULL, POC_NAME=NULL, PRJ_NAME=NULL, Severity=High, Environment=NULL, containerId=00000000000, ISSO_EMAIL=NULL, containerSha=0000000000000000000000000000000000000000, softwareVersion="6.2-0ubuntu2", softwareName="libncurses6:amd64 libncursesw6:amd64 libtinfo6:amd64 ncurses-base ncurses-bin", vulnCategory=Ubuntu, vulnSolution="Refer to Ubuntu security advisory <A HREF='https://ubuntu.com/security/notices/USN-6099-1' TARGET='_blank'>USN-6099-1</A> for updates and patch information. <P>Patch:<BR> Following are links for downloading patches to fix the vulnerabilities: <P> <A HREF='https://ubuntu.com/security/notices/USN-6099-1' TARGET='_blank'>USN-6099-1:Ubuntu Linux</A>", containerCreated="2023-05-18T23:41:47Z", containerUpdated="2023-07-13T20:02:42Z"     07/14/2023 23:43:10 +0000, search_name="Sample", search_now=1689379860.000, info_min_time=1686787200.000, info_max_time=1689379897.133, info_search_time=1689379894.139, IP=NULL, OS=NULL, DNS=NULL, GSS=NULL, qid=106124, AO=NULL, cveids=NULL, result="#table cols=\"1\" End_of_Life_Node.js_version_Detected___node:_'17.8.0',_/opt/conda/envs/rapids", imageId=bd2ba01f6d48, isDrift=false, CATEGORY=NULL, ISSO=NULL, PROJECTS=NULL, hostname="sample.com", imageSha=000000000000000000000000000000000, os_group=NULL, LAST_SEEN=NULL, imageName="raas/bpa-lab/rapidsai-22.08-cuda11.4-centos7-py3.8", imageUuid="000000000000-0000000000000-0000000000000", namespace=NULL, vulnTitle="EOL/Obsolete Software: Node.js 17.x Detected", containerState=RUNNING, softwareFixVersion=NULL, PRJ_GROUP_EMAIL=NULL, Business_Group=UNASSIGNED, vulnFirstfound="2023-07-11T18:47:56Z", imageScanType=null, POC_EMAIL=NULL, cvss3TemporalScore="9.0", SYSTEMNAME=NULL, RESPONSIBILITY_CODE=NULL, vulnLastfound="2023-07-13T21:54:18Z", cvss3BaseScore="9.8", AO_EMAIL=NULL, POC_NAME=NULL, PRJ_NAME=NULL, Severity=Critical, Environment=NULL, containerId=000000000000, ISSO_EMAIL=NULL, containerSha=00000000000000000000000000, softwareVersion=NULL, softwareName=NULL, vulnCategory="Security Policy", vulnSolution=NULL, containerCreated="2023-07-11T18:37:46Z", containerUpdated="2023-07-13T21:54:18Z"     07/15/2023 12:06:38 +0000, search_name="Sample", search_now=1689423060.000, info_min_time=1686787200.000, info_max_time=1689423094.363, info_search_time=1689423092.507, IP="0.0.0.0", OS="Red Hat Enterprise Linux Server 7.9", DNS="sample.com", GSS="Test1", qid=180276, AO=NULL, cveids="CVE-2021-46663", result="#table cols=\"3\" Package Installed_Version Required_Version mariadb-common 1:10.3.18-0+deb10u1 1:10.3.36-0+deb10u2 libmariadb3 1:10.3.18-0+deb10u1 1:10.3.36-0+deb10u2", imageId=cf879a45faaa, isDrift=true, CATEGORY=SERVER, ISSO=NULL, PROJECTS=ABC, hostname="sample.com", imageSha=000000000000000000, os_group="RHEL 7", LAST_SEEN="2023-07-15T00:59:17Z", imageName=postgres, imageUuid="0000000000000000", namespace=abcd, vulnTitle="Debian Security Update for mariadb-10.5mariadb-10.3 (CVE-2021-46663)", containerState=RUNNING, softwareFixVersion="1:10.3.36-0+deb10u2", PRJ_GROUP_EMAIL=NULL, Business_Group=UNASSIGNED, vulnFirstfound="2023-01-13T22:09:56Z", imageScanType=null, POC_EMAIL=NULL, cvss3TemporalScore="5.0", SYSTEMNAME=CDW, RESPONSIBILITY_CODE="XYZ", vulnLastfound="2023-06-20T18:38:31Z", cvss3BaseScore="5.5", AO_EMAIL=NULL, POC_NAME=NULL, PRJ_NAME=NULL, Severity=Moderate, Environment=NULL, containerId=0d74dc575dfb, ISSO_EMAIL=NULL, containerSha=0000000000000000000000000000000000000000, softwareVersion="1:10.3.18-0+deb10u1", softwareName="libmariadb3:amd64 mariadb-common", vulnCategory=Debian, vulnSolution="Refer to Debian security advisory <A HREF='https://security-tracker.debian.org/tracker/CVE-2021-46663' TARGET='_blank'>CVE-2021-46663</A> for updates and patch information. <P>Patch:<BR> Following are links for downloading patches to fix the vulnerabilities: <P> <A HREF='https://security-tracker.debian.org/tracker/CVE-2021-46663' TARGET='_blank'>CVE-2021-46663:Debian</A>", containerCreated="2020-05-08T01:54:27Z", containerUpdated="2023-06-20T21:20:51Z" ... View more

Re: Field extraction needed

by in Splunk Search
‎07-14-2023 06:03 AM
‎07-14-2023 06:03 AM
Hi @gcusello See few raw samples below. Field names are imageName and namespace. I have everything coming normalized except imageName which need to be split up inparallel with namespace the way I have provided in Table B. Sample1: 07/13/2023 17:55:05 +0000, search_name="Sample", search_now=1689271860.000, info_min_time=1686614400.000, info_max_time=1689271894.612, info_search_time=1689271892.776, IP="1.2.3.4", OS="Red Hat Enterprise Linux CoreOS 4.11", DNS=sampledns1, GSS="sample1", qid=241759, AO="user1.com", cveids="CVE-2023-1667 CVE-2023-2283", result="#table cols=\"3\" Package Installed_Version Required_Version libssh-config 0.9.6-3.el8.noarch 0.9.6-10.el8__8 libssh 0.9.6-3.el8.x86__64 0.9.6-10.el8__8", imageId=05ac522d3e87, isDrift=false, CATEGORY=SERVER, ISSO="sampleisso1", PROJECTS=NULL, hostname=sampledns1, imageSha=0000000000000000000000000000000000000000, os_group=OTHER, LAST_SEEN="2023-07-12T20:18:15Z", imageName="<none>", imageUuid="0000000000000000000000", namespace="c-ecm-dev", vulnTitle="Red Hat Update for libssh (RHSA-2023:3839)", containerState=RUNNING, softwareFixVersion="0.9.6-10.el8__8", PRJ_GROUP_EMAIL="[email protected]", Business_Group=UNASSIGNED, vulnFirstfound="2023-07-13T06:35:03Z", imageScanType=null, POC_EMAIL="[email protected]", cvss3TemporalScore="5.9", SYSTEMNAME=NULL, RESPONSIBILITY_CODE="sample respcode", vulnLastfound="2023-07-13T06:35:03Z", cvss3BaseScore="6.5", AO_EMAIL="sampleemail.com", POC_NAME="sample user", PRJ_NAME=ABC, Severity=Moderate, Environment=DEV, containerId=123456789, ISSO_EMAIL="sample3.com", containerSha=000000000000000000000000000000000000000000, softwareVersion="0.9.6-3.el8", softwareName="libssh libssh-config", vulnCategory=RedHat, vulnSolution="Refer to Red Hat security advisory <A HREF='https://access.redhat.com/errata/RHSA-2023:3839' TARGET='_blank'>RHSA-2023:3839</A> for updates and patch information. <P>Patch:<BR> Following are links for downloading patches to fix the vulnerabilities: <P> <A HREF='https://access.redhat.com/errata/RHSA-2023:3839' TARGET='_blank'>RHSA-2023:3839:Red Hat Enterprise Linux</A>", containerCreated="2023-07-13T06:31:14Z", containerUpdated="2023-07-13T06:35:03Z" Sample2: 07/14/2023 11:39:39 +0000, search_name="sample", search_now=1689336660.000, info_min_time=1686700800.000, info_max_time=1689336695.166, info_search_time=1689336692.365, IP=NULL, OS=NULL, DNS=NULL, GSS=NULL, qid=500500, AO=NULL, cveids="CVE-2022-0778", result="#table cols=\"3\" Package Installed_Version Required_Version libcrypto1.1 1.1.1k-r0 1.1.1n-r0 libssl1.1 1.1.1k-r0 1.1.1n-r0", imageId=24ae535b6904, isDrift=false, CATEGORY=NULL, ISSO=NULL, PROJECTS=NULL, hostname=samplehost, imageSha=000000000000000000000000000000, os_group=NULL, LAST_SEEN=NULL, imageName="c-ecm-dev/mtrdb-integration", imageUuid="000000000-00000000000000000-000000000000000", namespace="sysdig-sdc-cli", vulnTitle="Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)", containerState=RUNNING, softwareFixVersion="1.1.1n-r0", PRJ_GROUP_EMAIL=NULL, Business_Group=UNASSIGNED, vulnFirstfound="2023-07-09T18:18:06Z", imageScanType=null, POC_EMAIL=NULL, cvss3TemporalScore="6.7", SYSTEMNAME=NULL, RESPONSIBILITY_CODE=NULL, vulnLastfound="2023-07-09T18:18:06Z", cvss3BaseScore="7.5", AO_EMAIL=NULL, POC_NAME=NULL, PRJ_NAME=NULL, Severity=High, Environment=NULL, containerId=123456789, ISSO_EMAIL=NULL, containerSha=000000000000000000000000000000000000, softwareVersion="1.1.1k-r0", softwareName="libcrypto1.1 libssl1.1", vulnCategory="Alpine Linux", vulnSolution="Refer to Alpine Linux advisory <A HREF='https://security.alpinelinux.org/srcpkg/openssl' TARGET='_blank'>openssl</A> for updates and patch information. <P>Patch:<BR> Following are links for downloading patches to fix the vulnerabilities: <P> <A HREF='https://security.alpinelinux.org/srcpkg/openssl' TARGET='_blank'>openssl-1.1.1n-r0:Alpine Linux</A>", containerCreated="2023-07-09T18:13:48Z", containerUpdated="2023-07-09T18:18:06Z" Sample3: 07/13/2023 17:40:56 +0000, search_name="sample", search_now=1689271860.000, info_min_time=1686614400.000, info_max_time=1689271894.612, info_search_time=1689271892.776, IP="0.0.0.0", OS="Red Hat Enterprise Linux CoreOS 4.11", DNS=sampledns, GSS="samplegss", qid=241757, AO="[email protected]", cveids="CVE-2023-26604", result="#table cols=\"3\" Package Installed_Version Required_Version systemd-libs 239-68.el8__7.4.x86__64 239-74.el8__8.2", imageId=dcbb6b8e07e2, isDrift=false, CATEGORY=SERVER, ISSO="sample", PROJECTS=NULL, hostname=samplehostname, imageSha=00000000000000000000000000000000, os_group=OTHER, LAST_SEEN="2023-07-12T20:33:03Z", imageName="wi-irps-sat/ir-data-certification-sat c-ecm-dev/irtf-das-service", imageUuid="0000000000-00000000000-000000000000", namespace="c-ecm-dev", vulnTitle="Red Hat Update for systemd (RHSA-2023:3837)", containerState=RUNNING, softwareFixVersion="239-74.el8__8.2", PRJ_GROUP_EMAIL="[email protected]", Business_Group=UNASSIGNED, vulnFirstfound="2023-07-03T10:55:11Z", imageScanType="null null", POC_EMAIL="[email protected]", cvss3TemporalScore="7.0", SYSTEMNAME=NULL, RESPONSIBILITY_CODE="ENTERPRISE CONTAINER", vulnLastfound="2023-07-03T10:55:11Z", cvss3BaseScore="7.8", AO_EMAIL="[email protected]", POC_NAME="sample user", PRJ_NAME=ECM, Severity=High, Environment=DEV, containerId=1234564897, ISSO_EMAIL="[email protected]", containerSha=0000000000000000000000000000000000, softwareVersion="239-68.el8_7.4", softwareName="systemd-libs", vulnCategory=RedHat, vulnSolution="Refer to Red Hat security advisory <A HREF='https://access.redhat.com/errata/RHSA-2023:3837' TARGET='_blank'>RHSA-2023:3837</A> for updates and patch information. <P>Patch:<BR> Following are links for downloading patches to fix the vulnerabilities: <P> <A HREF='https://access.redhat.com/errata/RHSA-2023:3837' TARGET='_blank'>RHSA-2023:3837:Red Hat Enterprise Linux</A>", containerCreated="2023-07-03T10:51:50Z", containerUpdated="2023-07-03T10:55:11Z"   ... View more

Re: Field extraction needed

by in Splunk Search
‎07-14-2023 05:42 AM
‎07-14-2023 05:42 AM
Hi @VatsalJagani  I had tried it and it did not work. ... View more

How do I search field extraction for table?

by in Splunk Search
‎07-13-2023 06:31 PM
‎07-13-2023 06:31 PM
Hi, I have below scenario. Image_Name and Name_Space are being ingested with below variations in table A. Image_name is a multivalued field as shown. I tried using makemv delim but it doesnt work because there is no delimiter e.g. space between the two. I need them separated out as in table B. Thanks in advance! Table A: Image_Name Name_Space <none> c-ecm-dev/das-dynamic-filter-services c-ecm-dev <none> cs-webapps-sat NULL NULL NULL c-aoic-dev c-ecm-dev/das-dynamic-filter-services c-ecm-sat/irtf-das-service c-ecm-sat c-ecm-dev/das-dynamic-filter-services cpopen/ibm-watson-speech-catalog openshift-marketplace c-ecm-sbx/das-pay-gov-services iam-essar-aqt1/iam-essar-aqt1 NULL c-ecm-sbx/das-rendering-service sysdig cs-webapps-sbx/baldue-bwas c-ecm-dev/das-rendering-service c-ecm-dev   Table B: Image_Name Name_Space <none> c-ecm-dev c-ecm-dev/das-dynamic-filter-services c-ecm-dev <none> cs-webapps-sat NULL NULL NULL c-aoic-dev c-ecm-dev/das-dynamic-filter-services c-ecm-sat c-ecm-sat/irtf-das-service c-ecm-sat c-ecm-dev/das-dynamic-filter-services openshift-marketplace cpopen/ibm-watson-speech-catalog openshift-marketplace c-ecm-sbx/das-pay-gov-services NULL iam-essar-aqt1/iam-essar-aqt1 NULL c-ecm-sbx/das-rendering-service sysdig cs-webapps-sbx/baldue-bwas c-ecm-dev c-ecm-dev/das-rendering-service c-ecm-dev ... View more
Labels

Re: Field extraction needed

by in Splunk Search
‎06-04-2023 09:37 AM
‎06-04-2023 09:37 AM
Slight adjustment and  worked out great. Thank you @richgalloway !!! ... View more

Re: Field extraction needed

by in Splunk Search
‎05-31-2023 06:05 AM
‎05-31-2023 06:05 AM
Hi @richgalloway  Can you tell me how did you test below? Any makeresults etc. to test it via search? Thanks! ... View more

Is it possible to do a regex at search time or pre...

by in Splunk Search
‎05-30-2023 11:06 AM
‎05-30-2023 11:06 AM
Hi, I have below raw event. Data is ingested via reading logfiles from dedicated location on monitored server with UF on it. Splunk's default method is not extracting fields as I need. Some fields have nested fields within. Is it possible to do a regex at search time or preferably at index time to do this?   ### Tue Apr 11 00:00:06 CDT 2023: logChangeEventForSplunk() called ###     event.id: 00000000-d825-00000-0cd1-00000000000000     event.time.received: Tue Apr 11 00:00:06 CDT 2023     event.time.first.received: Mon Apr 10 23:56:04 CDT 2023     event.title: TESTING XYZ:CPU Load status changed from OK to Critical     event.description: null     event.state: closed     event.severity: unknown     event.receivedOnCiDowntime: false     event.etiHint: CPULoad:Bottlenecked:82.0     event.isLogOnly: false     forwarding.type: notify_and_update     event.solution: null     event.control.transferred.to.name: <none>     event.control.transferred.to.dns.name:     event.control.transferred.to.state: <none>     event.control.transferred.to.external.id:     event.duplicate_count: 0     event.external.id: urn:uuid:00000000000-d825-00000-0cd1-0000000000000     cause.external.id: null     custom attributes:         SubmitCloseKey=true         bsmc_policy_type=xml-ws     history list:         history line 1:             historyLine.timeCreated.1=2023-04-10 23:56:05.624             historyLine.messageKey.1=null             historyLine.modifiedBy.1=System             historyLine.headline.1=null         history line 2:             historyLine.timeCreated.2=2023-04-10 23:56:05.83             historyLine.messageKey.2=null             historyLine.modifiedBy.2=System             historyLine.headline.2=null         history line 3:             historyLine.timeCreated.3=2023-04-11 00:00:06.336             historyLine.messageKey.3=historylines.component.closing.related.events             historyLine.modifiedBy.3=System             historyLine.headline.3=Closing Related Events     Related CI: 0000000000000000000000000         lic_operational2advanced=false         root_candidatefordeletetime=Sun Apr 30 12:22:50 CDT 2023         data_operationisnew=false         lic_type_basic=false         lic_type_asset=false         lic_type_udf=false         type=nt         root_class=nt         lic_type_udi=false         TenantsUses=System Default Tenant         display_label=XYZMACHINE         data_operationstate=0:Normal         host_key=0.0.0.0 DefaultDomain         lic_type_premium=false         monitored_by=XYZ.ABC.com         data_allow_auto_discovery=true         root_actualdeletetime=Sat May 20 12:22:50 CDT 2023         data_teststate=0:Normal         id=0000000000000000000000         type_label=Windows         project=ABC         default_gateway_ip_address_type=IPv4         data_changecorrstate=0:No Change         last_modified_time=Thu Apr 06 15:05:46 CDT 2023         create_time=Thu Jan 26 12:56:33 CST 2023         TenantOwner=System Default Tenant         data_changestate=0:No Change         primary_dns_name=XYZ.ABC.com         contextmenu=itCIs         global_id=00000000000000000000000000         lic_type_management=false         data_testisnew=false         root_lastaccesstime=Mon Apr 10 12:22:50 CDT 2023         lic_type_operational=false         root_iscandidatefordeletion=false         data_source=XYZ: SAMPLE         data_changeisnew=false         data_testcorrstate=0:Normal         track_changes=false         host_iscomplete=true         name=AAAAAAAAAAAAAAAAAAA         data_operationcorrstate=0:Normal         is_save_persistency=false         data_adminstate=0:Managed                                                                                                                                                lic_type_full=false         root_enableageing=true         data_updated_by=XYZ : ABC ### Tue Apr 11 00:00:06 CDT 2023: logChangeEventForSplunk() finished ### ... View more
Labels

Re: Field extraction help needed- Some fields are ...

by in Splunk Enterprise
‎07-01-2022 05:46 AM
‎07-01-2022 05:46 AM
Hi @ ITWhisperer, I did below before your response and it is working. Did I do this correctly or should I use your version of rex? | rex "FindingDetails=\"(?<FindingDetailsE>[^,]*)\"" | rex "FindingDescription=\"(?<FindingDescriptionE>[^,]*)\"" ... View more

Field extraction help needed: Why are some fields ...

by in Splunk Enterprise
‎06-30-2022 08:41 AM
‎06-30-2022 08:41 AM
Hi, I have below sample event. All field values are getting extracted fine using Splunk's auto extraction. However, some fields are not getting extracted correctly and they get extracted partially. These fields are FindingDetails and FindingDescription highlighted below. How can I get auto extraction in place to extract them all using rex OR how can I extract only these two fields at search time with two separate regexes? All fields are seperated by comma in raw event below and all values are encapsulated in double quotes. Feed is setup via DBConnect running SQL against a DB table and data gets in as is. Splunk Enterprise is @ 8.x. Thanks in advance!!   2022-06-21 10:29:05.000, ID="1234567890", System="SAMPLE", GSystem="SAMPLE", Environment="1 PROD", Datasource="SAMPLE", DBMSProduct="ORACLE", FindingType="Fail", SeverityCode="2 HIGH", SeverityScore="8.0", TestID="1234", TestName="SAMPLE", TestDescription="Application users privileges should be restricted to assignments using application user roles. Granting permissions to accounts is error prone and repetitive. Using roles allows for group management of privileges assigned by function and reduces the likelihood of wrongfully assigned privileges. We recommend assigning permissions to roles and then grant the roles to accounts. This test excludes grantees from a predefined Guardium group called "Oracle exclude default system grantees", APEX_%, ANONYMOUS and PUBLIC grantees. It also excludes grantees for tables SAMPLE and SAMPLE, excludes the DBMS_REPCAT_INTERNAL_PACKAGE table and table name like '%RP'. To exclude certain grantees, you can create an exception group, populate it with authorized grantees and link your group to this test.", FindingDescription="Application users privileges are not restricted to assignments using application user roles. Including 205 items present in test detail exceptions.", FindingDetails="The following users have direct privileges on the tables: Grantee = SAMPLE : Privilege = DELETE : Owner = SAMPLE: Object_name = SAMPLE", TestResultID="123456789", RemediationRule="295", RemediationAssignment="TEST", RemediationAnalysis="Finding passes in the Baseline Configuration. Project needs to initiate tickets in coordination with their DBA to remediate. Specifically a Role needs to be created and the permission flagged in this test added to the role, the user should then be granted to the role and the original permission removed from the user. This is a finding even if documented in the XYZ.", RemediationGuidance="Application users privileges should be restricted to assignments using application user roles. We recommend revoking privileges assigned directly to database accounts and assigning them to roles based on job functions. You can use the following command to revoke privileges: revoke <privilege> on <object name> from <user name>; To exclude certain grantees, you can create an exception group, populate it with authorized grantees and link your group to this test.", ExternalReference="STIG_Reference : STIG_SRG", VersionLevel="19", PatchLevel="19.15.0.0.0", Reference="123", VulnerabilityType="PRIV", ScanTimestamp="2022-06-21 06:29:05.0000000", FirstExecution="2022-01-04 06:38:25.0000000", LastExecution="2022-06-21 06:29:56.0000000", CurrentScore="Fail", CurrentScoreSince="2022-01-04 06:38:25.0000000", CurrentScoreDays="168", Account="TEST", AcknowledgedServiceAccount="Yes", SecurityAssessmentName="TEST", CollectorID="123456789045444444", ScanYear="2022", ScanMonth="6", ScanDay="21", ScanCycle="2", Description="TEST", Host="abcdef.sample.net", Port="0000", ServiceName="SAMPLE"   ... View more

Re: Field extraction needed

by in Splunk Enterprise
‎05-17-2022 08:24 AM
‎05-17-2022 08:24 AM
@VatsalJagani  How have you tested your provided regex in splunk search? I see a slight tweak in yours vs mine. Mine is out there in production so I need to be definitive so please provide test search you have used. Also, can it be search time extraction and if yes then how? Thanks in advance!!! ... View more

Re: Field extraction needed

by in Splunk Enterprise
‎05-14-2022 10:07 AM
‎05-14-2022 10:07 AM
Hi @richgalloway, When I had ingested original dataset, I had used key value pairs to extract a lot of information per requirements and that has been working flawlessly until new requirements came to extract this information.   The rex for field transformation I have been using for this dataset that works as needed is: (\r|\n)*(?<_KEY_1>[^:]+):(?<_VAL_1>[^\r\n]+) Automatically clean field names option is enabled. Thanks! ... View more

What is the best approach to this field extraction...

by in Splunk Enterprise
‎05-14-2022 07:10 AM
‎05-14-2022 07:10 AM
Hi, I have a field name Details. This field contains a lot of information in varying format. e.g. software installed on endpoints, updates installed etc. I need to extract this information from this field. Sample is below. What is the best approach? I need both from configuring field extraction for this in configs or in actual Splunk search using rex or eval. Fields to be extracted: Path Version/Installed Version: Both need to be extracted in a way that *Version* is used to cover variations. Method/Detection Method: Both need to be extracted in a way that *Method* is used to cover variations. Variation 1: <plugin_output> Path : /opt/AdoptOpenJRE/jdk8u332-b09-jre/ Version : 1.8.0_332 Binary Location : /opt/AdoptOpenJRE/jdk8u332-b09-jre/bin/java Details : This Java install appears to be Java Runtime Environment, since "jre" was found in the installation path and javac was not found (medium confidence). This Java install may be Oracle Java or OpenJDK Java due to "org.openjdk.java.util" in the binary (low confidence). Detection Method : "find" utility </plugin_output> Variation 2: <plugin_output> Path : /HP/hpoa/CADE2/HP/nonOV/openadaptor/1_6_5/classes/oa_jdk14_classes.jar Version : 1.1.0 JMSAppender.class association : Found JdbcAppender.class association : Found JndiLookup.class association : Not Found Method : MANIFEST.MF dependency </plugin_output> Variation 3: <plugin_output> Path : /opt/IBM/WebSphere855/AppServer/java_1.7_64/ Installed version : 7.0 Fixed version : 7.0.11.5 Path : /opt/IBM/WebSphere855/AppServer.old/java_1.7_64/ Installed version : 7.0 Fixed version : 7.0.11.5 Path : /opt/IBM/WebSphere855/AppServer.gagan/java_1.7_64/ Installed version : 7.0 Fixed version : 7.0.11.5 Path : /opt/IBM/InstallationManager/eclipse/jre_7.0.100001.20170309_1301/ Installed version : 7.0 Fixed version : 7.0.11.5 </plugin_output> Thanks in-advance!! ... View more
Contact Me
Online Status
Offline
Date Last Visited
2 weeks ago
OSZAR »