Splunk Add-on for Microsoft Windows: How to modify...

rmsit · ‎06-25-2016

Hi all,

I would like to modify the \apps\Splunk_TA_windows\bin\win_listening_ports.bat script so that the netstat -anb command outputs the -b switch that shows the process executable. How do I do this? Any help would be greatly appreciated.

James

jkat54 · ‎06-28-2016

If you look at the results of the netstat -anb command you'll see it looks like this:

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:8000         user-PC:64088          ESTABLISHED
 [splunkd.exe]
  TCP    127.0.0.1:8089         user-PC:64486          TIME_WAIT
  TCP    127.0.0.1:8089         user-PC:64489          TIME_WAIT
  TCP    127.0.0.1:8089         user-PC:64490          TIME_WAIT
  TCP    127.0.0.1:8089         user-PC:64491          TIME_WAIT
  TCP    127.0.0.1:8191         user-PC:49710          ESTABLISHED
 [mongod.exe]
  TCP    127.0.0.1:8191         user-PC:50059          ESTABLISHED

Transforming that so that splunkd.exe is associated with the lines above it will require some line merging and maybe a must break after "]".

So your first step is simply modifying the script by changing line 19 to this:

 for /f "tokens=*" %%G in ('netstat -naob') do (call :output_ports "%%G")

We have to remove the | findstr /r "LISTENING" so that it will show lines above and below the lines that match "LISTENING".

At this point you can use SHOULD_LINEMERGE = True, and MUST_BREAK_AFTER = ]\n\r and EXTRACT-process = [(?.*)] in your props.conf. You'll probably want to remove the column headers too with SEDCMD-removeHeaders = s/Proto.*//g

rmsit · ‎06-29-2016

Should I apply these changes to my global props.conf under \etc\local? Will the changes impact other applications.

rmsit · ‎06-29-2016

Thank you! I will try this.

Splunk Add-on for Microsoft Windows: How to modify the Windows Listening Ports script?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life