- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get a regex setup to tell me whether a sess...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As @richgalloway said... use the app... Specifically the tech addon for Palo Alto: https://splunkbase.splunk.com/app/2757/
The field to determine if you decrypted a session is part of a bit wise field: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Determine-if-Session-was-Decrypted-B...
This means, that while you may be able to use a regex to extract the flag field itself, you're not going to be able to use a regex to interpret the flag to determine if the session was decrypted or not. Instead you'll need bit arithmetic.
If we look at the transforms.conf of the tech addon, you'll see that they use delimiter based extractions instead of regular expressions to extract the field as session_flags. They then in the props.conf use some math to convert the single session_flags field into a multi-valued flags field... this is EVAL-flags in props.conf in the TA.
The flag you're asking about in particular:
if(floor(tonumber(session_flags,16) / pow(2, 24))%2==0,null(),"decrypted")
EDIT: And thanks to this answer by @martin_mueller I realize there's a bug in that line in the TA, and we need to add a %2 into it... so updated.
And issue logged with the TA: https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/17
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As @richgalloway said... use the app... Specifically the tech addon for Palo Alto: https://splunkbase.splunk.com/app/2757/
The field to determine if you decrypted a session is part of a bit wise field: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Determine-if-Session-was-Decrypted-B...
This means, that while you may be able to use a regex to extract the flag field itself, you're not going to be able to use a regex to interpret the flag to determine if the session was decrypted or not. Instead you'll need bit arithmetic.
If we look at the transforms.conf of the tech addon, you'll see that they use delimiter based extractions instead of regular expressions to extract the field as session_flags. They then in the props.conf use some math to convert the single session_flags field into a multi-valued flags field... this is EVAL-flags in props.conf in the TA.
The flag you're asking about in particular:
if(floor(tonumber(session_flags,16) / pow(2, 24))%2==0,null(),"decrypted")
EDIT: And thanks to this answer by @martin_mueller I realize there's a bug in that line in the TA, and we need to add a %2 into it... so updated.
And issue logged with the TA: https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/17
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not use the app?
If you'll post some sample events and the fields you want extracted from them, we can help craft a regex string or find some other way to get what you need.
If this reply helps you, Karma would be appreciated.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
