Splunk Search

eval showing in btool props but does not appear in search

bmorgenthaler
Path Finder

Okay, I'm pulling my hair out here. I'm playing around with Windows Defender events, trying to capture them and get them in with CIM compliance. I've looked at the TA on Splunkbase but it's not working, so I started extracting pieces to see what is going on. I have the event log (WinEventLog://Microsoft-Windows-Windows Defender/Operational) events being ingested and identified, but my EVALs in the props.conf aren't getting through to search.

Here is a list of things I've looked at:

  1. btool check: syntax is correct
  2. btool props list "WinEventLog:Microsoft-Windows-Windows Defender/Operational" --debug: this shows all the EVALs that I'm expecting, including some static values I put in for testing
  3. Web UI -> Settings -> Fields -> Calculated Fields has the EVALs listed and their permissions are global read

So a static EVAL (not a calculated one from a potentially missing field) shows in props, shows in the Calculated Fields list, but DOES NOT show up in a search. I feel like I'm missing something obvious and it's going to be a "duh" moment, but I can't determine what I'm missing.

0 Karma

bmorgenthaler
Path Finder

And I found the answer, I needed to change the props.conf entry for that source from
[WinEventLog:Microsoft-Windows-Windows Defender/Operational]
to
[source::WinEventLog:Microsoft-Windows-Windows Defender/Operational]

Now everything is working. I knew it was a "duh" issue.

0 Karma
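Why the stanza prefix matters, as an added illustration that is not part of the original thread: a props.conf stanza with no `source::` or `host::` prefix is a sourcetype stanza, and the btool output posted further down shows Splunk_TA_windows setting `rename = wineventlog` on this sourcetype. Splunk applies a sourcetype rename at search time, and data from a renamed sourcetype then uses the search-time configuration of the target sourcetype, so an EVAL placed under the original sourcetype stanza is never evaluated, while a `source::` stanza still matches because the source is not renamed. The script below is a simplified, stand-alone model of that matching logic (written for this answer, not Splunk's own code); the props.conf text it parses is constructed to mirror the merged btool output, and the wildcard handling for `...` and `*` in source/host stanzas follows Splunk's documented rules in simplified form.

```python
"""Simplified model of search-time props.conf stanza matching in Splunk.

Assumptions (not Splunk code): a bare stanza name is a sourcetype; `source::`
and `host::` stanzas are patterns where `...` matches anything and `*` matches
anything except a path separator; `rename` in a sourcetype stanza changes the
event's search-time sourcetype, so that stanza's own EVALs stop matching.
"""
import configparser
import re

# Constructed props.conf modelled on the thread's btool output: the rename comes
# from Splunk_TA_windows, the EVALs from a local TA-windefender props.conf.
PROPS_CONF = """
[WinEventLog:Microsoft-Windows-Windows Defender/Operational]
rename = wineventlog
EVAL-brenden = "brenden"

[source::WinEventLog:Microsoft-Windows-Windows Defender/Operational]
EVAL-brenden_by_source = "brenden"
"""

# Constructed sample event metadata (source and index-time sourcetype are the same string here).
SAMPLE_SOURCE = "WinEventLog:Microsoft-Windows-Windows Defender/Operational"
SAMPLE_SOURCETYPE = "WinEventLog:Microsoft-Windows-Windows Defender/Operational"


def load_props(text):
    """Parse props.conf text into {stanza_name: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # preserve "EVAL-fieldname" case
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def _glob_to_regex(pattern):
    """Translate Splunk source::/host:: wildcards into an anchored regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out += ".*"            # '...' spans any characters, including separators
            i += 3
        elif pattern[i] == "*":
            out += "[^/\\\\]*"     # '*' stops at a path separator
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def stanza_matches(name, source, sourcetype, host):
    """Decide whether one stanza applies to an event with the given metadata."""
    if name.startswith("source::"):
        return _glob_to_regex(name[len("source::"):]).match(source) is not None
    if name.startswith("host::"):
        return _glob_to_regex(name[len("host::"):]).match(host) is not None
    return name == sourcetype  # no prefix: exact sourcetype match


def effective_sourcetype(props, sourcetype):
    """Apply a `rename` from the index-time sourcetype's stanza, if any."""
    return props.get(sourcetype, {}).get("rename", sourcetype)


def applicable_evals(props, source, sourcetype, host=""):
    """Return (search-time sourcetype, {field: expression}) for the EVALs that apply."""
    st = effective_sourcetype(props, sourcetype)
    evals = {}
    for name, settings in props.items():
        if not stanza_matches(name, source, st, host):
            continue
        for key, value in settings.items():
            if key.startswith("EVAL-"):
                evals[key[len("EVAL-"):]] = value
    return st, evals


if __name__ == "__main__":
    props = load_props(PROPS_CONF)
    st, evals = applicable_evals(props, SAMPLE_SOURCE, SAMPLE_SOURCETYPE)
    print("search-time sourcetype:", st)
    for name, expr in evals.items():
        print(f"  EVAL applied: {name} = {expr}")
```

Run as-is, the sourcetype stanza's `EVAL-brenden` is dropped because the event's search-time sourcetype has become `wineventlog`, and only `EVAL-brenden_by_source` from the `source::` stanza survives, which is the behaviour the fix above relies on. The same check is useful when a TA's EVALs silently vanish: look in the btool output for a `rename` on the sourcetype before assuming the EVAL expression itself is wrong.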

bmorgenthaler
Path Finder

@martynoconnor So I've removed most of the EVALs and have a single static value one configured. Here is the btool props list for the sourcetype, notice the single eval (EVAL-brenden) from TA-windefender/local/props.conf.

/opt/splunk/bin$ ./splunk btool props list "WinEventLog:Microsoft-Windows-Windows Defender/Operational" --debug

/opt/splunk/etc/apps/TA-windefender/local/props.conf      [WinEventLog:Microsoft-Windows-Windows Defender/Operational]
/opt/splunk/etc/system/default/props.conf                 ADD_EXTRA_TIME_FIELDS = True
/opt/splunk/etc/system/default/props.conf                 ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf                 AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf                 BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf                 BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf                 CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf                 DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf                 DEPTH_LIMIT = 1000
/opt/splunk/etc/apps/TA-windefender/local/props.conf      EVAL-brenden = "brenden"
/opt/splunk/etc/system/default/props.conf                 HEADER_MODE =
/opt/splunk/etc/system/default/props.conf                 LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf                 LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf                 LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf                 MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf                 MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf                 MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf                 MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf                 MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf                 MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf                 MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf                 MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf                 MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf                 MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf                 SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf                 SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf                 SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf                 SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf                 SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf                 SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf                 SHOULD_LINEMERGE = True
/opt/splunk/etc/system/default/props.conf                 TRANSFORMS =
/opt/splunk/etc/system/default/props.conf                 TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf                 detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf                 maxDist = 100
/opt/splunk/etc/system/default/props.conf                 priority =
/opt/splunk/etc/apps/Splunk_TA_windows/default/props.conf rename = wineventlog
/opt/splunk/etc/system/default/props.conf                 sourcetype =

My props.conf looks like so:

[WinEventLog:Microsoft-Windows-Windows Defender/Operational]
EVAL-brenden = "brenden"

0 Karma

martynoconnor
Communicator

Do you have the actual EVAL statement? If an EVAL is applied but doesn't actually evaluate out because of a no match or the logic doesn't function as expected, then you wouldn't see anything in your results.

If the EVAL is sensitive, can you post a sanitised version of it?

0 Karma

bmorgenthaler
Path Finder

That would be helpful now, wouldn't it.

0 Karma