Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jeanyvesnolen
jeanyvesnolen
Path Finder
Member since:
03-28-2017
08-04-2020
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 4 |
| Member Since | 03-28-2017 |
Activity Feed
- Got Karma for Re: Python script errors(code 255) and Invalid start time errors. 06-05-2020 12:50 AM
- Karma Re: Field reference in search (Not in dashboard) (i.e. Token replacement in search) for micahkemp. 06-05-2020 12:49 AM
- Got Karma for Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen. 06-05-2020 12:49 AM
- Got Karma for Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen. 06-05-2020 12:49 AM
- Got Karma for Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen. 06-05-2020 12:49 AM
- Karma Is it possible to get a list of available indices? for flo_cognosec. 06-05-2020 12:46 AM
- Posted Re: Call for review - Chrome/Firefox Extension to format XML Logs on Getting Data In. 05-27-2020 05:56 AM
- Posted Re: Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen on Splunk Enterprise Security. 08-05-2019 12:58 AM
- Posted Call for review - Chrome/Firefox Extension to format XML Logs on Getting Data In. 04-02-2019 02:47 AM
- Tagged Call for review - Chrome/Firefox Extension to format XML Logs on Getting Data In. 04-02-2019 02:47 AM
- Tagged Call for review - Chrome/Firefox Extension to format XML Logs on Getting Data In. 04-02-2019 02:47 AM
- Posted Re: Python script errors(code 255) and Invalid start time errors on All Apps and Add-ons. 03-07-2019 02:23 AM
- Posted Re: Splunk Support for Active Directory: "SSLError at "/opt/splunk/lib/python2.7/ssl.py"...sslv3 alert handshake failure" on All Apps and Add-ons. 04-03-2018 06:31 AM
- Posted Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen on Splunk Enterprise Security. 04-03-2018 03:58 AM
- Tagged Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen on Splunk Enterprise Security. 04-03-2018 03:58 AM
- Tagged Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen on Splunk Enterprise Security. 04-03-2018 03:58 AM
- Tagged Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen on Splunk Enterprise Security. 04-03-2018 03:58 AM
- Tagged Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen on Splunk Enterprise Security. 04-03-2018 03:58 AM
- Tagged Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen on Splunk Enterprise Security. 04-03-2018 03:58 AM
- Posted Re: Field reference in search (Not in dashboard) (i.e. Token replacement in search) on Splunk Search. 02-06-2018 02:37 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 3 | |||
| 0 | |||
| 0 |
05-27-2020
05:56 AM
Hello everyone !
I'm please to announce that the extension has been release in version 2.3
It's currently passing the vetting process for both chrome and firefox.
Moreover the extension have been tested (by me) on the following browser
Chrome
OperaGX
Firefox
Feel free to test it, review it and it's page in order to increase its score because right now it's a bit low (maybe some bug in previous version but no more clues)
If you find any bugs :
- Open an issue on github or email me at jynolen+github@gmail.com with the following info (version of splunk you use) and if possible raw value of the xml you try to format (be sure to anomyse it before)
Thanks !
... View more
08-05-2019
12:58 AM
Hello !
The lookup is generated by the saved search "Identity - Asset CIDR Matches - Lookup Gen"
| `asset_sources` | `make_assets_cidr` | outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr | stats count
The main issue you will get is that the saved search will overide qny content of asset_lookup_by_cidr (because there is no append=t in the query)
If you want to know exactly the format of the csv I think the best option you got is to hqve a look at "make_assets" macro which is
fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | `ubi_rewrite_ips` | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields`
The what you are looking for is *| fields asset_key_field , asset_fields *
You will get the following after resolve all macros :
key, ip, mac,nt_host,dns, owner,priority,lat,long,city,country,bunit,category,pci_domain, is_expected, should_timesync, should_update, requires_av
the key field is the following : key=sha1(strcat( ip,mac,nt_host,dns))
Thanks to the doc(link text) you will hqve the correct format for each field.
... View more
04-02-2019
02:47 AM
Hello everyone,
I published a chrome/firefox extension to format XML Based Events and i want to share it with you. All source code is public and can be found here : https://github.com/jynolen/splunk_xml_formatter/ Feel free to open issues if any bugs etc.
The aim of the extension is to provide event formating for XML in the json-ish event based way.
Here the link for chrome and firefox: https://chrome.google.com/webstore/detail/splunk-xml-formatter/gdhdfmebcdkblbmpbmndclndfdpkcmnb https://addons.mozilla.org/fr/firefox/addon/splunk-xml-formatter/
Just for exemple here the difference before / after
... View more
Labels
- Labels:
-
XML
03-07-2019
02:23 AM
1 Karma
I found the issue here
In file management_activity.py line 119
now = self._now()
end_time = datetime.utcfromtimestamp(now)
start_time = end_time - timedelta(days=7)
The problem is that the time of performing all ranges of
self._normalize_time_range(start_time, end_time)
the latest time-range startTime is greater than 7 days
The workarround here is to set_up a control in portal.py line 126
--- a/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py
+++ b/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py
@@ -126,6 +126,10 @@ class O365Subscription(O365Portal):
def list_available_content(self, session, start_time, end_time):
for _start_time, _end_time in self._normalize_time_range(start_time, end_time):
items = list()
+ min_start_date = datetime.utcnow() - timedelta(days=7) + timedelta(minutes=1)
+ _start_time = max(min_start_date, _start_time)
+ if _end_time < min_start_date:
+ yield []
response = self._list_available_content(session, _start_time, _end_time)
while True:
array = response.json()
I have put
datetime.utcnow() - timedelta(days=7) + timedelta(minutes=1)
To be sure that the API will receive a not outdate startTime a avoid traffic impact
if _end_time < min_start_date:
yield []
Is here to be sure that the script will not query for an invalid range (if endTime is before the limit of 7 days no need no query this range)
Hope this helps
_time ContentType endTime startTime
**2019-03-07 11:15:00.105** Audit.Exchange 2019-02-28T12:06:18 **2019-02-28T11:16:00**
2019-03-07 11:14:52.109 Audit.Exchange 2019-02-28T13:06:18 2019-02-28T12:06:18
2019-03-07 11:14:44.943 Audit.Exchange 2019-02-28T14:06:18 2019-02-28T13:06:18
2019-03-07 11:14:39.220 Audit.Exchange 2019-02-28T15:06:18 2019-02-28T14:06:18
2019-03-07 11:14:31.087 Audit.Exchange 2019-02-28T16:06:18 2019-02-28T15:06:18
2019-03-07 11:14:24.550 Audit.Exchange 2019-02-28T17:06:18 2019-02-28T16:06:18
2019-03-07 11:14:23.513 Audit.Exchange 2019-02-28T18:06:18 2019-02-28T17:06:18
2019-03-07 11:14:23.043 Audit.Exchange 2019-02-28T19:06:18 2019-02-28T18:06:18
2019-03-07 11:14:22.062 Audit.Exchange 2019-02-28T20:06:18 2019-02-28T19:06:18
2019-03-07 11:14:20.283 Audit.Exchange 2019-02-28T21:06:18 2019-02-28T20:06:18
2019-03-07 11:14:17.829 Audit.Exchange 2019-02-28T22:06:18 2019-02-28T21:06:18
2019-03-07 11:14:15.291 Audit.Exchange 2019-02-28T23:06:18 2019-02-28T22:06:18
2019-03-07 11:14:13.837 Audit.Exchange 2019-03-01T00:06:18 2019-02-28T23:06:18
2019-03-07 11:14:11.430 Audit.Exchange 2019-03-01T01:06:18 2019-03-01T00:06:18
2019-03-07 11:14:10.963 Audit.Exchange 2019-03-01T02:06:18 2019-03-01T01:06:18
2019-03-07 11:14:09.427 Audit.Exchange 2019-03-01T03:06:18 2019-03-01T02:06:18
2019-03-07 11:14:09.080 Audit.Exchange 2019-03-01T04:06:18 2019-03-01T03:06:18
2019-03-07 11:14:08.340 Audit.Exchange 2019-03-01T05:06:18 2019-03-01T04:06:18
2019-03-07 11:14:06.699 Audit.Exchange 2019-03-01T06:06:18 2019-03-01T05:06:18
2019-03-07 11:14:04.601 Audit.Exchange 2019-03-01T07:06:18 2019-03-01T06:06:18
... View more
04-03-2018
06:31 AM
Maybe an issue with the rootca, is-it different between the file content in
[sslConfig]
sslRootCAPath=<path>
... View more
04-03-2018
03:58 AM
3 Karma
Hello,
We have issues to merge our dhcp_asset_list (made of dns record, mac and ip address) into the Asset & Identity Management subsystem.
I realize that there is a condition into a macro (I rebuilt the macro tree to be clear).
SA-IdentityManagement - Identity - Asset CIDR Matches - Lookup Gen
| `asset_sources`
| `make_assets_cidr`
| outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr
====
| `asset_sources`
| `make_assets` | eval `asset_key_field`=mvfilter(match(`asset_key_field`, `ipv4_cidr_regex`)) | where isnotnull(`asset_key_field`)
| outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr
====
| `asset_sources`
| fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields`
| eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
| outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr
But the command expandiprange ip
Transforms fully qualified cidr like “192.168.1.1/32” into single IP "192.168.1.1" with not match the followed regex.
So if I do the following request (without expandiprange ) it works:
| makeresults | eval ip="192.168.10.20/32" |rename ip as key | eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
But with expandiprange it doesn’t work:
| makeresults | eval ip="192.168.10.20/32" | expandiprange ip |rename ip as key | eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
No results found.
As a workaround we have overridden the macro in one of our apps, but could you update the SA-IdentityManagement apps
Thank you.
... View more
02-06-2018
02:37 AM
As an aprovement I've done the folowing in order to "not" be confused by regex syntax
| eval rule_title=replace(rule_title,"\$","§")
| rename rule_title as TicketShort | foreach * [
| eval TicketShort=if(match(TicketShort, "§< >§"), replace(TicketShort, "§< >§",< >),TicketShort)
]
... View more
02-01-2018
01:51 AM
You can change to
\#!/bin/bash
To
#!/bin/bash
And
echo curl -H $curl \
-X $post \
-d $MESSAGE \
$url >> "/opt/splunk/bin/scripts/splunk-hiptest.out"
Should be
curl -H $curl \
-X $post \
-d $MESSAGE \
-o "/opt/splunk/bin/scripts/splunk-hiptest.out" \
$url
curl_exit_code=$?
echo $curl_exit_code >> /opt/splunk/bin/scripts/splunk-hiptest.out
exit $curl_exit_code
... View more
02-01-2018
01:41 AM
To reduce DC memory impact you can change
[stats]
dc_digest_bits=9
But the result can be approximative =/
limits.conf reference
... View more
02-01-2018
01:30 AM
(PS : I have to find the command to complete the "<>"
... View more
02-01-2018
01:29 AM
Hello,
I try with no success since here to do something like :
| makeresults | eval super_important_field="super_important_value"| eval Rule_Tile="Some interesting Rule Title about $super_important_field$" | <<SOMETHING>>
To at the end got a fields containing :
"Some interesting Rule Title about some_super_important_value"
Just like token replacement in dashboard but in search.
... View more
03-28-2017
05:42 AM
For now, I don't have the time to try it
I'll try in a soon future and keep you update
... View more
03-28-2017
02:52 AM
You could use a scripted lookup with a small python script doing conversion
transforms.conf
[hex_converter]
external_cmd = hex_converter.py hexstring floatnum
fields_list = hexstring , floatnum
You can after use it with (if number_hex is your field)
| lookup hex_converter hexstring AS number_hex
And you can run it automatically if you want see (automatic lookup)
... View more
03-28-2017
02:44 AM
Hello All !
I ask myself what is the best approach to extract all fields of logs with regex in general.
I speak here of Search Time Extraction.
Is it better for performance to write 1 BIG regex with all capturing groups in a TRANSFORMS like
<props>
[bar]
TRANSFORM-foo_props = foo
<Transform>
[foo]
SOURCE_KEY = _raw
REGEX = .+?\,(.+?)\,(.+?)\,(+?)\,(\w{1,25}.+?)\,(.+?)\,(.+?)\,(.+?)\,(.+?)\,(.+?)\,(.+?)\,(.+?)\,(*)
FORMAT = src::$1, user::$2, http_user_agent::$3 ........... custom_tag::$11
Or multiple light REGEX like
<props>
[bar]
EXTRACT-foo_src = (?:.+?\,){1}(?P<src>.+?),
EXTRACT-foo_user = (?:.+?\,){2}(?P<user>.+?),
EXTRACT-foo_http_user = (?:.+?\,){3},(?P<http_user_agent>.+?
....
EXTRACT-foo_http_user = (?:.+?\,){11},(?P<custom_tag>.+?)
The regex is just an exemple, no need to comment it !
Thank you
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-04-2020
09:34 AM
|
