Hi Everyone  I am trying to create an investigation in ES using SPL. Since ES is most work as lookup/kvstore, so I try to run the following SPL | makeresults | eval class_name="investigation", collaborators="[{\"name\": \"AAAAAA\", \"write\": true}, {\"name\": \"BBBBBB\", \"write\": true}]", create_time=1668731443, creator="CCCCCC", description="DDDDDDD", mod_time=1668731608, status="[{\"name\": \"In Progress\", \"time\": 1668739809, \"id\": \"investigation:2\"}]", title="EEEEEEE", version=1, comments="[]", tags="[]" | table class_name, collaborators, create_time, creator, description, mod_time, status, title, version, comments, tags | outputlookup append=true investigation I am able to add an entry in the KV store, but when I load the investigation tab in ES is breaks and appear Error as "Expect an array" and not able to load the page   Has anyone done this before?   Is that the right way, or is there another way to use SPL to create an investigation?            ... View more

Hi Everyone I have a some standard Windows log that is not in English, when I get the data in how can I translate it into English. Does Splunk can do this translation? Should it be done in the parsing phase when data getting in? Or should it be done in the searching phasing phase when writing correlation search ? Thank you for your help Cheers   ... View more

Hi Everyone I am trying to detect RDP connection to a remote host. I read up some web post suggests looking for 4624 with logon type 10 event. I made an RDP to a remote host, however all 4624 evens I can see is logon type 3. Then I realize 4624 events can be collected from 3 places The workstation where the user phycially present The AD: where the authentication takes place The remote host: where the user wants to log in, which is the destination host. I am wondering whether the logon type 10 events only occur on the remote host and on the AD log the 4624 event will have logon type 3 instead. Anyone has come across this kind of situation before? Thank you for the help. Cheers Linsong ... View more

This question may not 100% related with Splunk but I am sure Splunker had done this many times so I thought I will just ask I want to identify the real destination when user logon a host using authenticate through DC like Kerobers or NTLM. I looked at event 4624, 4768,4771 on the DC log, they only have real src information, but I cant find the real dest information in these event. Is there another event I should look at or it is some field is missing on these events? my example as below user A using host A to logon to host C by go through DC B. and I only collect log at DC B, so I want to know how to identify the host C information from the log in this scenario. Thank you in advanced. ... View more

Hi Everyone, I am practicing the event and having problem doing search on the dataset. When I just search the answer, I can see the event, but when I use Splunk search query, the answer is not appearing for some reason. Question: What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with extension (For example "notepad.exe" or "favicon.ico") Answer is poisonivy-is-coming-for-you-batman.jpeg so if I just search poisonivy-is-coming-for-you-batman.jpeg it gives me two events However when I do search sourcetype=suricata src_ip=192.168.250.70 | table url | search url=*batman* it does not give me that event and this happens to a lot of questions. Any suggestions of what is happening? updated to mark code for you - dmj ... View more

Hi I have a field with following value 16/08/2018 03:04:11 - Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine 10/08/2018 07:11:53 - Christian (Work notes) Remote Desktop Notes: - machine is offline - 08/08/2018 01:11:53 - Sam (Work notes) Remote Desktop Notes: - machine is comprimised This is all job comments relate with the work and I want to get the last comment only of the job which will be the string between the first and second timestamps - Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine I tried use following regex in regex101.com, it seems works fine. ^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.+?(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s)) But when I put the rex into the query it does not return anything ... | rex field=work_notes "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.+?(?=\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s))" | table number lastcomment so I am doing some testing and find the problem is splunk miss reading the ")" as if I do following query ... rex field=work_notes "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.*)" | table number lastcomment it return as Christian (Work notes) instead of the whole string as what ".*" expect to do Christian (Work notes) Remote Desktop Notes: - still unable to remote in to the machine 10/08/2018 07:11:53 - Christian (Work notes) Remote Desktop Notes: - machine is offline - 08/08/2018 01:11:53 - Sam (Work notes) Remote Desktop Notes: - machine is comprimised and if I put space between * and ) like below ...| rex field=work_notes "^\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s-\s(?<lastcomment>.* )" | table number lastcomment it will return as Christian (Work Sorry for the long post, any suggestion what is going on there? ... View more