I have events like so:     {"action": {"result": true, "type": "login"}, "actor": {"email": "test.email@domain.tld", "id": "0123456789abcdef0123456789abcdef", "ip": "1.2.3.4", "type": "user"}, "id": "01234567-89ab-cdef-0123-456789abcdef", "newValue": "audit", "oldValue": "review", "owner": {"id": "fedcba9876543210fedcba9876543210"}, "when": "2023-04-21T18:52:32Z", "account_name": "test_account"}     The props.conf file is as so:     [cloudflare_audit] NO_BINARY_CHECK=true INDEXED_EXTRACTIONS=JSON TIMESTAMP_FIELDS=when disabled=false pulldown_type=true     When I do this, I wind up with two records per event, split at that TIME_PREFIX setting, each record with the time found in "when". Things I've tried so far, based on the above: Adding "KV_MODE=none" -- The event is parsed as JSON, but the time is ignored Adding "TIME_PREFIX=when": "" and LINE_BREAKER=}$ -- The event is split on "when", again Removing "INDEXED_EXTRACTIONS=true" and adding "AUTO_KV_JSON=true" -- The event is parsed as JSON, but the time is ignored Two questions: How can I fix this so that it pulls in the timefield correctly, without any splitting of the JSON object? Why is it so difficult to ingest JSON logs? ... View more

We have this script in the Splunk_TA_windows_v8 app directory named nt6-repl-stat.ps1. I'm seeing a lot of errors in our _internal index around it. When I piece the errors together, I get: . : The term 'C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\bin\powershell\nt6-repl-stat.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:3 + . 'C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windo ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (C:\Program File...6-repl-stat.ps1:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException What am I missing here? ... View more

As the question says: can a Universal Forwarder report an internal IP? It can clearly report the external IP, but that's not useful to me. ... View more

I installed the app CrowdStrike Falcon Intelligence Add-on on our Splunk heavy forwarder. I attempted to configure it, but the configure page doesn't load at all. When I check the browser's console, I see: External handler failed with code '1' and output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - cannot concatenate 'str' and 'NoneType' objects'. See splunkd.log for stderr output. From splunkd.log: 06-01-2020 11:46:55.999 +0000 ERROR AdminManagerExternal - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/splunktaucclib/rest_handler/handler.py", line 113, in wrapper for name, data, acl in meth(self, *args, **kwargs): File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/splunktaucclib/rest_handler/handler.py", line 299, in _format_response masked = self.rest_credentials.decrypt_for_get(name, data) File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/splunktaucclib/rest_handler/credentials.py", line 184, in decrypt_for_get clear_password = self._get(name) File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/splunktaucclib/rest_handler/credentials.py", line 389, in _get string = mgr.get_password(user=context.username()) File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/solnlib/utils.py", line 154, in wrapper return func(*args, **kwargs) File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/solnlib/credentials.py", line 118, in get_password all_passwords = self._get_all_passwords() File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/solnlib/utils.py", line 154, in wrapper return func(*args, **kwargs) File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/solnlib/credentials.py", line 272, in _get_all_passwords clear_password += field_clear[index] TypeError: cannot concatenate 'str' and 'NoneType' objects ". See splunkd.log for more details. I tried installing the app on my local trial version of Splunk Enterprise, and the configure page loads, and I'm able to add the streaming API key and secret successfully. I tried being hacky and copying my local passwords.conf file onto the heavy forwarder server in the same path/location, and making sure the file permissions were the same, to no avail. The config page still doesn't load, and the app still isn't configured. What am I missing? (Updated: My bad, there are multiple CrowdStrike issues.) ... View more

The context: We have an integration between a tool and AD using agents. Every so often, the tool reports that the agent disconnected, and then about 5-20 minutes later, it'll say the agent reconnected. I already have a search that uses transaction to get me what I need in general, but it's not quite what I'm looking for. The draft: index="connector" eventType="ad.agent.connect" | rex field=target "\"displayName\": \"(?<agent>[^\"]+)\".+" | transaction agent startswith="ad.agent.disconnected" endswith="ad.agent.reconnected" | table _time, displayMessage, agent | sort _time What I actually want: Only events that do not have an event "ad.agent.reconnected" within 30 minutes of the "ad.agent.disconnected" event. maxspan isn't doing it for me; I need something more like minspan , or invert=true , or something. The agent name isn't unique enough to go "if you never see this field again". Help? ... View more

I'm running this search: | rest/servicesNS/-/-/saved/searches | search disabled=0 AND is_scheduled=1 AND eai:acl.sharing!="user" AND alert_type!="always" | fields title author actions action.email.to | sort title One of the results I get back shows the actions as "email, sendmn". However, I can't find any correlation between "sendmn" and anything about the alert it's related to. What does this field refer to? ... View more

The context: I'm looking for sensitive information patterns showing up in the IIS sourcetype that we have. What I can already do: I can run this search: sourcetype="iis" | rex field=_raw "[^(^|[0-9])](?<ccmaybe>(5[1-5][0-9]{14})|(4[0-9]{12}([0-9]{3})?)|(3[47][0-9]{13})|(6011[0-9]{12})|((30[0-5]|36[0-9]|38[0-9])[0-9]{11}))" | search ccmaybe!="" | table ccmaybe What I need is the field this shows up in, largely so I can exclude known fields that will never have that data. But I do not at all want to specify each and every field that are in IIS logs: partly because that query would be tremendous, and partly because what if we add items to the logs? What should I do? [edit 9/11] Updating with an example: 2018-09-11 18:25:33 172.0.0.1 GET /App/Admin/Login.aspx - 443 - 192.168.0.1 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_13_6)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/69.0.3497.81+Safari/537.36 - 302 0 0 0 127.0.0.1 1234567890abcdef-ABC - - TLSv1.2 The problem I'm having is, I want to search each field for anything that might have CC data, but I want to do this searching against the extracted fields, not against the raw data. I tried using the Luhn Splunk add-on, but it parses the entire raw log without spaces, which lumps everything together regardless of field. ... View more

I'm searching in our IIS logs. I'm looking for a web POST action. The problem is that this POST action happens after one gets to the object page, which is indicated with a URL parameter. So like, example data: _time x_uid cs_method cs_Referer cs_uri_stem cs_uri_query 2018-04-10 12:01:00 52634 POST http://ref.url/obj/p.htm http://ref.url/obj/p.htm 2018-04-10 12:00:30 52634 GET http://ref.url/obj http://ref.url/obj/p.htm 2018-04-10 12:00:00 52634 GET http://ref.url http://ref.url/obj ?id=123 The criteria I need to find is all times when someone POSTs on that specific page. What I want to also get is what ID was posted against (123, in the above example). Is that possible? I'm trying to read up on transactions and maps, but I'm not getting it. ... View more