Hi @gcusello . Thanks very much for the help, in the end I went with... ... severity="Critical"   | eventstats count(ID) AS countID by severity, Name   | eval name_count=Name." (".countID.")"   | rex field=name_count "\((?<newcountID>\d+)\)$"  | stats count by name_count, newcountID  | sort – newcountID  | fields - newcountID, count  | rename name_count AS "Signatures (count)"  ... View more

Hi @gcusello , here's my full search... ... severity IN ("Critical", "High", "Medium") | eventstats count(ID) AS countID by severity, Name | eval name_count=Name." (".countID.")" | stats values(name_count) AS Signatures by severity | rex field=Signatures "\((?<countID>\d+)\)$" | sort severity, -countID | fields - countID   Unfortunately, due to the nature of the information, I can't share the results but I can tell you that the order of the Signatures column hasn't changed. I've even kept the countID column in and the numbers aren't sorted. I've tried "| sort severity, -num(countID)" as well but it does nothing.   ... View more

Thanks for the pointers @gcusello . I've used what you've provided and I can extract the 'countID' value but when I try to sort by it all it does is sort the severity column and doesn't appear to do anything with the Signatures one. ... View more

I think that's what I'll be doing. Thanks very much for the help @richgalloway . ... View more

Hi @richgalloway , based on your reply I've had a stab at extracting the values from _raw via rex using the below (ignore the non-CIM-compliant names for now)... | rex field=_raw "(\"filterType\":\"Connection hostname\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?<conn_host>[a-z0-9_\.-]+)\"\}\}\,\{\"cfid\"|\"filterType\":\"Message\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?<msg>[a-z0-9_\.-]+)\"\}\}\,\{\"cfid\"|\"filterType\":\"Internal source device name\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?<src_new>[a-z0-9_\.-]+)\"\}\}\,\{\"cfid\"|\"filterType\":\"Internal destination device name\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?<dest_new>[a-z0-9_\.-]+)\"\}\}\,\{\"cfid\"|\"filterType\":\"Destination IP\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))|\"filterType\":\"Destination port\"\,\"arguments\":\{\}\,\"comparatorType\":\"display\"\,\"trigger\":\{\"value\":\"(?<dest_port>\d+))" Unfortunately this is resulting in only one of the above fields being extracted for each event. I had hoped to avoid doing multiple individual rex's against _raw by putting each expression with a capture group (...|...|...). Am I missing some clever syntax here or is it just not possible? ... View more

Thanks for replying @richgalloway , the events come from an anomaly detection system and look like this (raw) - I've had to redact it quite heavily, hopefully it will still be of some use:  {"creationTime":...,"breachUrl":"https://.../.../...","commentCount":0,"pbid":1315000,"time":...,"model":{"name":"Compromise::Watched Domain","pid":11,"phid":8116,"uuid":"...","logic":{"data":[{"cid":14400,"weight":1},{"cid":14401,"weight":1},{"cid":14402,"weight":1},{"cid":14403,"weight":1}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":3600,"sharedEndpoints":false,"actions":{"alert":true,"...":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["..."],"interval":3600,"sequenced":false,"active":true,"modified":"...","activeTimes":{"devices":{"93657":[{}],"2830":[{}],"636":[{}],"2957":[{}],"52344":[{}],"4329":[{}],"913":[{}],"44":[{}]},"tags":{},"type":"exclusions","version":2},"priority":5,"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"...","behaviour":"decreasing","defeats":[],"created":{"by":"..."},"edited":{"by":"...","userID"...},"version":24},"triggeredComponents":[{"time":...,"cbid":...,"cid":14400,"chid":25028,"size":1,"threshold":0,"interval":3600,"logic":{...}}}}},"version":"v..."},"metric":{"mlid":220,"name":"...","label":"Watched Domain"},"triggeredFilters":[{"cfid":111671,"id":"A","filterType":"Watched endpoint source","arguments":{"value":".+"},"comparatorType":"does not match regular expression","trigger":{"value":""}},{"cfid":111673,"id":"C","filterType":"Direction","arguments":{"value":"out"},"comparatorType":"is","trigger":{"value":"out"}},{"cfid":111675,"id":"E","filterType":"Internal source device type","arguments":{"value":"12"},"comparatorType":"is not","trigger":{"value":"Server"}},{"cfid":111676,"id":"d1","filterType":"Internal source device type","arguments":{},"comparatorType":"display","trigger":{"value":"Server"}},{"cfid":111677,"id":"d2","filterType":"Connection hostname","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":111678,"id":"d3","filterType":"Destination IP","arguments":{},"comparatorType":"display","trigger":{"value":"1.2.3.4"}},{"cfid":111679,"id":"d4","filterType":"ASN","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":111680,"id":"d5","filterType":"Country","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":111681,"id":"d6","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"politicweekend.com"}},{"cfid":111682,"id":"d7","filterType":"Watched endpoint","arguments":{},"comparatorType":"display","trigger":{"value":"true"}},{"cfid":111683,"id":"d8","filterType":"Watched endpoint source","arguments":{},"comparatorType":"display","trigger":{"value":""}}]}],"score":0.161,"device":{"did":74376,"ip":"5.6.7.8","ips":[{"ip":"5.6.7.8","timems":...,"time":"...","sid":512731}],"sid":512731,"firstSeen":...,"lastSeen":...,"devicelabel":"...","typename":"server","typelabel":"Server"}}   There's nothing wrong with my inline search. I'm trying to make the events CIM-compliant and fields like dest are contained in this new_trig mv field that I've spath'd and then regex'd out. So I want the CIM fields to be present in the index so things like the Intrusion Detection data model can be populated for use by Enterprise Security. Also, the regex's will differ according to the detection model that has been breached, i.e. the actual destination for an event might be called something different in 'trigger_name' according to the model being breached. ... View more

Hi @rnowitzki , thanks very much for the reply, I've used @ITWhisperer 's method and it's got me halfway there now. ... View more

Thanks very much @ITWhisperer , I should have spent more time looking at the mv eval functions, that's worked a treat. Now for the hard part... I now have an mv field containing thousands of details for each model breach, but because each model looks at different connections/activity, the src and dest information will be called different things (e.g. "Connection hostname:<value>", "Destination IP:<value>","Internal source device name:<value>" and so on). What would be the best way to extract those src and dest values (once I've obviously determined the correct name depending on which model is being breached - there's going to be 50+ models I'll have to do this for)? My search currently looks like this... ... | spath output=trigger_name path=triggeredComponents{}.triggeredFilters{}.filterType | spath output=trigger_value path=triggeredComponents{}.triggeredFilters{}.trigger.value | eval new_trig=mvzip(trigger_name,trigger_value,":") | stats count by model.name, new_trig Once I've got the matching src and dest fields for each model, where & how would I perform these extractions at search/index time? I already have a TA for the data, would I put it in props.conf, inputs.conf or somewhere else? Thanks again!  🙂 ... View more

Thanks @richgalloway that's worked! ... View more

Ah okay, thanks. Any suggestions on how I can accomplish my goal? ... View more

Hi, do you have any further details of the python script you mention? As far as I can see it doesn't already exist within the Azure AD TA. Has anyone else done this? Thanks in advance. ... View more

Hello everyone, Just wondering if, 10 years since this question was first asked, anyone has found a better solution for exporting custom visualisations to PDF? Thanks! ... View more

I also need to know this. I'm struggling to extract the 'CommandLine' field as everything below the 'RunspaceId' is missing when I try to extract new fields. I'm looking at event ID's 500 & 501 and using the app Splunk_TA_windows. UPDATE I think I've managed it by using the following in-line regex... | rex field="Message" ".CommandLine=(?.$)" ... View more

No, from reading the Splunk Docs it doesn't appear possible in this version. Happy to be proven wrong though... ... View more

Ah thanks FrankVI. From the looks of your screenshot you must be using a more-up-to-date version of DB Connect than me (2.4.0). Maybe time I did an upgrade! ... View more