cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
jnames10
Explorer
Member since: ‎08-27-2018
‎10-12-2021
Community Statistics
Posts 7
Solutions 0
Karma Given 3
Karma Received 2
Member Since ‎08-27-2018
Activity Feed
View All

Re: ingesting nmap xml output

by in Splunk Search
‎10-12-2021 02:53 PM
‎10-12-2021 02:53 PM
@PickleRickthanks for taking the time to do that. I fired up Splunk Enterprise and tried it and ok first time like you said. There is a complication around with my Splunk Cloud or just Splunk Cloud. Will do some more fiddling! Thanks again. ... View more

Re: ingesting nmap xml output

by in Splunk Search
‎10-12-2021 02:51 PM
‎10-12-2021 02:51 PM
@kamlesh_vaghelathank you very much for that. i was very helpful! I am able to build some tables. It looks like Splunk Cloud is treating the XML input differently and not importing it in the same way as Splunk Enterprise. I am still fiddling to try and get it working but the regex you've done is really appreciated! Thank you! ... View more

Re: ingesting nmap xml output

by in Splunk Search
‎10-11-2021 05:04 AM
‎10-11-2021 05:04 AM
I am jealous! Can you share the source type settings or did you just accept the auto/defaults? any changes to line breaking or kv_mode? Thanks! ... View more

Re: ingesting nmap xml output

by in Splunk Search
‎10-09-2021 11:17 AM
‎10-09-2021 11:17 AM
Hi Kamlesh, Thanks for taking a look. I wondered if it might have to be search time extraction. The fields would be addr, name, portid, state Ideally I want to end up with output I can go on to use in further searches, so if I had a table like below I could outputlookup it into a lookup table to use again. addr name portid state portid state portid state and on for each portid value in event 81.123.123.123 host.name.resolved.com 21 filtered 22 open 23 open                       or would I be better to have it like this?: addr name portid state 81.123.123.123 host.name.resolved.com 21 filtered 81.123.123.123 host.name.resolved.com 22 open 81.123.123.123 host.name.resolved.com 23 open next ip next name etc etc      thanks again ... View more

ingesting nmap xml output

by in Splunk Search
‎10-07-2021 03:18 PM
1 Karma
‎10-07-2021 03:18 PM
1 Karma
I have been trying to get nmap output into Splunk. I thought the xml output would be nice and straightforward! Whilst the events are separated, the issue is having multiple values of the same field in an event. automatic field extractions pick up the first <port... section but the rest are ignored. I tried using KV_MODE=xml but that didn't make a difference. I thought Splunk was quite happy pulling in multi values with xml but maybe its not quite the xml Splunk is expecting. I am on Splunk Cloud so cli changes are not an option. Any pointers appreciated! Thanks.      <host starttime="1633560153" endtime="1633560291"><status state="up" reason="timestamp-reply" reason_ttl="34"/> <address addr="81.123.123.123" addrtype="ipv4"/> <hostnames> <hostname name="host.name.resolved.com" type="PTR"/> </hostnames> <ports><port protocol="tcp" portid="21"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="ftp" method="table" conf="3"/></port> <port protocol="tcp" portid="22"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="ssh" method="table" conf="3"/></port> <port protocol="tcp" portid="23"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="telnet" method="table" conf="3"/></port> <port protocol="tcp" portid="80"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="http" method="table" conf="3"/></port> <port protocol="tcp" portid="443"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="https" method="table" conf="3"/></port> <port protocol="tcp" portid="8000"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="http-alt" method="table" conf="3"/></port> <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="http-proxy" method="table" conf="3"/></port> <port protocol="tcp" portid="8888"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="sun-answerbook" method="table" conf="3"/></port> </ports> <times srtt="15851" rttvar="15851" to="100000"/> </host>     ... View more
Labels

Re: How do I use date_mday to create a table with ...

by in Splunk Search
‎08-27-2018 01:38 PM
‎08-27-2018 01:38 PM
Brilliant thank you - clearly a newbie question! Didn't think to combine them. Thanks again. ... View more

How do I use date_mday to create a table with mult...

by in Splunk Search
‎08-27-2018 12:45 PM
1 Karma
‎08-27-2018 12:45 PM
1 Karma
Hi Splunkers, newish user here... I'm looking at firewall logs, I want to create a table with number of blocked IP for each day, a cumulative daily average, number of daily block events, average events. I thought this (which works with a single pair of stats/streamstats lines) would work: index=phase1 action=block tag=site1 | stats dc(src) as dailyip by date_mday | streamstats avg(dailyip) as ip_average | stats count as dailyevt by date_mday | streamstats avg(dailyevt) as evt_average | table date_mday, ip_average, dailyip, dailyevt, evt_average and create a table like this.... date_mday ip_average dailyip dailyevt evt_average 4 3082 3082 5 3439 3260.5 6 3578 3366.33 7 4210 3577.25 8 2545 3370.8 But it doesnt work.... It looks like I cannot use date_mday across 2 strings like that? Can someone give me some hints (or a solution!!)? Many thanks. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-12-2021 07:19 PM
Karma from
Karma given to