Back to the Blog

Normalizing Data Fields using Eval and Case

Posted by Krishan Patel on Tuesday, October 13, 2015 - 09:15 Operational Intelligence Splunk, data model, windows, Mapping, Event Codes

BACKGROUND

Lately I’ve been working with a lot of Windows Security logs with different Event Codes. I wanted to set the field “src_user” but Splunk was auto-extracting field value pairs to other field names. This was particularly frustrating because I wanted to map events with different Event Codes to the same data model. In order to map different fields to “src_user,” I would need to normalize the different field names to “src_user.” Below, I go though an example using a case statement that worked perfectly and may be useful to others who come across a similar issue.

...
read more

Splunking Microsoft Windows Firewalls

Posted by Naveed Krabbe on Tuesday, April 14, 2015 - 11:38 Operational Intelligence Splunk, Security, Microsoft, windows, Firewall, Enterprise Security

Intro

Without exception, if you are an experienced security analyst, then you know the importance of firewall logs and the invaluable network traffic related data that they provide. Many of the key strategies of information security revolve around the network traffic of an organization and the rules that govern it. No matter the type of firewall, whether it is a hardware appliance or a software/OS level...

read more

MS Windows, Splunk App for Enterprise Security 3.0 and the Case of the Disappearing Assets and Identities

Posted by Ridwan Ahmed on Friday, March 28, 2014 - 15:33 Operational Intelligence Enterprise Security, ES, Splunk, troubleshooting, windows

Are you wondering where your Assets are?  Why you can't find your identities, perhaps? Are you on Windows? With the recent release of version 3.0, there has been huge improvements in the power of the ES app, and the ease of its use. The Assets and Identities are one of the cornerstones of the ES app, and there is a major change in the way these files operate in ES 3.0 compared to ES 2.4.

Asset management provides additional information about the source and targets of events. This information can be used to correlate multiple events to a single host, identify the location of the host...

read more
Stay In Touch