Troubleshoot configurations with btool

As we know, the Splunk Enterprise configuration file system supports many overlapping configuration files in many different locations/directories. This feature also makes it hard at times to figure out which configuration value Splunk is currently using. The Splunk btool is a command line tool designed to troubleshoot and help with configuration file issues; it can be used to see what values are being used by your Splunk instance. The btool shows you the merged settings in the.

Query = WITH s as (
SELECT
    convert(datetime,SWITCHOFFSET(CONVERT(DATETIMEOFFSET(3), COALESCE(lastactivetime, disc.

Query = with malware as (
SELECT
    m.detectiontime as ,
    'SystemCenterEndpointProtection' AS vendor_product,
    'SecurityIncident' AS ,
    'MalwareInfection' AS action_type,
    m.resourceid,
    sys.Netbios_Name0 as dest_name,
    sys.Resource_Domain_OR_Workgr0 as dest_nt_domain,
    m.detectiontime,
    m.actiontime,
    m.ProductVersion as product_version,
    m.detectionid,
    CASE
        WHEN m.DetectionSource = 0 THEN 'unknown'
        WHEN m.DetectionSource = 1 THEN 'user'
        WHEN m.DetectionSource = 2 THEN 'system'
        WHEN m.DetectionSource = 3 THEN 'realtime'
        WHEN m.DetectionSource = 4 THEN 'ioav'
        WHEN m.DetectionSource = 5 THEN 'nis'
        WHEN m.DetectionSource = 6 THEN 'bho'
    END AS detection_source,
    m.UserName as ,
    m.Process AS target_process,
    m.Path AS file_path,
    ISNULL(metaData.Name,'unknown') AS ,
    ISNULL(sev.Severity,'unknown') AS severity,
    ISNULL(cat.Category,'invalid') AS category,
    CASE
        WHEN CleaningAction = 0 THEN 'unknown'
        WHEN CleaningAction = 1 THEN 'clean'
        WHEN CleaningAction = 2 THEN 'quarantine'
        WHEN CleaningAction = 3 THEN 'remove'
        WHEN CleaningAction = 6 THEN 'allow'
        WHEN CleaningAction = 8 THEN 'userdefined'
        WHEN CleaningAction = 9 THEN 'noaction'
        WHEN m.CleaningAction = 10 THEN N'block'
    END AS action_type,
    CASE
        WHEN CleaningAction = 0 THEN 'unknown'
        WHEN CleaningAction = 1 THEN 'blocked'
        WHEN CleaningAction = 2 THEN 'deferred'
        WHEN CleaningAction = 3 THEN 'blocked'
        WHEN CleaningAction = 6 THEN 'allowed'
        WHEN CleaningAction = 8 THEN 'unknown'
        WHEN CleaningAction = 9 THEN 'allowed'
        WHEN m.CleaningAction = 10 THEN N'blocked'
    END AS ,
    CASE
        WHEN m.ActionSuccess = 1 THEN 'true'
        ELSE 'false'
    END AS action_result,
    m.ErrorCode AS action_error_code,
    CASE
        WHEN m.PendingActions