Splunk.Events.Clients

[Xavier Mertens]

Hi *,

Who’s using the artifact Splunk.Events.Clients?
I deployed it, works smoothly but (there is always a “but” ;-), I get only a ClientId field and it’s not easy to identify the host behind the event.
I tried to automate the export of a lookup table to add the corresponding host name but is there a better way to beautify Splunk events?
It is possible to get, by example, the client tags in Splunk?

/x

[Mike Cohen]

 Internally, Velociraptor uses client id to uniquely identify the client. You can either do the join on the splunk side as you indicated or you can also resolve the hostname on the velociraptor side and just push denormalized data to the splunk side - depending what is easiest for you.

To resolve the client id -> hostname say you can use the client_info() function

for example in that artifact you can add the following

```vql

LET events = SELECT * FROM foreach(
          row=artifacts_to_watch,
          async=TRUE,   // Required for event queries in foreach()
          query={
             SELECT *, "Artifact_" + Artifact as _index,
                    Artifact,
                    timestamp(epoch=now()) AS timestamp, 

                    client_info(client_id=client_id).os_info.hostname AS Hostname
             FROM watch_monitoring(artifact=Artifact)
          })

```

To enrich the output with the hostname as well.

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/06D4FE3F-8F8E-4420-BF5A-D4CD7EE5C9FD%40gmail.com.

[Xavier Mertens]

Tx Mike!

I updated my artefact, really cool!