
Commit 1d62810

Updated Classic Events Pack
A performance issue was identified with the Mask function when using the __raw internal field. The Classic Events pipeline is no longer using __raw.
1 parent 5069c0d commit 1d62810


4 files changed

+39
-37
lines changed


README.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,9 @@ Download the most recent .crbl file in the repo [`releases page`](https://github
3636

3737
## Release Notes
3838
---
39+
### Version 1.0.3 - 2022-04-01
40+
- Changed Classic Pipeline to work on _raw due to Mask performance issues on __internal fields.
41+
3942
### Version 1.0.2 - 2022-03-21
4043
- Minor cleanup
4144
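Review bot: the 1.0.3 release note only covers the move from __raw to _raw, but this commit also changes behaviour elsewhere: the Perfmon "Reduction Examples" group and its drop, suppress, sampling and aggregation functions are set to disabled, a new (disabled) serde function is appended to the Classic Events pipeline, and `cleanFields: false` is added to the serialize function. Add one line per behaviour change under Version 1.0.3 so anyone upgrading knows that Perfmon reduction is now off by default and that their throughput will change accordingly.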

default/pipelines/Perfmon/conf.yml

Lines changed: 5 additions & 5 deletions
@@ -3,7 +3,7 @@ groups:
33
kPcIuv:
44
name: Reduction Examples
55
index: 4
6-
disabled: false
6+
disabled: true
77
asyncFuncTimeout: 1000
88
functions:
99
- id: regex_extract
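Review bot: setting `disabled: true` on the Reduction Examples group (line 6) is unrelated to the __raw performance fix given in the commit message, and it is not mentioned there or in the README release note. If turning off reduction is intentional, say so explicitly; users who installed the pack for its drop, suppress, sampling and aggregation functions will otherwise see their Perfmon volume change after this update without any indication of why.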
@@ -56,13 +56,13 @@ functions:
5656
digits: 0
5757
- id: drop
5858
filter: Page_Writes_sec==0
59-
disabled: false
59+
disabled: true
6060
conf: {}
6161
groupId: kPcIuv
6262
description: Drop via Filter
6363
- id: suppress
6464
filter: "true"
65-
disabled: false
65+
disabled: true
6666
conf:
6767
allow: 1
6868
suppressPeriodSec: 120
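Review bot: with the group already disabled at line 6, also flipping each member function (drop at line 59, suppress at line 65, and the sampling and aggregation functions in the following hunks) to `disabled: true` is redundant. Pick one mechanism: a user who re-enables the group to get reduction back will otherwise find that every function inside it is still off and has to be toggled individually, which is easy to miss.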
@@ -75,7 +75,7 @@ functions:
7575
description: Time based suppression
7676
- id: sampling
7777
filter: "true"
78-
disabled: false
78+
disabled: true
7979
conf:
8080
rules:
8181
- filter: IO_Data_Operations_sec==0
@@ -86,7 +86,7 @@ functions:
8686
description: Event sampling
8787
- id: aggregation
8888
filter: "true"
89-
disabled: false
89+
disabled: true
9090
conf:
9191
passthrough: false
9292
preserveGroupBys: true

default/pipelines/WindowsClassicEvents/conf.yml

Lines changed: 30 additions & 31 deletions
@@ -74,15 +74,6 @@ functions:
7474
2. Select Show internal fields
7575
3. Select Render Whitespace
7676
4. Internal fields are not passed to the Destination.
77-
- id: eval
78-
filter: "true"
79-
disabled: false
80-
conf:
81-
add:
82-
- name: __raw
83-
value: _raw
84-
description: Set internal __raw field (double underscore).
85-
groupId: 74Mz02
8677
- id: mask
8778
filter: "true"
8879
disabled: false
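Review bot: removing the eval that copied _raw into __raw leaves the comment function directly above it stale. Steps 2 to 4 in the retained context ("Select Show internal fields", "Select Render Whitespace", "Internal fields are not passed to the Destination") tell the reader how to inspect the __raw working copy that this commit stops creating; update or drop that guidance in the same change. Note the behavioural consequence as well: every mask below now rewrites _raw in place, so the unmodified event body is no longer available for side-by-side comparison in preview or for any later function that expected the original text. That trade-off is fine given the performance problem, but it belongs in the description.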
@@ -93,7 +84,7 @@ functions:
9384
- matchRegex: /({)([\S\s]+)([}{])gg/gm
9485
replaceExpr: "`${g1}${g2.replace(/[\\s\\r\\n]+/gm,' ')}${g3}`"
9586
fields:
96-
- __raw
87+
- _raw
9788
groupId: 74Mz02
9889
description: Event 4104 - Edge Case to handle early curly braces
9990
- id: mask
@@ -106,7 +97,7 @@ functions:
10697
- matchRegex: /\n\s+at\s/gm
10798
replaceExpr: "' at '"
10899
fields:
109-
- __raw
100+
- _raw
110101
groupId: 74Mz02
111102
description: Event 1309 - Stack Trace
112103
- id: mask
@@ -117,7 +108,7 @@ functions:
117108
- matchRegex: /^/
118109
replaceExpr: "'Timestamp='"
119110
fields:
120-
- __raw
111+
- _raw
121112
description: Add Timestamp key name to make it uniform like the rest of the event. The
122113
Timestamp field is removed (optional) at the end of the pipeline since
123114
_time is already extracted.
@@ -130,7 +121,7 @@ functions:
130121
- matchRegex: /^( +)/gm
131122
replaceExpr: "''"
132123
fields:
133-
- __raw
124+
- _raw
134125
description: Remove any beginning spaces in the event. Not all events have them, but
135126
in the test samples I reviewed, I did notice exceptions. Sometimes the
136127
spaces re-appear.
@@ -143,7 +134,7 @@ functions:
143134
- matchRegex: /$/
144135
replaceExpr: "' \\r\\n'"
145136
fields:
146-
- __raw
137+
- _raw
147138
description: Add a \s\r\n to the end of the event to make parsing easier, "Sometimes
148139
Regex is hard..."
149140
groupId: 74Mz02
@@ -155,7 +146,7 @@ functions:
155146
- matchRegex: /^Additional Data.*[\r\n]+/gm
156147
replaceExpr: "''"
157148
fields:
158-
- __raw
149+
- _raw
159150
groupId: 74Mz02
160151
description: Remove Additional Data line since it doesn't add any value
161152
- id: comment
@@ -206,7 +197,7 @@ functions:
206197
- matchRegex: /\n"/gm
207198
replaceExpr: "''"
208199
fields:
209-
- __raw
200+
- _raw
210201
description: Edge Cases to collapse events to same line when key is on line 1 and value
211202
is on line 2, etc. See Comment above
212203
groupId: 74Mz02
@@ -219,7 +210,7 @@ functions:
219210
- matchRegex: /^(.+?:)(\n)^(.+)/gm
220211
replaceExpr: "`${g1}${g3}`"
221212
fields:
222-
- __raw
213+
- _raw
223214
groupId: 74Mz02
224215
description: Event 1644 - Edge Case to collapse remaining events to same line when key
225216
is on line 1 and value is on line 2, etc.
@@ -236,7 +227,7 @@ functions:
236227
- matchRegex: / +\r/gm
237228
replaceExpr: "'\\r'"
238229
fields:
239-
- __raw
230+
- _raw
240231
description: Remove spaces at the end of each line.
241232
groupId: 74Mz02
242233
- id: mask
@@ -247,7 +238,7 @@ functions:
247238
- matchRegex: /\r+/gm
248239
replaceExpr: "''"
249240
fields:
250-
- __raw
241+
- _raw
251242
description: Remove Windows carriage returns characters displayed as␍which is the \r
252243
groupId: 74Mz02
253244
- id: mask
@@ -258,7 +249,7 @@ functions:
258249
- matchRegex: /^\n/gm
259250
replaceExpr: "''"
260251
fields:
261-
- __raw
252+
- _raw
262253
description: Remove empty lines. Sometimes these come back as you process events,
263254
merge event liens and I might repeat this when necessary.
264255
groupId: 74Mz02
@@ -274,7 +265,7 @@ functions:
274265
- matchRegex: "/: /gm"
275266
replaceExpr: "':'"
276267
fields:
277-
- __raw
268+
- _raw
278269
description: "Remove extra spaces and convert to single space and remove and spaces
279270
before or after the keys : values since Windows event structure are so
280271
unpredictable."
@@ -293,7 +284,7 @@ functions:
293284
- matchRegex: /}\n/gm
294285
replaceExpr: "'} '"
295286
fields:
296-
- __raw
287+
- _raw
297288
description: Escape required characters that the JSON format requires.
298289
groupId: 74Mz02
299290
- id: mask
@@ -306,7 +297,7 @@ functions:
306297
- matchRegex: /^((?:[\w()-]+ ?){1,4})(?=[:])([:])/gm
307298
replaceExpr: "`${g1.replace(/[\\s-]/gm,'_')}${g2}`"
308299
fields:
309-
- __raw
300+
- _raw
310301
description: Remove spaces in any Message Keys and replace with underscore
311302
groupId: 74Mz02
312303
- id: mask
@@ -323,7 +314,7 @@ functions:
323314
- matchRegex: /{\n/
324315
replaceExpr: "'{'"
325316
fields:
326-
- __raw
317+
- _raw
327318
description: Add Quote and Bracket to parent objects such as "Creator_Subject":{
328319
groupId: KaPK3t
329320
- id: mask
@@ -342,7 +333,7 @@ functions:
342333
- matchRegex: /\t/gm
343334
replaceExpr: "''"
344335
fields:
345-
- __raw
336+
- _raw
346337
description: Transform __raw into JSON, handling various event shapes and exceptions.
347338
groupId: KaPK3t
348339
- id: mask
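Review bot: the field list moves to _raw but the description on the next line still reads "Transform __raw into JSON"; the same stale wording survives in the two mask functions that follow (the `'\n}'` and `"${g1}":"${g2}",` masks). Update the descriptions together with the field change so the pipeline UI does not refer to a field that is no longer created anywhere in this pipeline.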
@@ -363,7 +354,7 @@ functions:
363354
- matchRegex: /$/
364355
replaceExpr: "'\\n}'"
365356
fields:
366-
- __raw
357+
- _raw
367358
description: Transform __raw into JSON, handling various event shapes and exceptions.
368359
groupId: KaPK3t
369360
- id: mask
@@ -378,15 +369,15 @@ functions:
378369
- matchRegex: /^([^"{}][^=]+)=(.+)/gm
379370
replaceExpr: '`"${g1}":"${g2}",`'
380371
fields:
381-
- __raw
372+
- _raw
382373
description: Transform __raw into JSON, handling various event shapes and exceptions.
383374
groupId: KaPK3t
384375
- id: eval
385376
filter: "true"
386377
disabled: false
387378
conf:
388379
add:
389-
- value: __raw.match(/^([^"}{].*)/gm).join('\n')
380+
- value: _raw.match(/^([^"}{].*)/gm).join('\n')
390381
name: Message_Text
391382
description: Extract freeform text from __raw to MessageText for safekeeping.
392383
groupId: KaPK3t
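Review bot: the eval's value expression now reads from _raw, but its description still says "Extract freeform text from __raw to MessageText", and the field it actually creates is named `Message_Text` (line 381), not `MessageText`; fix both so the description matches the code. Separately, `_raw.match(/^([^"}{].*)/gm)` returns null for an event in which every line starts with `"`, `{` or `}`, and `.join('\n')` on null throws, so the function errors on those events. That was already true with __raw, but since the expression now runs against the production field it is worth guarding, for example `(_raw.match(/^([^"}{].*)/gm) || []).join('\n')`.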
@@ -402,7 +393,7 @@ functions:
402393
- matchRegex: /"\n"/
403394
replaceExpr: "'\",\\n\"'"
404395
fields:
405-
- __raw
396+
- _raw
406397
description: Remove freeform text from __raw because JSON requires a strict format.
407398
groupId: KaPK3t
408399
- id: serde
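Review bot: the description still says "Remove freeform text from __raw because JSON requires a strict format"; change it to _raw to match the field list one line above.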
@@ -411,7 +402,7 @@ functions:
411402
conf:
412403
mode: extract
413404
type: json
414-
srcField: __raw
405+
srcField: _raw
415406
description: Extract JSON to top level fields where you can manage fields quickly and
416407
easily.
417408
groupId: KaPK3t
@@ -429,6 +420,7 @@ functions:
429420
- "!sourcetype"
430421
- "!host"
431422
- "*"
423+
cleanFields: false
432424
description: Push all top level fields and Serialize into _raw, exclude default Splunk
433425
fields first, and include the remaining fields.
434426
groupId: MHboFX
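Review bot: `cleanFields: false` is added to the serialize function with no explanation in the commit message, the release note or the function description. Add a sentence to the description (lines 424 and 425) saying what keeping the top-level fields in place after they are serialized into _raw is meant to support, so a reader can judge whether the later Remove-fields function still covers everything they expect to be stripped before the Destination.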
@@ -692,7 +684,14 @@ functions:
692684
description: Keep Cribl fields and the default Splunk fields and remove all unnecessary
693685
top level fields. Feel free to adjust for extracted meta fields.
694686
groupId: OW2pX5
687+
- id: serde
688+
filter: "true"
689+
disabled: true
690+
conf:
691+
mode: extract
692+
type: json
693+
srcField: _raw
695694
- id: drop
696695
filter: "['4688','4689'].includes(_raw.EventCode)"
697-
disabled: null
696+
disabled: true
698697
conf: {}
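Review bot: the new serde function (lines 687 to 693) has no `description` and no `groupId`, unlike every other function in this file, so it will render outside the OW2pX5 group with nothing explaining why it exists. It is clearly meant as a prerequisite for the drop function right below it, but as written the pairing does not work: serde in `extract` mode lifts the JSON keys out of _raw into top-level fields, it does not turn _raw into an object, so `_raw.EventCode` in the drop filter would still be undefined and the filter would never match; the condition most likely wants the top-level `EventCode`. Please fix the filter, document that the two functions must be enabled together, and keep them shipped disabled as they are here: EventCode 4688 and 4689 are process creation and termination events that detection content commonly depends on, so dropping them should be an explicit opt-in rather than something a user turns on without noticing the dependency. Changing `disabled: null` to `disabled: true` on the drop function is a good cleanup.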

package.json

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
{"name":"cribl-windows-events","tags":{},"version":"1.0.2","author":"David Maislin - Cribl","description":"Streamlining Windows Events - Support for XML.Classic and NXLog event formats","displayName":"Microsoft Windows Events"}
1+
{"name":"cribl-windows-events","version":"1.0.3","author":"David Maislin - Cribl","description":"Streamlining Windows Events - Support for XML.Classic and NXLog event formats","displayName":"Microsoft Windows Events","tags":{}}
