`local = True` to force the command to only run on the search head
This search command is packaged with the following external libraries:
+ Splunk SDK for Python version 1.6.6 (http://dev.splunk.com/python)
+ FuzzyWuzzy 0.17.0 (https://github.com/seatgeek/fuzzywuzzy)
Nothing further is required for this add-on to function.
Follow standard Splunk installation procedures to install this app.
| fuzzy wordlist="svchost.exe" type="simple" compare_field="tester" output_prefix="fuzz" delims="(\\\\)"
| fuzzy wordlist=Creator_Process_Name compare_field=New_Process_Name
eventtype=win_process_new New_Process_Name=* | fuzzy wordlist="svchost.exe" compare_field="New_Process_Name"
eventtype=proxy_logs domain=* | fuzzy wordlist="companydomain1.com,companydomain2.com,companydomain3.com" compare_field="domain"
There is a nested loop of death whereby the provided wordlist is split and the given input is split. You can improve your performance in the following ways:
I use this command in production and will continue to work on improvements, but considering the looping that is done, it may always have performance issues.
The ratio field will contain a value from 0 to 100, where 100 is a perfect match. The word fields will contain the input token and the wordlist entry that actually matched.
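The behaviour described by the usage examples and the output notes above, as an added, stand-alone Python model of what the `fuzzy` command does per event (this is example code, not the TA-fuzzy source). It assumes output field names of `<prefix>_ratio`, `<prefix>_input_word` and `<prefix>_wordlist_word`, treats a `wordlist` value that names a field present in the event as that field's value (the "wordlist from a field" usage), and scores with `difflib.SequenceMatcher`, which is what fuzzywuzzy's `fuzz.ratio` falls back to when python-Levenshtein is not installed (with python-Levenshtein present, scores can differ by a point or two). The sample events are constructed.

```python
import re
from difflib import SequenceMatcher

# Constructed sample events (not real telemetry). The second path is a
# hypothetical look-alike included to show what a near-miss scores.
SAMPLE_EVENTS = [
    {"New_Process_Name": r"C:\Windows\System32\svchost.exe"},
    {"New_Process_Name": r"C:\Users\Public\svch0st.exe"},
    {"New_Process_Name": r"C:\Windows\explorer.exe"},
]


def ratio(a, b):
    """0..100 similarity, 100 = identical.

    Mirrors fuzzywuzzy's fuzz.ratio() without python-Levenshtein:
    SequenceMatcher ratio scaled to 100 and rounded to an int.
    """
    return int(round(100 * SequenceMatcher(None, a, b).ratio()))


def split_input(value, delims):
    """Split the compare field on the delims regex.

    With no delims the whole value is a single token (the behaviour the
    changelog describes after the "no default splitting" change).
    A bad regex is reported instead of silently matching nothing.
    """
    if not delims:
        return [value]
    try:
        pattern = re.compile(delims)
    except re.error as exc:
        raise ValueError(f"bad delims regex {delims!r}: {exc}") from exc
    return [tok for tok in pattern.split(value) if tok]


def run_fuzzy(events, wordlist, compare_field, delims=None, output_prefix="fuzzy"):
    """Score each event's compare_field against the wordlist.

    wordlist is a comma-separated literal or, if it names a field in the
    event, that field's value (assumed convention). Multivalue compare
    fields (lists) are handled by scoring every value. Output field names
    are assumptions for this example.
    """
    results = []
    for event in events:
        value = event.get(compare_field)
        if value is None:  # nothing to compare: pass the event through untouched
            results.append(dict(event))
            continue
        raw = event.get(wordlist, wordlist)
        words = raw if isinstance(raw, list) else str(raw).split(",")
        words = [w.strip() for w in words if w.strip()]
        values = value if isinstance(value, list) else [value]
        best_ratio, best_input, best_word = -1, None, None
        # The "nested loop": every input token against every wordlist entry.
        # Cost per event is len(tokens) * len(words), so a tight delims regex
        # and a short wordlist are where the speed-ups come from.
        for v in values:
            for token in split_input(str(v), delims):
                for word in words:
                    score = ratio(token, word)
                    if score > best_ratio:
                        best_ratio, best_input, best_word = score, token, word
        out = dict(event)
        out[f"{output_prefix}_ratio"] = best_ratio
        out[f"{output_prefix}_input_word"] = best_input
        out[f"{output_prefix}_wordlist_word"] = best_word
        results.append(out)
    return results


if __name__ == "__main__":
    for row in run_fuzzy(SAMPLE_EVENTS, "svchost.exe", "New_Process_Name", delims=r"\\"):
        print(row["fuzzy_ratio"], row["fuzzy_input_word"], "->", row["fuzzy_wordlist_word"])
```

Run as a script, the three sample events score 100, 91 and 43 against `svchost.exe` when the path is split on backslashes; without `delims` the full path `C:\Windows\System32\svchost.exe` scores only 52 against the same word, which is why choosing a delimiter (or preprocessing the field before the command) matters for both accuracy and speed. In a search, filtering the prefixed ratio to a band such as `| where fuzzy_ratio>=80 AND fuzzy_ratio<100` is how near-miss names are separated from exact matches.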
If support is required or you would like to contribute to this project, please reference: https://gitlab.com/johnfromthefuture/TA-fuzzy. This app is supported by the developer as time allows.
+ Attempted to make library import more dynamic to fix a possible issue with distributed searching.
+ Updated splunk-sdk to 1.6.14
+ Updated fuzzywuzzy to 0.18.0
+ Tested compatibility with Splunk 8.1
+ Tested compatibility with Splunk 8 / py3.
+ Updated fuzzywuzzy library to 0.17
+ Minor code update for future py3 compat
+ Tested compatibility with Splunk 7.3
+ Removed configuration to force command to run locally to support distributed streaming
+ Tested compatibility with Splunk 7.2
+ Added user requested feature to supply a wordlist from a field in a given event
+ Confirmed compatibility with Splunk 7.1
+ Added appicon images for compatibility with certification.
+ Documentation updates based on appinspect output.
+ Bug fixes to support multivalue input fields again
+ Migrated from intersplunk to the Splunk SDK for Python.
+ Updated fuzzywuzzy library to latest release
+ Updated readme file to markdown syntax
+ Verified compatibility with Splunk 7.0
+ Set option `local = True` to force the command to only run on the search head
+ Made a number of workflow improvements, trying to increase command performance.
Minor script modifications changing the regex splitting assumptions. If you now choose not to specify a "delimiter" to split up the input field, the script will no longer default to splitting that field. I did this for performance reasons, allowing for the possibility of preprocessing data before passing it to this script.
I put in a bad try/except block typing try/else instead... Fixed.
- Adds minor error checking for a bad regex
- Adds searchbnf.conf for documentation and highlighting
- Minor changes to try to increase performance of the script
- Verified app continued to function with Splunk 6.5
Version 1.0: Custom search command implementation of FuzzyWuzzy libraries. Reference: https://github.com/seatgeek/fuzzywuzzy