Set local = True to force the command to only run on the search head.
This search command is packaged with the following external libraries:
+ Splunk SDK for Python version 1.6.6 (http://dev.splunk.com/python)
+ FuzzyWuzzy 0.17.0 (https://github.com/seatgeek/fuzzywuzzy)
Nothing further is required for this add-on to function.
Follow standard Splunk installation procedures to install this app.
Reference: https://docs.splunk.com/Documentation/AddOns/released/Overview/Singleserverinstall
Reference: https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall
| fuzzy wordlist="svchost.exe" type="simple" compare_field="tester" output_prefix="fuzz" delims="(\\\\)"
(\\\\|/|\s+|;|-)
| fuzzy wordlist=Creator_Process_Name compare_field=New_Process_Name
eventtype=win_process_new New_Process_Name=* | fuzzy wordlist="svchost.exe" compare_field="New_Process_Name"
eventtype=proxy_logs domain=* | fuzzy wordlist="companydomain1.com,companydomain2.com,companydomain3.com" compare_field="domain"
There is a nested loop of death whereby the provided wordlist is split and the given input is split. You can improve your performance in the following ways:
I use this command in production and will continue to work on improvements but considering the looping that is done, it may always have performance issues.
The ratio will contain a value, 0 to 100, where 100 is a perfect match. The word values will contain what actually matched in the input/wordlist combination.
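The nested loop, ratio and matched-word output described above, as an added example that is not the app's own code: fuzz.ratio is approximated with difflib (which FuzzyWuzzy itself falls back to when python-Levenshtein is absent), and the output field names and case-sensitive comparison are assumptions. Passing delims=None keeps the input whole, matching the 2.0.x behaviour of not splitting when no delimiter is given.

```python
import re
from difflib import SequenceMatcher

# Delimiter regex from the page's examples; in SPL the backslash is written doubled ("\\\\").
DEFAULT_DELIMS = r"(\\|/|\s+|;|-)"


def ratio(a: str, b: str) -> int:
    """Similarity 0..100 (100 = perfect match). Approximates FuzzyWuzzy's
    fuzz.ratio with difflib, which FuzzyWuzzy uses when python-Levenshtein
    is not installed."""
    return round(100 * SequenceMatcher(None, a, b).ratio())


def split_tokens(value: str, delims):
    """Split the compare_field value on the delimiter regex.
    delims=None keeps the value whole (2.0.x behaviour: no default splitting)."""
    if delims is None:
        return [value]
    # re.split also returns the captured delimiters; drop them and empty strings
    return [t for t in re.split(delims, value) if t and not re.fullmatch(delims, t)]


def fuzzy(value: str, wordlist: str, delims=DEFAULT_DELIMS, output_prefix="fuzz"):
    """The nested loop: every wordlist entry against every input token.
    Returns the best ratio and the two words that produced it, keyed by
    output_prefix (the exact output field names are an assumption)."""
    words = [w.strip() for w in wordlist.split(",") if w.strip()]
    best = (-1, "", "")
    for word in words:
        for token in split_tokens(value, delims):
            r = ratio(word, token)
            if r > best[0]:
                best = (r, token, word)
    return {
        f"{output_prefix}_ratio": best[0],
        f"{output_prefix}_input_word": best[1],
        f"{output_prefix}_wordlist_word": best[2],
    }


if __name__ == "__main__":
    # Constructed sample: a process name one character off from svchost.exe
    print(fuzzy(r"C:\Windows\System32\svch0st.exe", "svchost.exe"))
    # Constructed sample: a look-alike domain checked against company domains
    print(fuzzy("c0mpanydomain1.com", "companydomain1.com,companydomain2.com"))
```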
If support is required or you would like to contribute to this project, please reference: https://gitlab.com/johnfromthefuture/TA-fuzzy. This app is supported by the developer as time allows.
Version 2.0.7
Tested compatibility with Splunk 8 / py3.
Set local = True to force the command to only run on the search head.
Minor script modifications changing the regex splitting assumptions. If you now choose not to specify a "delimiter" to split up the input field, the script will no longer default to splitting that field. I did this for performance reasons, allowing for the possibility to preprocess data before passing it to this script.
Version 1.2.1
I put in a bad try/except block typing try/else instead... Fixed.
Version 1.0: Custom search command implementation of FuzzyWuzzy libraries. Reference: https://github.com/seatgeek/fuzzywuzzy