murchisd / splunk_pstree_app

Custom Splunk search command to reconstruct a pstree from Sysmon process creation events (EventCode 1)

Missing Event Fields Causing KeyError #6

Open tkreiner opened 2 years ago

tkreiner commented 2 years ago

I ran into an issue with a search today that caused the following error to appear in Splunk:

KeyError at "/opt/splunk/etc/apps/splunk_pstree_app/bin/pstree.py", line 113 : 'command_line'

I did some digging in the code and I realized that this error was being created because PSTree was being handed a field that didn't actually exist in the event results. This was because I was running a search in Fast Mode. I was able to get around this by either running in Verbose Mode, or adding FIELDNAME=* for each of the PSTree parameter fields to my initial search.

index=myindex sourcetype=mysourcetype parent_process_guid=* process_guid=* command_line=*
| pstree parent=parent_process_guid child=process_guid detail=command_line

The error that Splunk provided didn't give any good indication of the actual problem. It would be great to put some error checking at this point and provide an error that gives better context for the user to understand the issue.
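One way to add the field check the issue asks for, as an added example that is not the app's own pstree.py code: it assumes the command receives each event as a dict keyed by field name, uses the parameter and field names from the search quoted above, and runs over constructed sample events (no real GUIDs or hosts).

```python
from collections import defaultdict

# Parameter name -> field name, as in the search quoted in this issue.
PARAMS = {"parent": "parent_process_guid", "child": "process_guid", "detail": "command_line"}

# Constructed sample events (Sysmon EventCode 1 style, GUIDs shortened); not real data.
EVENTS = [
    {"parent_process_guid": "{A}", "process_guid": "{B}", "command_line": "explorer.exe"},
    {"parent_process_guid": "{B}", "process_guid": "{C}", "command_line": "cmd.exe /c ipconfig"},
    {"parent_process_guid": "{B}", "process_guid": "{D}", "command_line": "notepad.exe"},
]
FAST_MODE_EVENT = {"parent_process_guid": "{A}", "process_guid": "{B}"}  # Fast Mode: no command_line

class MissingFieldError(Exception):
    """Raised when an event lacks a field named in the command's parameters."""

def missing_fields(record, params):
    """Return [(param, field), ...] for every parameter whose field is absent."""
    return [(p, f) for p, f in params.items() if f not in record]

def require_fields(record, params):
    """Raise a descriptive error instead of letting record[field] KeyError."""
    missing = missing_fields(record, params)
    if missing:
        desc = ", ".join(f"{p}={f}" for p, f in missing)
        raise MissingFieldError(
            f"pstree: field(s) missing from event: {desc}. Run the search in "
            "Verbose Mode or add 'FIELD=*' to the base search so they are extracted.")
    return record

def build_pstree(events, params):
    """Map parent GUID -> child GUIDs and child GUID -> detail; roots have no parent event."""
    children, labels = defaultdict(list), {}
    for ev in events:
        require_fields(ev, params)  # fail early with context, not a bare KeyError
        children[ev[params["parent"]]].append(ev[params["child"]])
        labels[ev[params["child"]]] = ev[params["detail"]]
    roots = sorted({ev[params["parent"]] for ev in events} - set(labels))
    return roots, dict(children), labels

def render_pstree(events, params):  # indented lines, one process per line, depth-first
    roots, children, labels = build_pstree(events, params)
    lines = []
    def walk(node, depth):
        lines.append("    " * depth + labels.get(node, node))
        for c in children.get(node, []):
            walk(c, depth + 1)
    for root in roots:
        walk(root, 0)
    return lines
```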

murchisd commented 1 year ago

Hey @tkreiner, thanks for the input. I will take a look at adding a more detailed description for specific errors.