Splunk Queries – syntax highlighting (a wordfile for Ultraedit)

Many people like to write Splunk queries in the Splunk search ‘console’:

I do it all the time too, but I really don’t like web-based editors very much. Not only do they lack many of the features a decent desktop editor offers, but writing queries in a desktop editor also ensures that I keep a copy on file, at least the base version, which I can then reuse in the future (in fact, after a while, most of my Splunk queries are basically copy-pastes of old queries with some ad hoc modifications). Plus, not everyone is using a Splunk version that offers highlighting by default (as shown on the screenshot above).

My editor poison of choice is Ultraedit, and for a while now I have been trying to find a wordfile for this program that would let me edit Splunk queries with highlighted syntax. All I could find was a syntax file for VIM. Since I couldn’t find one for Ultraedit, and the VIM one was a bit overblown for my purposes, one rainy day I decided to create my own…

I wanted to include distinctive coloring:

  • search-related keywords (I group these into a few different buckets to emphasize various high-level search-oriented keywords, aggregate functions, math functions, string functions, etc. using a different color scheme for each) – this is not dictated by anything other than my own subjective ‘feeling’ about some keywords, so feel free to adjust to your needs
  • built-in functions
  • operators
  • numbers
  • common field names – as many as possible, this defo needs to be customized more for specific environments
  • common values – as above
  • etc.

This is a work in progress, but it is already making a visual difference:

One can always mod the theme to better fit the Ultraedit color scheme and match the one from Splunk, but hey… this is a homework exercise 😉

You can download the file from here.

If you want to add any stuff to it, please let me know.

If you want to convert it to a wordfile for any other editor, feel free as well – you can also let me know so I can link to it from this post so other people can find it.

Beyond good ol’ Run key, Part 83

If you have ever downloaded a file using IE, Firefox, Chrome or Thunderbird, you might have seen messages from these programs telling you that the files being downloaded are being scanned by the antivirus program. The way the scanning works on Windows is quite simple: the programs use the IOfficeAntiVirus and IAttachmentExecute interfaces. These in turn rely on Registry entries for COM objects that implement the ‘antivirus’ category and advertise it by adding ‘tags’ under their respective CLSID entries.

The ‘tag’ for IOfficeAntiVirus is the category GUID {56FFCC30-D398-11D0-B2AE-00A0C908FA49}. For example, the ‘Windows Defender IOfficeAntiVirus implementation’ has the following Registry entry:

  • HKCR\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}
    • (Default) = Windows Defender IOfficeAntiVirus implementation
    • Implemented Categories
      • {56FFCC30-D398-11D0-B2AE-00A0C908FA49}

When the IOfficeAntiVirus::Scan method is called by the programs (or internally via IAttachmentExecute), the system enumerates the Registry, collects info about all components implementing IOfficeAntiVirus, and caches them in the following location:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum

and its 64-bit version equivalent:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum

It then instantiates them and calls the Scan method on each one in turn. Registry enumeration is quite slow, so the caching mechanism (obviously) speeds things up (as a result, anyone adding a new component should always delete this cache to ensure the component is properly loaded the next time the Scan method is called).
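As an added example (not code from the original post), the PowerShell function below walks the CLSID hives for classes tagged with the IOfficeAntiVirus category GUID described above and reports each one’s server binary and Authenticode status, so an unexpected ‘antivirus’ component stands out in an audit. It assumes Windows PowerShell 5.1 or later on Windows; the function name is my own.

```powershell
# Added example (not code from the original post): audit which COM classes
# advertise the IOfficeAntiVirus category, i.e. which binaries Windows will
# load and call Scan() on when a browser or mail client finishes a download.
# Assumes Windows PowerShell 5.1+ (or PowerShell 7) on Windows.
$OfficeAvCategory = '{56FFCC30-D398-11D0-B2AE-00A0C908FA49}'

function Get-OfficeAntiVirusProvider {
    # HKCR is a merged view of the per-machine and per-user Classes hives, so
    # walk both (plus the 32-bit WOW6432Node view) to catch user-level registrations.
    $roots = @(
        'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
        'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID',
        'HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path "Registry::$root")) { continue }
        foreach ($clsid in Get-ChildItem "Registry::$root" -ErrorAction SilentlyContinue) {
            $key = "Registry::$($clsid.Name)"
            # Only classes tagged with the category GUID are candidates for Scan().
            if (-not (Test-Path "$key\Implemented Categories\$OfficeAvCategory")) { continue }

            # Resolve the server binary (in-proc DLL or out-of-proc EXE).
            $server = $null
            foreach ($sub in 'InprocServer32', 'LocalServer32') {
                if (Test-Path "$key\$sub") {
                    $server = (Get-ItemProperty "$key\$sub" -ErrorAction SilentlyContinue).'(default)'
                    break
                }
            }
            $path = if ($server) {
                [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
            }
            # Unsigned or missing binaries advertising this category deserve a closer look.
            $sig = if ($path -and (Test-Path -LiteralPath $path)) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'FileNotFound' }

            [PSCustomObject]@{
                View      = $root
                CLSID     = $clsid.PSChildName
                Name      = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
                Server    = $server
                Signature = $sig
            }
        }
    }
}

Get-OfficeAntiVirusProvider | Sort-Object Signature | Format-Table -AutoSize
```

On a default Windows install the list should be short (for example the Windows Defender implementation shown above); anything else, especially an unsigned binary or one registered only under HKCU, is worth comparing against the cached Enum key contents and your software inventory.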

The topic is very old, and there are tons of descriptions, discussions, and actual sample code snippets available online, but it’s always worth documenting possible persistence mechanisms.

References:

  • Source code showing how to implement an IOfficeAntiVirus component can be found here.
  • A good discussion about both interfaces (IOfficeAntiVirus and IAttachmentExecute) with regard to Firefox can be found here.
  • The Firefox source code using these interfaces can be found here.
  • A good discussion about the interfaces, their internals and their impact on Chrome development can be found here.

And in case it’s not obvious yet, a custom component implementing the IOfficeAntiVirus interface could act as a very persistent ‘antivirus’ 🙂