Dear fellow Splunkers,
The export policies retrieved by the Splunk app Splunk_TA_ontap (sourcetype=ontap:nfsexports) aren't parsed correctly when comma-separated values are used.
In the NetApp export policies, comma-separated values can be used for protocol, rorule, rwrule and superuser. In the _raw Splunk events you can also see that a dictionary was made for those fields. However, they always just return the first value:
```
{
    anonymous-user-id:12345
    super-user-security: {
        security-flavor: sys
    }
    vserver-name: somehost
    is-allow-set-uid-enabled: true
    client-match: 123.123.123.123/23
    ro-rule: {
        security-flavor: sys
    }
    rw-rule: {
        security-flavor: sys
    }
    export-ntfs-unix-security-ops: fail
    rule-index: 1
    export-chown-mode: restricted
    policy-name: policy-name
    is-allow-dev-is-enabled: true
    protocol: {
        access-protocol: nfs3
    }
```
I think this is caused by the generalTwoLevelFlatten method in the Splunk_TA_ontap/bin/ta_ontap/OntapFormatters.py file, which is documented as:
```
"""
Simple flattener for xml responses where we want to
break events after two levels of wrapper E.G.:
<results status='passed'>
    <aggregates>
        <aggr-space-info>
            EVENT
        </aggr-space-info>
        <aggr-space-info>
            EVENT
        </aggr-space-info>
        <aggr-space-info>
            EVENT
        </aggr-space-info>
    </aggregates>
</results>
RETURNS an array of JSON strings
"""
```
Does anyone have the same issue? And does anyone know a solution?
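
Added example, not part of the original post and not the TA's code: a minimal two-level flattener showing how converting XML children into a dict keyed by tag name can drop repeated sibling elements (the symptom described above), next to a variant that keeps them as a list so every security flavor of an export rule reaches the index. The function names, the `attributes-list` and `export-rule-info` wrapper names, and the sample values `nfs4` and `krb5` are assumptions made for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample response (not captured from a real filer): one export
# rule whose protocol and ro-rule each carry two values.
SAMPLE = """
<results status='passed'>
  <attributes-list>
    <export-rule-info>
      <policy-name>policy-name</policy-name>
      <rule-index>1</rule-index>
      <client-match>123.123.123.123/23</client-match>
      <protocol>
        <access-protocol>nfs3</access-protocol>
        <access-protocol>nfs4</access-protocol>
      </protocol>
      <ro-rule>
        <security-flavor>sys</security-flavor>
        <security-flavor>krb5</security-flavor>
      </ro-rule>
      <super-user-security>
        <security-flavor>sys</security-flavor>
      </super-user-security>
    </export-rule-info>
  </attributes-list>
</results>
"""

def to_value(elem, keep_repeats):
    """Convert an element to a str (leaf) or a dict (wrapper)."""
    if len(elem) == 0:
        return (elem.text or "").strip()
    out = {}
    for child in elem:
        value = to_value(child, keep_repeats)
        if child.tag not in out:
            out[child.tag] = value            # first occurrence of this tag
        elif keep_repeats:
            if not isinstance(out[child.tag], list):
                out[child.tag] = [out[child.tag]]
            out[child.tag].append(value)      # later siblings extend a list
        # else: later siblings with the same tag are silently dropped
    return out

def two_level_flatten(xml_text, keep_repeats=True):
    """Return one JSON string per element two levels below the root."""
    root = ET.fromstring(xml_text)
    return [json.dumps(to_value(event, keep_repeats))
            for wrapper in root for event in wrapper]
```

With `keep_repeats=False` the output matches the single-value events shown in the post; with the default, repeated values are emitted as JSON arrays, which Splunk extracts as multivalue fields.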