All Apps and Add-ons

Incorrect parsing of the NetApp export policies (sourcetype=ontap:nfsexports) by the Splunk_TA_ontap app

bramkostermans
Engager

Dear fellow Splunkers,

The export policies retrieved by the Splunk app Splunk_TA_ontap (sourcetype=ontap:nfsexports) aren't parsed correctly when comma separated values are used.

In the Netapp export policies comma separated values can be used for protocol, rorule, rwrule and superuser. In the _raw Splunk events you can also see that a dictionary was made for those fields. However, they always just return the first value:

`{
anonymous-user-id:12345
super-user-security: {
security-flavor: sys
}
vserver-name: somehost
is-allow-set-uid-enabled: true
client-match: 123.123.123.123/23
ro-rule: {
security-flavor: sys
}
rw-rule: {
security-flavor: sys
}
export-ntfs-unix-security-ops: fail
rule-index: 1
export-chown-mode: restricted
policy-name: policy-name
is-allow-dev-is-enabled: true
protocol: {
access-protocol: nfs3
}

}`

I think this is caused by the generalTwoLevelFlatten method in the Splunk_TA_ontap/bin/ta_ontap/OntapFormatters.py file. Which is documented as:

            """
            Simple flattener for xml responses where we want to
            break events after two levels of wrapper E.G.:
            <results status='passed'>
                            <aggregates>
                                            <aggr-space-info>
                                                            EVENT
                                            </aggr-space-info>
                                            <aggr-space-info>
                                                            EVENT
                                            </aggr-space-info>
                                            <aggr-space-info>
                                                            EVENT
                                            </aggr-space-info>
                            </aggregates>
            </results>

            RETURNS an array of JSON strings
            """

Does anyone have the same issue? And does anyone know a solution?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...