All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

MS Windows AD Objects change objectClass

kmuellercm
Explorer
‎02-03-2020 04:50 PM

I have a unique situation where some of my users have a slightly different objectClass than usual and I'm trying to find a way to mask that so the default searches in the MS AD Objects app work properly

Basically the users are being parsed as objectClass="top|otherClass|person|organizationalPerson|user"

I want to selectively remote otherClass using a transform or props stanza but i'm unable to do so. I've tried the following on the indexer in the windows TA application:
transforms.conf:
[msad_fix_objectClass]
SOURCE_KEY = _raw
REGEX = (?ms).objectClass=(top|)(?:otherClass|)(person|organizationalPerson|user).
FORMAT = objectClass::"$1$2"

props.conf
[ActiveDirectory]
TRANSFORMS-objectClass = msad_fix_objectClass

But it's not working properly. Anyone have ideas?

0 Karma
Reply

kmuellercm
Explorer
‎02-04-2020 07:40 AM

Oh I answered my own question....

I was going about it incorrectly, I needed to use SEDCMD rather than a transform. SEDCMD is also way easier and more straightforward but took a bit to get the syntax correct.

The pipe's in the input were throwing me off, needed to escape them with a backslash

replace top|otherClass|
with just top|
in all locations in the event (g)

s/top\|otherClass\|/top\|/g

Be sure you understand that this applies to _raw so make sure your match is specific and only ever matches that string. this is why i made sure to include the top| parameter. hopefully these don't move around arbitrarily 🙂

props.conf (on the indexer and search head--honestly not sure which worked)

[ActiveDirectory]
SEDCMD-fixObjectClass = s/top\|otherClass\|/top\|/g
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...