All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

MS Windows AD Objects change objectClass

kmuellercm
Explorer
‎02-03-2020 04:50 PM

I have a unique situation where some of my users have a slightly different objectClass than usual and I'm trying to find a way to mask that so the default searches in the MS AD Objects app work properly

Basically the users are being parsed as objectClass="top|otherClass|person|organizationalPerson|user"

I want to selectively remote otherClass using a transform or props stanza but i'm unable to do so. I've tried the following on the indexer in the windows TA application:
transforms.conf:
[msad_fix_objectClass]
SOURCE_KEY = _raw
REGEX = (?ms).objectClass=(top|)(?:otherClass|)(person|organizationalPerson|user).
FORMAT = objectClass::"$1$2"

props.conf
[ActiveDirectory]
TRANSFORMS-objectClass = msad_fix_objectClass

But it's not working properly. Anyone have ideas?

0 Karma
Reply

kmuellercm
Explorer
‎02-04-2020 07:40 AM

Oh I answered my own question....

I was going about it incorrectly, I needed to use SEDCMD rather than a transform. SEDCMD is also way easier and more straightforward but took a bit to get the syntax correct.

The pipe's in the input were throwing me off, needed to escape them with a backslash

replace top|otherClass|
with just top|
in all locations in the event (g)

s/top\|otherClass\|/top\|/g

Be sure you understand that this applies to _raw so make sure your match is specific and only ever matches that string. this is why i made sure to include the top| parameter. hopefully these don't move around arbitrarily 🙂

props.conf (on the indexer and search head--honestly not sure which worked)

[ActiveDirectory]
SEDCMD-fixObjectClass = s/top\|otherClass\|/top\|/g
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...