All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

MS Windows AD Objects change objectClass

kmuellercm
Explorer
‎02-03-2020 04:50 PM

I have a unique situation where some of my users have a slightly different objectClass than usual and I'm trying to find a way to mask that so the default searches in the MS AD Objects app work properly

Basically the users are being parsed as objectClass="top|otherClass|person|organizationalPerson|user"

I want to selectively remote otherClass using a transform or props stanza but i'm unable to do so. I've tried the following on the indexer in the windows TA application:
transforms.conf:
[msad_fix_objectClass]
SOURCE_KEY = _raw
REGEX = (?ms).objectClass=(top|)(?:otherClass|)(person|organizationalPerson|user).
FORMAT = objectClass::"$1$2"

props.conf
[ActiveDirectory]
TRANSFORMS-objectClass = msad_fix_objectClass

But it's not working properly. Anyone have ideas?

0 Karma
Reply

kmuellercm
Explorer
‎02-04-2020 07:40 AM

Oh I answered my own question....

I was going about it incorrectly, I needed to use SEDCMD rather than a transform. SEDCMD is also way easier and more straightforward but took a bit to get the syntax correct.

The pipe's in the input were throwing me off, needed to escape them with a backslash

replace top|otherClass|
with just top|
in all locations in the event (g)

s/top\|otherClass\|/top\|/g

Be sure you understand that this applies to _raw so make sure your match is specific and only ever matches that string. this is why i made sure to include the top| parameter. hopefully these don't move around arbitrarily 🙂

props.conf (on the indexer and search head--honestly not sure which worked)

[ActiveDirectory]
SEDCMD-fixObjectClass = s/top\|otherClass\|/top\|/g
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...