All Apps and Add-ons

MS Windows AD Objects change objectClass


I have a unique situation where some of my users have a slightly different objectClass than usual and I'm trying to find a way to mask that so the default searches in the MS AD Objects app work properly

Basically the users are being parsed as objectClass="top|otherClass|person|organizationalPerson|user"

I want to selectively remote otherClass using a transform or props stanza but i'm unable to do so. I've tried the following on the indexer in the windows TA application:
REGEX = (?ms).objectClass=(top|)(?:otherClass|)(person|organizationalPerson|user).
FORMAT = objectClass::"$1$2"

TRANSFORMS-objectClass = msad_fix_objectClass

But it's not working properly. Anyone have ideas?

0 Karma


Oh I answered my own question....

I was going about it incorrectly, I needed to use SEDCMD rather than a transform. SEDCMD is also way easier and more straightforward but took a bit to get the syntax correct.

The pipe's in the input were throwing me off, needed to escape them with a backslash

replace top|otherClass|
with just top|
in all locations in the event (g)


Be sure you understand that this applies to _raw so make sure your match is specific and only ever matches that string. this is why i made sure to include the top| parameter. hopefully these don't move around arbitrarily 🙂

props.conf (on the indexer and search head--honestly not sure which worked)

SEDCMD-fixObjectClass = s/top\|otherClass\|/top\|/g
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...