All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parsing AWS Managed Active Directory logs

sun1000
Path Finder
‎08-17-2021 09:42 PM

Hi Team,

Need help in parsing AWS Managed Active Directory

AD Team is writing logs to cloudwatch, and we have Splunk Addon for AWS which consumes these logs through Kinesis stream. 
I have props config to convert the logs to xmlwineventlog sourcetype after which data is parsed but not all the fields. I want the addon to parse using the source [xmlwineventlog:security] but that is not happening,

 

Here is my props config

[source://*securitylogs]
Transforms-Index=override_st_props,override_source_props

And transforms as below

[override_st_props]
REGEX=.
FORMAT = sourcetype::xmlwineventlog
DEST_KEY = MetaData:Sourcetype

[override_source_props]
REGEX = .
FORMAT = source::xmlwineventlog:security
DEST_KEY = MetaData:Source

It is getting changed on sourcetype and source, but parsing is happening based on sourcetype as per windows addon and not on source

Hope i made it clear, please help

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...