
Possible bug: some field extractions of the Splunk Add-on for Windows are not processed


Hi,

I have found a strange behaviour in the Splunk Add-on for Windows: it contains some transformations, used to extract CIM-compliant fields, which are not correctly processed. After some analysis, I found out that all the transforms which include a REGEX ending with an escaped backslash are not processed correctly.

For instance, this transformation is not processed at search time:

[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (.+)\\
FORMAT = dest_nt_domain::"$1"

In addition, when I try to edit these transformations using the GUI, I see that the existing REGEX is read by Splunk as:

(.+)\\FORMAT = dest_nt_domain::"$1"

In my opinion, something is going wrong when Splunk is parsing a regex ending with an escaped backslash.

Has anybody encountered the same problem? I am using Splunk 6.2.0 and SplunkTAwindows 4.7.4 (but I see the same regex in transforms.conf of SplunkTAwindows 4.7.5).

At present, as a workaround, I have created a "transforms.conf" in SplunkTAwindows/local, overriding the transforms which use regular expressions ending with an escaped backslash. I rewrite the REGEX, enclosing the ending backslash in square brackets.

For instance, the above mentioned transformation becomes:

[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (.+)[\\]
FORMAT = dest_nt_domain::"$1"
1 Solution

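The symptom reported above (the GUI showing the REGEX value as `(.+)\\FORMAT = dest_nt_domain::"$1"`, i.e. the next setting glued onto the regex) is what you would get if the .conf reader treated a physical line ending in a backslash as a continuation of the setting onto the following line. That reading is my own and is not confirmed anywhere in the thread; Splunk .conf files do allow a trailing backslash to continue a setting, but whether that is what happens here is an assumption. The following script is an added example, not code from the post or from the add-on: it models such a reader, runs the two stanzas from the post through it, applies the transform to a constructed `Security_ID` value, and includes a small check you can run over a TA's transforms.conf to list every setting whose line ends in a backslash.

```python
import re

# Constructed copies of the two stanzas shown in the post: the one shipped in
# the add-on (REGEX line ends in an escaped backslash) and the workaround.
ORIGINAL_STANZA = r'''[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (.+)\\
FORMAT = dest_nt_domain::"$1"
'''

WORKAROUND_STANZA = r'''[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (.+)[\\]
FORMAT = dest_nt_domain::"$1"
'''


def read_conf(text):
    """Minimal .conf reader modelling the behaviour seen in the post.

    Assumption (my reading, not stated in the thread): a physical line that
    ends in a backslash is joined with the next physical line before the
    'key = value' split, the way Splunk .conf files let a setting continue
    over several lines. Nothing is stripped when joining, which reproduces
    the value the GUI displayed for REGEX.
    """
    stanzas, stanza, pending = {}, None, None

    def consume(logical):
        nonlocal stanza
        s = logical.strip()
        if not s or s.startswith("#"):
            return
        if s.startswith("[") and s.endswith("]"):
            stanza = s[1:-1]
            stanzas.setdefault(stanza, {})
            return
        key, _, value = s.partition("=")
        stanzas.setdefault(stanza, {})[key.strip()] = value.strip()

    for physical in text.splitlines():
        line = physical if pending is None else pending + physical
        if line.endswith("\\"):
            pending = line          # continuation: keep collecting
            continue
        pending = None
        consume(line)
    if pending is not None:         # file ended while a continuation was open
        consume(pending)
    return stanzas


def apply_transform(settings, source_value):
    """Run one search-time transform as the post describes it: REGEX over the
    SOURCE_KEY value, FORMAT 'field::"$N"' naming the output field."""
    regex, fmt = settings.get("REGEX"), settings.get("FORMAT")
    if regex is None or fmt is None:
        return None                 # incomplete stanza: nothing is extracted
    m = re.search(regex, source_value)
    if m is None:
        return None
    field, _, template = fmt.partition("::")
    value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))),
                   template.strip('"'))
    return {field.strip(): value}


def settings_ending_in_backslash(text):
    """Check to run over a TA's transforms.conf: list (stanza, key) pairs whose
    physical line ends in a backslash, i.e. the stanzas worth overriding."""
    hits, stanza = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            stanza = s[1:-1]
        elif "=" in s and s.endswith("\\"):
            hits.append((stanza, s.split("=", 1)[0].strip()))
    return hits


if __name__ == "__main__":
    sample = r"CORP\jdoe"           # constructed Security_ID value: DOMAIN\user
    for label, text in (("shipped", ORIGINAL_STANZA),
                        ("workaround", WORKAROUND_STANZA)):
        stanza = read_conf(text)["Security_ID_as_dest_nt_domain"]
        print(label, "REGEX as read:", stanza.get("REGEX"))
        print(label, "extracted:", apply_transform(stanza, sample))
    print("settings to override:", settings_ending_in_backslash(ORIGINAL_STANZA))
```

With the shipped stanza the reader never sees a FORMAT key at all, so the transform cannot produce `dest_nt_domain`; with the workaround the REGEX line ends in `]`, both keys are read, and `CORP\jdoe` yields `dest_nt_domain=CORP`. Point `settings_ending_in_backslash` at the add-on's default/transforms.conf to find every stanza that needs the same override in local/.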

Actually the workaround seems to work correctly: in recent weeks I have not had any problems with the extractions. However, I submitted a "bug report" to Splunk.

I think this question can be closed, considering the workaround as the solution.
