Just wondering if anybody has the issue whereby, when you look at your event data in fields such as Account_Name, Account_Domain, etc., it treats the "-" as a valid account_name or account_domain. I have a huge number of domains showing up as "-".
When I looked at the regex in the TA, it has the following:
[New_Domain_as_dest_nt_domain]
SOURCE_KEY = New_Domain
REGEX = (.+)
FORMAT = dest_nt_domain::"$1"
So if the line matches anything, even a "-", it shows up.
So now my domain name looks like this (including the newline):
dest_nt_domain = "-
DOMAIN"
Wouldn't a better regex be something like this?
.+[^$-]
It seems that it must be a bug. Has anyone else experienced this?
This is just one of the problems I had with the Splunk_TA_windows, so I decided to make my own Windows app. All of the *_as_dest_nt_domain regexes are incorrect, and the "wel-col-kv" regex is incorrect as well. This is what I have now in my transforms.conf:
# The default regex for the 10 *_as_dest_nt_domain stanzas below is not correct for EventCodes that have more than one Account_Domain field.
# The Target Domain is always the second field; in the case of two fields, the default regex takes everything and not just the last one.
# (?:.*\s)?(.*) keeps only the last whitespace-separated value, in group 1. The regex as originally posted,
# [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*), put a single-value domain (no whitespace) into group 2, which FORMAT's $1 never references,
# so single-domain events lost dest_nt_domain entirely.
[Target_Domain_as_dest_nt_domain]
SOURCE_KEY = Target_Domain
REGEX = (?:.*\s)?(.*)
FORMAT = dest_nt_domain::"$1"
[Primary_Domain_as_dest_nt_domain]
SOURCE_KEY = Primary_Domain
REGEX = (?:.*\s)?(.*)
FORMAT = dest_nt_domain::"$1"
[Group_Domain_as_dest_nt_domain]
SOURCE_KEY = Group_Domain
REGEX = (?:.*\s)?(.*)
FORMAT = dest_nt_domain::"$1"
[Account_Domain_as_dest_nt_domain]
SOURCE_KEY = Account_Domain
REGEX = (?:.*\s)?(.*)
FORMAT = dest_nt_domain::"$1"
[New_Domain_as_dest_nt_domain]
SOURCE_KEY = New_Domain
REGEX = (?:.*\s)?(.*)
FORMAT = dest_nt_domain::"$1"
[Domain_as_dest_nt_domain]
SOURCE_KEY = Domain
REGEX = (?:.*\s)?(.*)
FORMAT = dest_nt_domain::"$1"
[User_ID_as_dest_nt_domain]
SOURCE_KEY = User_ID
REGEX = (?:.*\s)?(.*)
FORMAT = dest_nt_domain::"$1"
[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (?:.*\s)?(.*)
FORMAT = dest_nt_domain::"$1"
[Supplied_Realm_Name_as_dest_nt_domain]
SOURCE_KEY = Supplied_Realm_Name
REGEX = (?:.*\s)?(.*)
FORMAT = dest_nt_domain::"$1"
[Target_Account_ID_as_dest_nt_domain]
SOURCE_KEY = Target_Account_ID
REGEX = (?:.*\s)?(.*)
FORMAT = dest_nt_domain::"$1"
# For some reason there isn't always a "-" in an empty field, and in those cases the value of that field is filled with the name of the next field.
# Example: dest_nt_domain = "Failure Information:" (EventCode 4625)
# To prevent that, the wel-col-kv regex (splunk/etc/system/default/transforms.conf) needs to be changed:
[wel-col-kv]
REGEX = (?=\w)([^:\n\r]+):[ \t]*(?![\n\t])([^\n\t]*)
It's not an answer to your question, but if you have problems with "-" in fields and don't want to deal with the config, you can try other solutions:
eval Account_Name=mvindex(Account_Name,0)
or
eval Account_Name=mvfilter(Account_Name!="-")
Hi Domenico,
The regex mentioned above would fail to extract a trailing "-" if one is encountered in the value. For example, if the value is "abc-" it would only extract "abc". Instead, we can try the regex below, which rejects only "-" and accepts all other values:
((?!^-$)(.*))
Thanks,
Chandni
I've added a link to this to another bug about this regular expression. Thanks!
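To see what the regexes in this thread actually produce, here is an added example that is not part of any post above. It runs the TA default `(.+)`, the regex from the posted transforms.conf, the regex from the last reply, and one further variant, `(?:.*\s)?(.*)`, which is this example's own suggestion rather than anything posted, over constructed Account_Domain values, and runs the posted wel-col-kv regex over a constructed 4625 message body. Python's `re` stands in for Splunk's PCRE engine, the sample values are constructed, and the rule that a field is only created when `$1` is non-empty is a simplifying assumption about how a REPORT stanza with `FORMAT = dest_nt_domain::"$1"` behaves.

```python
"""Model of the dest_nt_domain extraction discussed in this thread.

Python's re module stands in for Splunk's PCRE engine; the "field exists only
when $1 is non-empty" rule is a simplifying assumption. All sample values are
constructed for this example."""
import re
from typing import Dict, Optional

# Constructed Account_Domain SOURCE_KEY values. As in the question, the two
# Account_Domain values of a logon event are joined with a newline, so the
# Subject domain ("-") comes first and the Target domain second.
SAMPLES: Dict[str, str] = {
    "two_fields": "-\nCORP",   # Subject: -, Target: CORP
    "single_field": "CORP",    # event carries only one Account_Domain
    "dash_only": "-",          # empty field rendered as "-"
    "trailing_dash": "abc-",   # the edge case raised in the last reply
}

RULES: Dict[str, str] = {
    # Splunk_TA_windows default quoted in the question: matches anything.
    "ta_default": r"(.+)",
    # Regex from the posted transforms.conf, used with FORMAT $1.
    "posted": r"[\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)",
    # This example's variant: keep the last whitespace-separated value in group 1.
    "last_value": r"(?:.*\s)?(.*)",
    # Regex suggested in the last reply.
    "last_reply": r"((?!^-$)(.*))",
}


def extract_dest_nt_domain(source_value: str, regex: str) -> Optional[str]:
    """Return the value FORMAT $1 would produce, or None if no field would be set."""
    m = re.search(regex, source_value)
    if m is None or not m.group(1):
        return None
    return m.group(1)


def compare_rules() -> Dict[str, Dict[str, Optional[str]]]:
    """Apply every rule to every sample: {rule: {sample: dest_nt_domain}}."""
    return {
        rule: {name: extract_dest_nt_domain(value, regex) for name, value in SAMPLES.items()}
        for rule, regex in RULES.items()
    }


# The wel-col-kv regex from the posted transforms.conf: a key whose value is
# empty (only tabs/newline after the colon) yields no match at all instead of
# swallowing the next heading as its value.
WEL_COL_KV = re.compile(r"(?=\w)([^:\n\r]+):[ \t]*(?![\n\t])([^\n\t]*)")

# Constructed fragment of a 4625 message body with an empty Account Domain.
EVENT_4625 = (
    "Account For Which Logon Failed:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\tbob\n"
    "\tAccount Domain:\t\t\n"
    "Failure Information:\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\n"
)


def parse_wel_kv(text: str) -> Dict[str, str]:
    """Key/value pairs the wel-col-kv regex yields for a message body."""
    return {key.strip(): value for key, value in WEL_COL_KV.findall(text)}


if __name__ == "__main__":
    for rule, results in compare_rules().items():
        print(f"{rule:12s} {results}")
    print(parse_wel_kv(EVENT_4625))
```

Running it shows the question's symptom (`(.+)` yields "-" for the two-field value), that the posted alternation leaves `$1` empty for a single-value domain because the match lands in group 2, and that the empty "Account Domain" line produces no key/value pair under the posted wel-col-kv regex, so "Failure Information:" is never picked up as a domain.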