Splunk Add-on for Microsoft Windows: Has anyone else had an issue with the regex for domain account names matching the "-" symbol?

domenico_perre
Path Finder

Just wondering if anybody has the issue whereby, when you look at your event data, fields such as the following

Account_Name
Account_Domain
etc.

have the - picked up as a valid Account_Name or Account_Domain. I have a huge number of domains showing up as -.

When I looked at the regex in the TA, it has the following.

[New_Domain_as_dest_nt_domain]
SOURCE_KEY = New_Domain
REGEX = (.+)
FORMAT = dest_nt_domain::"$1"

So if the line matches anything, even a -, it shows up.

So now my domain name looks like this (including new line)

dest_nt_domain = "-
DOMAIN"

Wouldn't a better regex be something like this?
.+[^$-]

It seems that it must be a bug. Anyone else experience this?

0 Karma

aholzel
Communicator

This is just one of the problems I had with the Splunk_TA_windows... so I decided to make my own Windows app... all of the *as_dest_nt_domain regexes are incorrect, and the "wel-col-kv" regex is also incorrect. This is what I have now in my transforms.conf:

# The default regex for the 10 *_as_dest_nt_domain stanzas below is not correct for EventCodes that have more than one Account_Domain field.
# The Target Domain is always the second field; in the case of two fields the default regex takes everything and not just the last one.
[Target_Domain_as_dest_nt_domain]
SOURCE_KEY = Target_Domain
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Primary_Domain_as_dest_nt_domain]
SOURCE_KEY = Primary_Domain
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Group_Domain_as_dest_nt_domain]
SOURCE_KEY = Group_Domain
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Account_Domain_as_dest_nt_domain]
SOURCE_KEY = Account_Domain
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[New_Domain_as_dest_nt_domain]
SOURCE_KEY = New_Domain
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Domain_as_dest_nt_domain]
SOURCE_KEY = Domain
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[User_ID_as_dest_nt_domain]
SOURCE_KEY = User_ID
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Supplied_Realm_Name_as_dest_nt_domain]
SOURCE_KEY = Supplied_Realm_Name
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Target_Account_ID_as_dest_nt_domain]
SOURCE_KEY = Target_Account_ID
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

# For some reason there isn't always a "-" in an empty field, and in those cases the value of that field is filled with the name of the next field.
# Example: dest_nt_domain = "Failure Information:" (EventCode 4625)
# To prevent that, the wel-col-kv regex (splunk/etc/system/default/transforms.conf) needs to be changed.
[wel-col-kv]
REGEX = (?=\w)([^:\n\r]+):[ \t]*(?![\n\t])([^\n\t]*)

0 Karma

test_qweqwe
Builder

It's not an answer to your question, but if someone has problems with "-" in fields and you don't want to deal with config, you can try other solutions:
eval Account_Name=mvindex(Account_Name,0)
or
eval Account_Name=mvfilter(Account_Name!="-")

0 Karma

Chandni_Bhatia
Engager

Hi Domenico,

The regex mentioned above would fail to extract a trailing "-" if encountered in the value. For example, if the value is "abc-" it would only extract "abc". Instead, we can try the regex below, which would only neglect "-" and accept all other values:
((?!^-$)(.*))

Thanks,
Chandni

0 Karma
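The regexes quoted in this thread (the TA default, the `.+[^$-]` proposal in the question, the `*_as_dest_nt_domain` and `wel-col-kv` patterns from aholzel's transforms.conf, and Chandni's `((?!^-$)(.*))`) behave quite differently on values like "-", "abc-" and "- DOMAIN". The script below is an added example, not code from any of the posters or from the Splunk add-on: it runs each pattern with Python's re module over constructed sample values and reports what `$1` would hold. Assumptions: Splunk evaluates these patterns with PCRE, and for these particular patterns Python's re gives the same matches; the `.+[^$-]` proposal is wrapped in a capture group so that `$1` exists; and `re.findall` is used as an approximation of Splunk's repeated key/value matching for `wel-col-kv`. The 4625 message fragment is constructed for the example.

```python
import re

# Patterns copied verbatim from the posts above (OP_PROPOSAL is wrapped in a group here).
TA_DEFAULT = r"(.+)"                                          # New_Domain_as_dest_nt_domain in the TA
OP_PROPOSAL = r"(.+[^$-])"                                    # the question's ".+[^$-]", grouped
AHOLZEL = r"[\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)"              # aholzel's *_as_dest_nt_domain regex
CHANDNI = r"((?!^-$)(.*))"                                    # Chandni's regex
WEL_COL_KV = r"(?=\w)([^:\n\r]+):[ \t]*(?![\n\t])([^\n\t]*)"  # aholzel's wel-col-kv regex

PATTERNS = {"TA default": TA_DEFAULT, "OP proposal": OP_PROPOSAL,
            "aholzel": AHOLZEL, "Chandni": CHANDNI}

# Constructed sample values for a *_Domain source field.
SAMPLE_VALUES = ["-", "DOMAIN", "abc-", "- DOMAIN", "NT AUTHORITY CORP"]


def capture_groups(pattern, value):
    """Return the tuple of capture groups of the first (unanchored) match, or None."""
    m = re.search(pattern, value)
    return m.groups() if m else None


def dollar1(pattern, value):
    """Mimic FORMAT = dest_nt_domain::"$1": the text of group 1, or None when the
    pattern does not match or group 1 did not participate in the match (for the
    aholzel pattern the second alternative captures into group 2, not group 1)."""
    groups = capture_groups(pattern, value)
    return None if groups is None else groups[0]


def comparison_table():
    """One row per sample value: what $1 would be under each pattern."""
    return [{"value": v, **{name: dollar1(p, v) for name, p in PATTERNS.items()}}
            for v in SAMPLE_VALUES]


# Constructed fragment of an EventCode 4625 message body with an empty Account Domain.
SAMPLE_4625 = (
    "Account For Which Logon Failed:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\tbob\n"
    "\tAccount Domain:\t\t\n"
    "Failure Information:\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\n"
)


def kv_extract(pattern, text):
    """Apply a key/value regex repeatedly over the message text (assumed to
    approximate Splunk's repeated matching) and return {key: value}."""
    return {key.strip(): value for key, value in re.findall(pattern, text)}


if __name__ == "__main__":
    for row in comparison_table():
        print(row)
    # With aholzel's wel-col-kv the (?![\n\t]) lookahead refuses to start a value at
    # a line break, so the empty "Account Domain" line yields no match at all instead
    # of swallowing the "Failure Information:" header as its value.
    print(kv_extract(WEL_COL_KV, SAMPLE_4625))
```

Running it shows the three behaviours discussed in the thread: the TA default returns "-" unchanged, the `.+[^$-]` proposal drops the trailing character of "abc-" and fails outright on a lone "-", and Chandni's pattern matches an empty string for "-" while keeping "abc-" whole. For the aholzel pattern, `$1` is only populated when the value contains whitespace (the second alternative fills group 2), which is worth checking against your own events before adopting it.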

jcoates_splunk
Splunk Employee

I've added a link to this onto another bug about this regular expression. Thanks!

0 Karma