All Apps and Add-ons

Splunk Add-on for Unix and Linux - Request for an improvement with fields.conf

New Member


I would like to request an improvement in the official unix TA : adding a fields.conf with the following content :

INDEXED = false

Indeed for some events, the value filled in the field action doesn't exist in the indexed event, so the search can't find the events. See the following topic 

Example :

- command launched : useradd splunky

- event received in Splunk (syslog) : Jul  8 07:21:09 host useradd[4450]: new user: name=splunky, UID=1001, GID=1001, home=/home/splunky, shell=/bin/bash

- applied props.conf : REPORT-account_management_for_syslog = useradd, [...]

- applied transforms.conf : 
## Account Management
REGEX = (useradd).*?(?:new (?:user|account))(?:: | (?:added) - )(?:name|account)=([^\,]+),(?:\s)(?:(?:UID|uid)=(\w+),)?(?:\s)(?:(?:GID|gid)=(\w+),)?(?:\s)*(?:home=((?:\/[^\/ ]*)+\/?),)?(?:.*uid=(\d+))?
FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"user" user::$2 change_type::"AAA" object_id::$3 object_path::$5 status::"success" object_attrs::$4 src_user_id::$6

- Splunk query : index=[...] action="created"  --> No result.

With the proposed fields.conf, the event is found and displayed in the results

Labels (1)
Tags (2)
0 Karma


You can request changes to Splunk products at

If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...