Splunk Add-on for Unix and Linux - Request for an ...

lucgnx · ‎07-08-2022

Hello,

I would like to request an improvement in the official unix TA : adding a fields.conf with the following content :

[action]
INDEXED = false
INDEXED_VALUE = false

Indeed for some events, the value filled in the field action doesn't exist in the indexed event, so the search can't find the events. See the following topic

Example :

- command launched : useradd splunky

- event received in Splunk (syslog) : Jul 8 07:21:09 host useradd[4450]: new user: name=splunky, UID=1001, GID=1001, home=/home/splunky, shell=/bin/bash

- applied props.conf : REPORT-account_management_for_syslog = useradd, [...]

- applied transforms.conf :
## Account Management
[useradd]
REGEX = (useradd).*?(?:new (?:user|account))(?:: | (?:added) - )(?:name|account)=([^\,]+),(?:\s)(?:(?:UID|uid)=(\w+),)?(?:\s)(?:(?:GID|gid)=(\w+),)?(?:\s)*(?:home=((?:\/[^\/ ]*)+\/?),)?(?:.*uid=(\d+))?
FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"user" user::$2 change_type::"AAA" object_id::$3 object_path::$5 status::"success" object_attrs::$4 src_user_id::$6

- Splunk query : index=[...] action="created" --> No result.

With the proposed fields.conf, the event is found and displayed in the results

richgalloway · ‎07-08-2022

You can request changes to Splunk products at https://ideas.splunk.com

---
If this reply helps you, Karma would be appreciated.

Splunk Add-on for Unix and Linux - Request for an improvement with fields.conf

configuration

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...