Splunk Add-on for Unix and Linux - Request for an ...

lucgnx · ‎07-08-2022

Hello,

I would like to request an improvement in the official unix TA : adding a fields.conf with the following content :

[action]
INDEXED = false
INDEXED_VALUE = false

Indeed for some events, the value filled in the field action doesn't exist in the indexed event, so the search can't find the events. See the following topic

Example :

- command launched : useradd splunky

- event received in Splunk (syslog) : Jul 8 07:21:09 host useradd[4450]: new user: name=splunky, UID=1001, GID=1001, home=/home/splunky, shell=/bin/bash

- applied props.conf : REPORT-account_management_for_syslog = useradd, [...]

- applied transforms.conf :
## Account Management
[useradd]
REGEX = (useradd).*?(?:new (?:user|account))(?:: | (?:added) - )(?:name|account)=([^\,]+),(?:\s)(?:(?:UID|uid)=(\w+),)?(?:\s)(?:(?:GID|gid)=(\w+),)?(?:\s)*(?:home=((?:\/[^\/ ]*)+\/?),)?(?:.*uid=(\d+))?
FORMAT = vendor_action::"added" action::"created" command::$1 object_category::"user" user::$2 change_type::"AAA" object_id::$3 object_path::$5 status::"success" object_attrs::$4 src_user_id::$6

- Splunk query : index=[...] action="created" --> No result.

With the proposed fields.conf, the event is found and displayed in the results

richgalloway · ‎07-08-2022

You can request changes to Splunk products at https://ideas.splunk.com

---
If this reply helps you, Karma would be appreciated.

Splunk Add-on for Unix and Linux - Request for an improvement with fields.conf

configuration

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation