All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk TA for Password Manager Pro: I've set the sourcetype in the syslog input, but why are fields not being extracted?

alexlomas
Path Finder
‎06-06-2016 02:20 AM

I've set the sourcetype in the syslog input to be 'passman' - events are being ingested, but fields aren't being extracted. The tag of 'account' is being added though. Have I set the wrong type?

0 Karma
Reply

atellez_splunk
Splunk Employee
Splunk Employee
‎06-06-2016 11:17 AM

The TA uses sourcetype pipelines in order to "match" the event to three different types of logs: pmp_resource, pmp_login, pmp_notification. If the fields are failing to extract the syslog output from your appliance might not match the regular expressions found in the TA. An easy way to test this is to copy some logs into a regex editor (regex101.com) and use the EXTRACT regexes to test that the regexes are valid against your logs.

Example for pmp_resource logs:

EXTRACT-passman=(?P<date>\d+\-\d+\-\d+\s\d+\:\d+\:\d+)\s(?P<facility>\w+\.\w+)\s(?P<program>\w+)\s(?P<otherdate>\w+\s\d+\s\d+\:\d+\:\d+)\s(?P<host>\w+)\s(?P<logged_in_username>\S+)\:(?P<src>\S+)\s(?P<operation_type>\S+)\s(?P<operated_time>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)\s(?P<status_of_operation>\w+)\s(?P<pmp_server_name>\S+)\s(?P<dest>\S+)\:(?P<user>\S+)\:(?P<reason>\S+)
Reply

alexlomas
Path Finder
‎06-07-2016 01:03 AM

Thanks - looks like the extracts in the TA no longer match what PMP is sending then.

0 Karma
Reply

knicholson0
Engager
‎03-02-2018 10:29 AM

Yes. I'm on PMP Version: 9.1.0 / Build Number: 9101 and the date format being sent to Syslog is not in a valid ISO 8601 date, such as "2004-05", but rather "Mar 2" [sic]. So much for this statement from Manage Engine "A RFC-3164 compliant Syslog message will be generated and sent to the configured host and port, using the chosen protocol"

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...