Splunk for Exchange.

jgoddard
Path Finder

I have some "invalid key-value parser" warnings coming from the Exchange app; I am pretty sure these are left over from the ForeFront bits that were removed. Is this correct?

I see in default/props.conf:
[WinEventLog:Application]
FIELDALIAS-msgid = Message_ID AS message_id
REPORT-applog = extract_transport, extract_incident, extract_virusname, extract_engines

But the only transforms.conf entry is for extract_webapp, which is used in the IIS sections of props.

Am I misunderstanding something, or should I just make a local copy of that props and comment out the report line?

0 Karma

t9445
Path Finder

Hi, by any chance can someone please supply the transform statement for extract_transport? It is still missing in the current (v6) version as well. I have commented it out for now, but I am hoping to correct it if possible, please.

0 Karma

skylasam_splunk
Splunk Employee

Ah, I see now. You have a fair point. There are references in props.conf that don’t have stanzas defined in transforms.conf. For now, you can either ignore these errors or remove the references to extract_incident, extract_virusname and extract_engines from props.conf.
I've also filed a bug to fix this issue in the next version of the exchange app.

0 Karma
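An added example, not code from the app or from anyone in this thread: a Python check that parses a props.conf and a transforms.conf, lists every REPORT-/TRANSFORMS- reference with no matching stanza (the cause of the "Invalid key-value parser" warnings above), and builds the trimmed value you would put in a local/props.conf override. The sample config text and the [iis_placeholder] stanza name are constructed from the snippets quoted in this thread.

```python
"""Find props.conf REPORT-/TRANSFORMS- references with no transforms.conf stanza."""
import configparser
import re
from typing import Dict, List, Set

# props.conf keys whose value is a comma-separated list of transforms.conf stanzas.
REFERENCING_KEYS = re.compile(r"^(REPORT|TRANSFORMS)-", re.IGNORECASE)

# Constructed sample input, based on the snippets quoted in the thread.
PROPS_CONF = """[WinEventLog:Application]
FIELDALIAS-msgid = Message_ID AS message_id
REPORT-applog = extract_transport, extract_incident, extract_virusname, extract_engines

[iis_placeholder]
REPORT-webapp = extract_webapp
"""
TRANSFORMS_CONF = """[extract_webapp]
SOURCE_KEY = cs_uri_stem
"""


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style .conf text, keeping key case and ignoring '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep REPORT-applog, not report-applog
    cp.read_string(text)
    return cp


def dangling_transforms(props_text: str, transforms_text: str) -> Dict[str, List[str]]:
    """Return {'[stanza] key': [missing transform names]} for unresolved references."""
    props = load_conf(props_text)
    defined: Set[str] = set(load_conf(transforms_text).sections())
    missing: Dict[str, List[str]] = {}
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not REFERENCING_KEYS.match(key):
                continue
            names = [n.strip() for n in value.split(",") if n.strip()]
            gone = [n for n in names if n not in defined]
            if gone:
                missing[f"[{stanza}] {key}"] = gone
    return missing


def fixed_report_value(value: str, defined: Set[str]) -> str:
    """Keep only the references that resolve (value for a local/props.conf override)."""
    return ", ".join(n.strip() for n in value.split(",") if n.strip() in defined)


if __name__ == "__main__":
    for ref, names in dangling_transforms(PROPS_CONF, TRANSFORMS_CONF).items():
        print(f"{ref} references undefined transforms: {', '.join(names)}")
```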

skylasam_splunk
Splunk Employee

It definitely looks like you're not picking up the correct app contents for some reason. I just downloaded the app from Splunkbase (v2.1.0) and I see the following in the contents of etc\apps\Splunk_for_Exchange\default\transforms.conf.

[exch_audit_user_extraction]
SOURCE_KEY = Accessing_User
REGEX = /cn=Recipients/cn=(?.*)

[AdminAudit_ExtractParam]
REGEX = Param="(?[^"]*)"
MV_ADD = true

[AdminAudit_ExtractError]
REGEX = Error="(?[^"]*)"
MV_ADD = true

[ignore_comments]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

[extract_webapp]
SOURCE_KEY = cs_uri_stem
REGEX = ^/(?[^/]+)

[mswin_2003_iis_fields]
FIELDS = "date","time","s_sitename","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_user_agent","sc_status","sc_substatus","sc_win32_status"
DELIMS = " "

[mswin_2008r2_iis_fields]
FIELDS = "date","time","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_user_agent","sc_status","sc_substatus","sc_win32_status","time_taken"
DELIMS = " "

[mswin_2012_iis_fields]
FIELDS = "date","time","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_user_agent","cs_referer","sc_status","sc_substatus","sc_win32_status","time_taken"
DELIMS = " "

[useragent]
external_cmd = useragent.py cs_user_agent os osvariant osversion browser browserversion
external_type = python
fields_list = cs_user_agent,os,osvariant,osversion,browser,browserversion

[ad_username]
external_cmd = ad_username.py cs_username user_subject
external_type = python
fields_list = cs_username user_subject

[ExchangeVersion]
filename = exchange-version.csv
max_matches = 1

[hostInformation]
filename = hostInformation.csv
max_matches = 1

[dbInformation]
filename = dbInformation.csv
max_matches = 1

[msexchange2007msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info"
DELIMS = ,

[msexchange2010msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info","directionality","tenant_id","original_client_ip","original_server_ip","custom_data"
DELIMS = ,

[msexchange2013msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","network_message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info","directionality","tenant_id","original_client_ip","original_server_ip","custom_data"
DELIMS = ,

[msgtrack-recipient]
SOURCE_KEY = recipient
REGEX = (?[^@]+)@(?[^\s]*)

[msgtrack-recipients]
SOURCE_KEY = recipients
REGEX = (?[^;]+);*
MV_ADD = true

[msgtrack-sender]
SOURCE_KEY = sender
REGEX = (?[^@]+)@(?[^\s]*)

[msexch07-trace]
FIELDS = "date_time","connector_id","session_id","sequence_no","local_endpoint","remote_endpoint","event","data","context"
DELIMS = ,

[msexch10-trace]
FIELDS = "date_time","session_id","sequence_no","local_endpoint","remote_endpoint","User","duration","rqsize","rpsize","command","parameters","context"
DELIMS = ,

[pop-legacyid]
SOURCE_KEY = legacyId
REGEX = ./cn=Recipients/cn=(?.)

[pop-context]
SOURCE_KEY = context
REGEX = User (?[^ ]+) Server name (?[^,]+), version (?[^,]+), legacyId (?.*)

[pop-remoteip]
SOURCE_KEY = remote_endpoint
REGEX = (?[^:]+):

0 Karma

jgoddard
Path Finder

Exactly. And in default/props.conf you see:
[WinEventLog:Application]
FIELDALIAS-msgid = Message_ID AS message_id
REPORT-applog = extract_transport, extract_incident, extract_virusname, extract_engines

Splunk is complaining with:
05-03-2013 20:29:04.875 +0000 WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='extract_transport'
05-03-2013 20:29:04.876 +0000 WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='extract_incident'

Perhaps these are harmless, but they are certainly ugly.

0 Karma

ahall_splunk
Splunk Employee

You have a corrupt install of the Splunk App for Exchange. I'd suggest wiping out the default directory and replacing it with a freshly downloaded one from Splunkbase.

0 Karma

jgoddard
Path Finder

I definitely do not have a corrupted tarball of the Exchange app. I just checked again, and in the freshly downloaded and extracted Splunk_for_Exchange app, I see the same missing extracts.

The only transform defined in the app is the extract_webapp. The extract_transport, extract_incident, extract_virusname, and extract_engines transforms do NOT exist in any of the addons nor the main app.

0 Karma