I have some "invalid key-value parser" warnings coming from the exchange app, I am pretty sure these are left over from the ForeFront bits that were removed. Is this correct?
I see in default/props.conf:
[WinEventLog:Application]
FIELDALIAS-msgid = Message_ID AS message_id
REPORT-applog = extract_transport, extract_incident, extract_virusname, extract_engines
But the only transforms.conf entry is for extract_webapp, which is used in the IIS sections of props.
Am I misunderstanding something, or should I just make a local copy of that props and comment out the report line?
Hi, by any chance can someone please supply the transform statement for extract_transport? It is still missing in the current (v6) version as well. I have commented it out for now, but I am hoping to correct it if possible.
Ah, I see now. You have a fair point. There are references in props.conf that don’t have stanzas defined in transforms.conf. For now, you can ignore either these errors or alternatively remove the references to extract_incident, extract_virusname, extract_engines from props.conf.
I've also filed a bug to fix this issue in the next version of the exchange app.
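As an added example (not code from this thread or from the Splunk App for Exchange), the following Python script checks for exactly the condition described above: REPORT- or TRANSFORMS- attributes in props.conf that name a stanza no transforms.conf defines. It models Splunk's layering, where local/ overrides default/ attribute by attribute, so you can confirm that a local override clears the dangling references before you restart. The stanzas embedded below are a constructed sample that reproduces the app's broken [WinEventLog:Application] entry plus one valid reference; the extract_webapp regex and its capture-group name are assumed for illustration, and whether an empty REPORT- value in local/ disables the extraction on your Splunk version is something to confirm on your instance.

```python
import configparser

# Constructed sample of the relevant stanzas (not the full app files).
DEFAULT_PROPS = """
[WinEventLog:Application]
FIELDALIAS-msgid = Message_ID AS message_id
REPORT-applog = extract_transport, extract_incident, extract_virusname, extract_engines

[iis]
REPORT-webapp = extract_webapp
"""

# Only extract_webapp exists; the four applog transforms do not.
# The regex below is assumed for illustration, not copied from the app.
DEFAULT_TRANSFORMS = """
[extract_webapp]
SOURCE_KEY = cs_uri_stem
REGEX = ^/(?<webapp>[^/]+)
"""

# Hypothetical local/props.conf that blanks out the broken REPORT- attribute.
LOCAL_PROPS = """
[WinEventLog:Application]
REPORT-applog =
"""

# props.conf attribute prefixes that reference transforms.conf stanzas.
REF_PREFIXES = ("REPORT-", "TRANSFORMS-")


def load_conf(text):
    """Parse Splunk-style .conf text into {stanza: {attribute: value}}."""
    cp = configparser.ConfigParser(
        interpolation=None,   # values contain '%' and regex metacharacters
        delimiters=("=",),    # Splunk never uses ':' as a key/value separator
        strict=False,         # tolerate duplicate stanzas/attributes
    )
    cp.optionxform = str      # keep attribute case (REPORT- is case-sensitive)
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_layers(*layers):
    """Merge conf layers in precedence order: later layers win per attribute."""
    merged = {}
    for layer in layers:
        for stanza, attrs in layer.items():
            merged.setdefault(stanza, {}).update(attrs)
    return merged


def referenced_transforms(props):
    """Yield (stanza, attribute, transform_name) for every REPORT-/TRANSFORMS- entry."""
    refs = []
    for stanza, attrs in props.items():
        for key, value in attrs.items():
            if key.startswith(REF_PREFIXES):
                for name in value.split(","):
                    name = name.strip()
                    if name:  # an emptied attribute references nothing
                        refs.append((stanza, key, name))
    return refs


def dangling_transforms(props, transforms):
    """Return references whose transform stanza is not defined anywhere."""
    return [ref for ref in referenced_transforms(props) if ref[2] not in transforms]


def check(default_props, default_transforms, local_props="", local_transforms=""):
    """Apply default/ then local/ layering and report dangling transform references."""
    props = merge_layers(load_conf(default_props), load_conf(local_props))
    transforms = merge_layers(load_conf(default_transforms), load_conf(local_transforms))
    return dangling_transforms(props, transforms)


if __name__ == "__main__":
    for stanza, key, name in check(DEFAULT_PROPS, DEFAULT_TRANSFORMS):
        print(f"[{stanza}] {key} references undefined transform '{name}'")
    print("after local override:", check(DEFAULT_PROPS, DEFAULT_TRANSFORMS, LOCAL_PROPS))
```

Run it as-is to see the four undefined names that match the warnings, then point load_conf at the real default/props.conf and default/transforms.conf under etc/apps/Splunk_for_Exchange to check an installed copy. Keep the override in local/ rather than editing default/, since an app upgrade replaces the default directory.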
It definitely looks like you're not picking up the correct app contents for some reason. I just downloaded the app from Splunkbase (v2.1.0) and I see the following in the contents of etc\apps\Splunk_for_Exchange\default\transforms.conf.
[exch_audit_user_extraction]
SOURCE_KEY = Accessing_User
REGEX = /cn=Recipients/cn=(?
[AdminAudit_ExtractParam]
REGEX = Param="(?
MV_ADD = true
[AdminAudit_ExtractError]
REGEX = Error="(?
MV_ADD = true
[ignore_comments]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue
[extract_webapp]
SOURCE_KEY = cs_uri_stem
REGEX = ^/(?
[mswin_2003_iis_fields]
FIELDS = "date","time","s_sitename","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_user_agent","sc_status","sc_substatus","sc_win32_status"
DELIMS = " "
[mswin_2008r2_iis_fields]
FIELDS = "date","time","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_user_agent","sc_status","sc_substatus","sc_win32_status","time_taken"
DELIMS = " "
[mswin_2012_iis_fields]
FIELDS = "date","time","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_user_agent","cs_referer","sc_status","sc_substatus","sc_win32_status","time_taken"
DELIMS = " "
[useragent]
external_cmd = useragent.py cs_user_agent os osvariant osversion browser browserversion
external_type = python
fields_list = cs_user_agent,os,osvariant,osversion,browser,browserversion
[ad_username]
external_cmd = ad_username.py cs_username user_subject
external_type = python
fields_list = cs_username user_subject
[ExchangeVersion]
filename = exchange-version.csv
max_matches = 1
[hostInformation]
filename = hostInformation.csv
max_matches = 1
[dbInformation]
filename = dbInformation.csv
max_matches = 1
[msexchange2007msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info"
DELIMS = ,
[msexchange2010msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info","directionality","tenant_id","original_client_ip","original_server_ip","custom_data"
DELIMS = ,
[msexchange2013msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","network_message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info","directionality","tenant_id","original_client_ip","original_server_ip","custom_data"
DELIMS = ,
[msgtrack-recipient]
SOURCE_KEY = recipient
REGEX = (?
[msgtrack-recipients]
SOURCE_KEY = recipients
REGEX=(?
MV_ADD = true
[msgtrack-sender]
SOURCE_KEY = sender
REGEX = (?
[msexch07-trace]
FIELDS = "date_time","connector_id","session_id","sequence_no","local_endpoint","remote_endpoint","event","data","context"
DELIMS = ,
[msexch10-trace]
FIELDS = "date_time","session_id","sequence_no","local_endpoint","remote_endpoint","User","duration","rqsize","rpsize","command","parameters","context"
DELIMS = ,
[pop-legacyid]
SOURCE_KEY = legacyId
REGEX = ./cn=Recipients/cn=(?
[pop-context]
SOURCE_KEY = context
REGEX = User (?
[pop-remoteip]
SOURCE_KEY = remote_endpoint
REGEX = (?
Exactly. And in default/props.conf you see:
[WinEventLog:Application]
FIELDALIAS-msgid = Message_ID AS message_id
REPORT-applog = extract_transport, extract_incident, extract_virusname, extract_engines
Splunk is complaining with:
05-03-2013 20:29:04.875 +0000 WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='extract_transport'
05-03-2013 20:29:04.876 +0000 WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='extract_incident'
Perhaps these are harmless, but they are certainly ugly.
You have a corrupt install of the Splunk App for Exchange. I'd suggest wiping out the default directory and replacing it with one that is fresh downloaded from Splunkbase.
I definitely do not have a corrupted tarball of the Exchange app. I just checked again, and in the freshly downloaded and extracted Splunk_for_Exchange app, I see the same missing extracts.
The only transform defined in the app is the extract_webapp. The extract_transport, extract_incident, extract_virusname, and extract_engines transforms do NOT exist in any of the addons nor the main app.