Hi,
I am looking at the Palo Alto add-on from https://splunkbase.splunk.com/app/2757/ and specifically to logs with sourcetype pan:userid
All the logs get the username unknown, when digging into this I see this in the prop.conf
[pan:userid]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^(?:[^,]*,){6}
MAX_TIMESTAMP_LOOKAHEAD = 32
REPORT-search = extract_userid
FIELDALIAS-virtual_system = vsys as virtual_system
FIELDALIAS-src_for_pan_correlation = src_ip as src
FIELDALIAS-dest_ip_for_pan_correlation = src_ip as dest_ip
FIELDALIAS-client_ip = src_ip as client_ip
FIELDALIAS-dest_for_pan_correlation = src_ip as dest
FIELDALIAS-dvc_for_pan_correlation = host as dvc
EVAL-user = coalesce(src_user,"unknown")
and in the transforms i find :
[pan_userid]
DEST_KEY = MetaData:Sourcetype
REGEX = ^[^,]+,[^,]+,[^,]+,USERID,
FORMAT = sourcetype::pan:userid
[extract_userid]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","version","generated_time","vsys","src_ip","source_name","event_id","repeat_count","timeout_threshold","src_port","dest_port","source","source_type","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id","factor_type","factor_completion_time","factor_number"
One thing I notice is that there is no src_user in the fields list in the [extract_userid] so I probably miss something here but my conclusion is that the field will never be filled.
So does anyone have an idea how to get user field filled with username?
Just for reference a log, that should fit here, and it does partially.
<14>1 2020-12-07T15:14:29+01:00 Servername-XX - - - - 1,2020/12/07 15:14:29,000101011111,USERID,logout,223,2020/12/07 15:14:29,vsys,10.10.10.11,client\usr.name,client-loc-id,0,1,0,0,0,agent,,1111111111111111114,0x0,0,0,0,0,,Servername-XX,0,,2020/12/07 15:14:29,1,0x0,client\user.name
