Why does the Field Extraction stanza in props.conf...

tomasmoser · ‎03-13-2017

Hi,

Neither of field extraction stanzas in props.conf works. Weird, for example alternative stanza for sha1 in Splunk Web works correctly.

This works in Splunk Web:

sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" 
| rex field=Hashes "SHA1=(?[a-fA-F0-9]{40})"

This stanza in props.conf does not work

EXTRACT-sha1 = SHA1=(?[a-fA-F0-9]{40}) in Hashes

Why?

Tomas

panovattack · ‎03-31-2017

Splunk base is still serving up the version 5 code, even though version is labeled 6. May want to update on splunk base.

jpolcari · ‎03-29-2017

In the newest version on github they have fixed this issue: https://github.com/splunk/TA-microsoft-sysmon

tomasmoser · ‎03-14-2017

Hi,

I am trying to fix a problem in default/props.conf file in the latest version of Splunk add-on TA-microsoft-sysmon.

I am not happy that default configuration does not work. However, I found the problem that is weird.

THIS DOES NOT WORK

default/props.conf:
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
... (no empty line)
EXTRACT-sha1 = SHA1=(?[a-fA-F0-9]{40}) in Hashes
...

THIS DOES WORK

local/props.conf:
EXTRACT-sha1 = SHA1=(?[a-fA-F0-9]{40}) in Hashes

If I add (only) the same EXTRACT-sha1 stanza in local/props.conf without with sourcetype definition as it was in default/props.conf it works!

Any idea?

Tomas

DalJeanis · ‎03-13-2017

It's going to look something more like this -

transforms.conf

    [extract_sha1]
        SOURCE_KEY = Hashes
        REGEX = SHA1=(?[a-fA-F0-9]{40})
        FORMAT= SHA1::$1

props.conf

[the Source Type or other distinguishing feature]
    TRANSFORMS = .... other extracts, including whatever makes "Hashes" ... extract_sha1

Why does the Field Extraction stanza in props.conf not work?