Hi,
Neither of the field extraction stanzas in props.conf works. Weird, for example the alternative stanza for sha1 in Splunk Web works correctly.
This works in Splunk Web:
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| rex field=Hashes "SHA1=(?<sha1>[a-fA-F0-9]{40})"
This stanza in props.conf does not work
EXTRACT-sha1 = SHA1=(?<sha1>[a-fA-F0-9]{40}) in Hashes
Why?
Tomas
Splunk base is still serving up the version 5 code, even though the version is labeled 6. May want to update on splunk base.
In the newest version on github they have fixed this issue: https://github.com/splunk/TA-microsoft-sysmon
Hi,
I am trying to fix a problem in default/props.conf file in the latest version of Splunk add-on TA-microsoft-sysmon.
I am not happy that the default configuration does not work. However, I found a problem that is weird.
THIS DOES NOT WORK
default/props.conf:
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
... (no empty line)
EXTRACT-sha1 = SHA1=(?<sha1>[a-fA-F0-9]{40}) in Hashes
...
THIS DOES WORK
local/props.conf:
EXTRACT-sha1 = SHA1=(?<sha1>[a-fA-F0-9]{40}) in Hashes
If I add (only) the same EXTRACT-sha1 stanza in local/props.conf without the sourcetype definition, as it was in default/props.conf, it works!
Any idea?
Tomas
It's going to look something more like this -
transforms.conf
[extract_sha1]
SOURCE_KEY = Hashes
REGEX = SHA1=(?<sha1>[a-fA-F0-9]{40})
FORMAT = SHA1::$1
props.conf
[the Source Type or other distinguishing feature]
TRANSFORMS = .... other extracts, including whatever makes "Hashes" ... extract_sha1
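The extraction this thread is about, written out as a small stand-alone parser so the regex and the shape of the Sysmon Hashes field can be checked outside Splunk. This is an added example, not code from the TA or from any poster; the sample Hashes value is constructed, and the generic parser goes one step beyond the thread by handling every ALGORITHM=digest pair, not only SHA1.

```python
"""Emulate the Sysmon ``Hashes`` field extraction discussed in the thread.

Sysmon writes hashes as one comma-separated string, for example
``SHA1=...,MD5=...,SHA256=...,IMPHASH=...`` (order follows the sensor's
HashAlgorithms setting). SHA1_RE mirrors the thread's regex in Python's
named-group syntax; parse_hashes() generalises it to all algorithms and
validates digest lengths so a truncated value cannot become a search key.
"""
import re

# Same pattern as EXTRACT-sha1 / the transforms REGEX, Python named-group form.
SHA1_RE = re.compile(r"SHA1=(?P<sha1>[a-fA-F0-9]{40})")

# Expected hex-digest lengths for the algorithms Sysmon can emit.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "IMPHASH": 32}

# Constructed sample value of one event's Hashes field (not real digests).
SAMPLE_HASHES = ("SHA1=" + "a1" * 20 + ",MD5=" + "b2" * 16
                 + ",SHA256=" + "c3" * 32 + ",IMPHASH=" + "d4" * 16)


def extract_sha1(hashes: str):
    """Return the SHA1 digest (lower-cased) or None, as EXTRACT-sha1 would."""
    m = SHA1_RE.search(hashes)
    return m.group("sha1").lower() if m else None


def parse_hashes(hashes: str) -> dict:
    """Split a Hashes field into {ALGORITHM: digest}, dropping malformed pairs.

    A pair is kept only when the algorithm is known and the digest is
    hexadecimal with exactly the expected length for that algorithm.
    """
    out = {}
    for pair in hashes.split(","):
        alg, sep, digest = pair.strip().partition("=")
        alg = alg.upper()
        if not sep or alg not in DIGEST_LEN:
            continue
        if len(digest) != DIGEST_LEN[alg] or not re.fullmatch(r"[0-9a-fA-F]+", digest):
            continue
        out[alg] = digest.lower()
    return out


if __name__ == "__main__":
    print(extract_sha1(SAMPLE_HASHES))
    print(parse_hashes(SAMPLE_HASHES))
```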