All Apps and Add-ons
Highlighted

Why does the Field Extraction stanza in props.conf not work?

Communicator

Hi,

Neither of field extraction stanzas in props.conf works. Weird, for example alternative stanza for sha1 in Splunk Web works correctly.

This works in Splunk Web:

sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" 
| rex field=Hashes "SHA1=(?[a-fA-F0-9]{40})"

This stanza in props.conf does not work

EXTRACT-sha1 = SHA1=(?[a-fA-F0-9]{40}) in Hashes

Why?

Tomas

0 Karma
Highlighted

Re: Why does the Field Extraction stanza in props.conf not work?

SplunkTrust
SplunkTrust

It's going to look something more like this -

transforms.conf

    [extract_sha1]
        SOURCE_KEY = Hashes
        REGEX = SHA1=(?[a-fA-F0-9]{40})
        FORMAT= SHA1::$1

props.conf

[the Source Type or other distinguishing feature]
    TRANSFORMS = .... other extracts, including whatever makes "Hashes" ... extract_sha1
0 Karma
Highlighted

Re: Why does the Field Extraction stanza in props.conf not work?

Communicator

Hi,

I am trying to fix a problem in default/props.conf file in the latest version of Splunk add-on TA-microsoft-sysmon.

I am not happy that default configuration does not work. However, I found the problem that is weird.

THIS DOES NOT WORK

default/props.conf:
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
... (no empty line)
EXTRACT-sha1 = SHA1=(?[a-fA-F0-9]{40}) in Hashes
...

THIS DOES WORK

local/props.conf:
EXTRACT-sha1 = SHA1=(?[a-fA-F0-9]{40}) in Hashes

If I add (only) the same EXTRACT-sha1 stanza in local/props.conf without with sourcetype definition as it was in default/props.conf it works!

Any idea?

Tomas

0 Karma
Highlighted

Re: Why does the Field Extraction stanza in props.conf not work?

Communicator

In the newest version on github they have fixed this issue: https://github.com/splunk/TA-microsoft-sysmon

0 Karma
Highlighted

Re: Why does the Field Extraction stanza in props.conf not work?

Communicator

Splunk base is still serving up the version 5 code, even though version is labeled 6. May want to update on splunk base.

0 Karma