Getting Data In

Possible to set fields in transforms.conf for a field in a JSON formatted event?

jwalzerpitt
Influencer

We are using the Splunk Shibboleth add on app but unfortunately our Shib audit events are formatted as JSON and it's nullifying the audit fields in the transforms.conf file:

[shibboleth:audit-fields]
DELIMS    = "|"
FIELDS    = auditEventTime,requestBinding,requestId,relyingPartyId,messageProfileId,assertingPartyId,responseBinding,responseId,principalName,authNMethod,releasedAttributeId1,releasedAttributeId2,nameIdentifier,assertion1ID,assertion2ID

All of the K/V pairs that should be parsed are in the 'Event' field in the JSON formatted event with the | delimiter.

Is there a way to modify the transforms.conf file so that it looks in the Event field for the values to parse?

0 Karma

woodcock
Esteemed Legend

To turn off automatic JSON interpretation, do this on your search head:

[shibboleth:audit-fields]
KV_MODE = none
AUTO_KV_JSON = false
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...