Possible to set fields in transforms.conf for a fi...

jwalzerpitt · ‎05-08-2019

We are using the Splunk Shibboleth add on app but unfortunately our Shib audit events are formatted as JSON and it's nullifying the audit fields in the transforms.conf file:

[shibboleth:audit-fields]
DELIMS    = "|"
FIELDS    = auditEventTime,requestBinding,requestId,relyingPartyId,messageProfileId,assertingPartyId,responseBinding,responseId,principalName,authNMethod,releasedAttributeId1,releasedAttributeId2,nameIdentifier,assertion1ID,assertion2ID

All of the K/V pairs that should be parsed are in the 'Event' field in the JSON formatted event with the | delimiter.

Is there a way to modify the transforms.conf file so that it looks in the Event field for the values to parse?

woodcock · ‎05-11-2019

To turn off automatic JSON interpretation, do this on your search head:

[shibboleth:audit-fields]
KV_MODE = none
AUTO_KV_JSON = false

Possible to set fields in transforms.conf for a field in a JSON formatted event?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Join the Conversation