Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

TA Linux Auditd for OCSF transforms has bugs

ivarny
Path Finder
‎06-14-2024 03:20 AM

The transforms to set sourcetypes has a bug.
The regex uses a capture group that is not used in the format statment.
When this is the case splunk does not return a match on the regex.
To get this to work it is neccessary to change the regex to a non-capturing group
e.g. for:

[auditdclasses2]
REGEX = type\=(ANOM_|USER_AVC|AVC|CRYPTO_REPLAY_USER|RESP)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::linux:audit:ocsf:finding



must be change to 

REGEX = type\=(?:ANOM_|USER_AVC|AVC|CRYPTO_REPLAY_USER|RESP)



Then it works.
The same for the other auditdclasses1 - 6.

Labels (3)
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...