Solved: How can we extract an ldap (Oracle) directory audi...

ddrillic · ‎07-27-2018

We have in the ldap (Oracle) directory audit file, the following layout -

time: 20180724072339
dn: uid=<uid>,ou=people,dc=<dc>,dc=com
changetype: modify
replace: passwordRetryCount
passwordRetryCount: 2
-
add: pwdFailureTime
pwdFailureTime: 20180724122331.986Z
-
<blank line>

How can we extract the event from the time: part until the blank line?

somesoni2 · ‎07-30-2018

Let's give this a try first (props.conf on your indexer/heavy forwarder)

[YourSourcetype]
LINE_BREAKER =([\r\n]+))(?=time\:\s*\d+)
SHOULD_LINEMERGE = false
TIME_PREFIX = ^time\:\s*
TIME_FORMAT = %Y%m%d%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 14

View solution in original post

somesoni2 · ‎07-30-2018

Let's give this a try first (props.conf on your indexer/heavy forwarder)

[YourSourcetype]
LINE_BREAKER =([\r\n]+))(?=time\:\s*\d+)
SHOULD_LINEMERGE = false
TIME_PREFIX = ^time\:\s*
TIME_FORMAT = %Y%m%d%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 14

ddrillic · ‎07-30-2018

Gorgeous @somesoni2 as usual. Please convert to an answer ; -)

somesoni2 · ‎07-27-2018

So you want to consider event boundary from time:... till next blank line (or next time:...)?

ddrillic · ‎07-27-2018

I guess until next blank line would be great...

ddrillic · ‎07-30-2018

@somesoni2 - any thoughts about this one?

How can we extract an ldap (Oracle) directory audit file event?

What’s New in Splunk Cloud Platform 9.1.2308?

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk