Splunk Enterprise

Are Index Time Extractions of audittrail sourcetype not supported via props and transforms?

dc595
Explorer

Hi 

It seems index-time extractions for audittrail are not supported via the traditional props and transforms.

Is this expected behavior, and is there an approach that will allow indexing a field from the audit.log?

Thank you

0 Karma

dc595
Explorer

Hi Rich,
I installed these settings under system/local on both SH and Indexer, and also on a single instance. btool checks out fine, and I've applied the same transformation on the [scheduler] sourcetype and everything works as expected.

Odd behavior with the audit.log. Also, the default inputs.conf (/etc/system/default/inputs.conf)
states the following.

[fschange:$SPLUNK_HOME\etc]
disabled = false
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100


I'm under the impression that Splunk's security measures lock out the ability to transform the audit log.

0 Karma

richgalloway
SplunkTrust

The audittrail sourcetype is like any other. Its settings can be overridden by another app, subject to precedence.

Please describe the problem you are trying to solve.

---
If this reply helps you, Karma would be appreciated.
0 Karma

dc595
Explorer

At index time I have been trying to extract and index the field app from the audittrail.

Audit:[timestamp=04-27-2023 16:51:22.073, user=test, action=search, info=completed, search_id='1682628653.251613', has_error_warn=false, fully_completed_search=true, total_run_time=0.61, event_count=9, result_count=0, available_count=9, scan_count=9, drop_count=0, exec_time=1682628653, api_et=1682539200.000000000, api_lt=1682628653.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1682539200.000000000, search_lt=1682628653.000000000, is_realtime=0, savedsearch_name="", search_startup_time="88", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="E06599A7-7307-4983-8459-FD948B9F996B_search_argus_test_6d524bc0f6be8430", app="search", provenance="UI:Search", mode="historical",

From my tests it doesn't matter what REGEX I use in transforms.conf; there seems to be a behavior where [audittrail] is read-only.

props.conf

[audittrail]
TRANSFORMS-audit_addMetadata = add_app_to_metadata

transforms.conf

[add_app_to_metadata]
SOURCE_KEY = _raw
REGEX = app=\"([^"]+)
FORMAT = mApp::$1
WRITE_META = true

0 Karma
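As an added diagnostic, not part of the thread or of Splunk itself: this emulates the REGEX/FORMAT step of the transforms.conf stanza quoted above against a constructed audit.log line shaped like the one in the post, to confirm the pattern alone produces mApp::search, so a field missing from the index points at the pipeline rather than at the regex. The stanza parser and the sample event are assumptions made for this example.

```python
import re

# Constructed sample event, shaped like the audit.log line quoted in the thread.
SAMPLE_EVENT = (
    'Audit:[timestamp=04-27-2023 16:51:22.073, user=test, action=search, '
    "info=completed, search_id='1682628653.251613', has_error_warn=false, "
    'savedsearch_name="", app="search", provenance="UI:Search", mode="historical",'
)

# The transforms.conf stanza from the thread, verbatim (the \\ keeps the \" intact).
TRANSFORMS_CONF = """
[add_app_to_metadata]
SOURCE_KEY = _raw
REGEX = app=\\"([^"]+)
FORMAT = mApp::$1
WRITE_META = true
"""


def parse_transforms(text):
    """Minimal .conf reader (assumption: INI-style stanzas, key = value lines)."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def apply_transform(stanza, raw):
    """Emulate a WRITE_META transform on _raw: run REGEX, expand $N in FORMAT,
    split on '::' and return {field: value}; return {} when nothing matches."""
    if stanza.get("WRITE_META", "false").lower() != "true":
        return {}
    match = re.search(stanza["REGEX"], raw)
    if not match:
        return {}
    expanded = re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), stanza["FORMAT"])
    field, _, value = expanded.partition("::")
    return {field: value}


if __name__ == "__main__":
    stanza = parse_transforms(TRANSFORMS_CONF)["add_app_to_metadata"]
    print(apply_transform(stanza, SAMPLE_EVENT))  # {'mApp': 'search'}
```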

richgalloway
SplunkTrust

Where did you put the settings (which instance, which file path)? Have you used btool to verify the settings are in effect?

---
If this reply helps you, Karma would be appreciated.
0 Karma