Splunk Enterprise

report extractions not working ok.

imsidrai
Explorer

i am trying to parse MS-Exchange http_proxy logs with below setup in props & transforms but this doesnt seem to be working

imsidrai_0-1632476657703.png

inputs.conf UF-
[monitor://D:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\*\*.LOG]
disabled=0
recusrive=true
index= exchange_index
sourcetype= exchange_httpproxy
ignoreOlderThan = 0d


Props and transforms on SH

[exchange_httpproxy]
REPORT-extractfields = extractfields
[extractfields]
DELIMS=","
FIELDS=DateTime,RequestId,MajorVersion,MinorVersion,BuildVersion,RevisionVersion,ClientRequestId,Protocol,UrlHost,UrlStem,ProtocolAction,AuthenticationType,IsAuthenticated,AuthenticatedUser,Organization,AnchorMailbox,UserAgent,ClientIpAddress,ServerHostName,HttpStatus,BackEndStatus,ErrorCode,Method,ProxyAction,TargetServer,TargetServerVersion,RoutingType,RoutingHint,BackEndCookie,ServerLocatorHost,ServerLocatorLatency,RequestBytes,ResponseBytes,TargetOutstandingRequests,AuthModulePerfContext,HttpPipelineLatency,CalculateTargetBackEndLatency,GlsLatencyBreakup,TotalGlsLatency,AccountForestLatencyBreakup,TotalAccountForestLatency,ResourceForestLatencyBreakup,TotalResourceForestLatency,ADLatency,SharedCacheLatencyBreakup,TotalSharedCacheLatency,ActivityContextLifeTime,ModuleToHandlerSwitchingLatency,ClientReqStreamLatency,BackendReqInitLatency,BackendReqStreamLatency,BackendProcessingLatency,BackendRespInitLatency,BackendRespStreamLatency,ClientRespStreamLatency,KerberosAuthHeaderLatency,HandlerCompletionLatency,RequestHandlerLatency,HandlerToModuleSwitchingLatency,ProxyTime,CoreLatency,RoutingLatency,HttpProxyOverhead,TotalRequestTime,RouteRefresherLatency,UrlQuery,BackEndGenericInfo,GenericInfo,GenericErrors,EdgeTraceId,DatabaseGuid,UserADObjectGuid,PartitionEndpointLookupLatency,RoutingStatus

 

Labels (1)
0 Karma

weili6
Engager

In props.conf,  Do you have the following lines:

   SHOULD_LINEMERGE = False

   pulldown_type = 1

 

Also do a soft restart:  in search window:

| extract reload=T 

0 Karma

imsidrai
Explorer

the props and transforms are in my SHC and i was following below link

https://www.splunk.com/en_us/blog/security/detecting-microsoft-exchange-vulnerabilities-0-8-days-lat...

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please share some sample logs and also elaborate on "doesn't seem to be working".

---
If this reply helps you, Karma would be appreciated.
0 Karma

imsidrai
Explorer

2021-09-20T19:00:06.275Z,XXXXXXXXXXXXXXXXXXXXXXX,15,1,2308,14,,Eas,localhost,/Microsoft-Server-ActiveSync/default.eas,,Basic,false,,,,AMProbe/Local/ClientAccess,XXX.X.X.X,XXXX-XXX-XXX,401,,,GET,,,,,,,,,0,,,,,,,,,,,,,,,5,,,,,,,,,,,,,,5,,5,5,,,,BeginRequest=2021-09-20T19:00:06.270Z;CorrelationID=<empty>;SharedCacheGuard=0;EndRequest=2021-09-20T19:00:06.275Z;,,,,,,

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...