After installing the Splunk App for Microsoft Exchange without any customization, Splunk translates login usernames as follows:
google\peter@google >>> peter@google
google/peter@google >>> peter@google
google\peter >>> peter@google
google/peter >>> peter@google
mary@yahoo >>> mary@yahoo
daniel >>> daniel@UNKNOWN
From the above examples: a DOMAIN\user or DOMAIN/user prefix is rewritten as user@DOMAIN, and if the login username has no domain at all, the domain defaults to UNKNOWN.
This behavior can be changed with domain_aliases.csv (in the splunk_app_microsoft/exchange/local directory). Each row maps a domain as it appears in the logs to the domain you want in its place:
# cat domain_aliases.csv
UNKNOWN,LF-main.com
google,google-private-cloud.com
With the above domain_aliases.csv in place, the translation becomes:
google/peter@google >>> peter@google-private-cloud.com
daniel >>> daniel@LF-main.com
Note that mapping UNKNOWN to a real domain credits every logon that arrives without a domain to that domain, so only do this if all such logons really come from it.
Now we know how to change one domain into another.
Splunk can also append a different domain to each username, provided you know in advance which domain each user belongs to.
For example, suppose I want the following login username translation:
dragon >>> dragon@china.com
jellyfish >>> jellyfish@hongkong.com
lion >>> animal@forest.com
You can do this with the active_directory.csv file (in the same local directory). Here is the setting; the third column is the login name as it appears in the logs, and the first two are the domain and user it is translated to:
# cat active_directory.csv
china.com,dragon,dragon
hongkong.com,jellyfish,jellyfish
forest.com,animal,lion
Finally, this is a search you can use to quickly test the lookup and see the result (replace "lion" with any login name you want to check):
index=_internal | head 1 | eval cs_username="lion" | lookup ad_username cs_username | table cs_username, user_subject
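To make the whole translation chain concrete (prefix stripping, the UNKNOWN default, domain_aliases.csv, then active_directory.csv), here is an added example in Python that reproduces it on the sample names from this post. It is not code from the Splunk app; it is a stand-in written for this page. It assumes the two CSV files have no header row and the column orders shown above (domain,alias and domain,user,login), that the active_directory.csv lookup is consulted only for login names that arrive without a domain, that a trailing @domain wins over a DOMAIN\ prefix when both are present, and that domain names are compared case-insensitively. The CSV contents are constructed inline from the post so the script runs offline.

```python
import csv
import io
import re

# Constructed sample lookups, copied from the two files shown in the post
# (assumption: no header row, columns as shown).
DOMAIN_ALIASES_CSV = """UNKNOWN,LF-main.com
google,google-private-cloud.com
"""

ACTIVE_DIRECTORY_CSV = """china.com,dragon,dragon
hongkong.com,jellyfish,jellyfish
forest.com,animal,lion
"""


def load_domain_aliases(text):
    """Return {logged_domain_lowercased: replacement_domain} from domain,alias rows."""
    aliases = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2 or not row[0].strip():
            continue  # skip blank or malformed rows instead of silently mis-mapping
        aliases[row[0].strip().lower()] = row[1].strip()
    return aliases


def load_active_directory(text):
    """Return {login_name_lowercased: (ad_user, ad_domain)} from domain,user,login rows."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3 or not row[2].strip():
            continue
        domain, user, login = (c.strip() for c in row)
        entries[login.lower()] = (user, domain)
    return entries


def split_login(raw):
    """Split 'DOMAIN\\user', 'DOMAIN/user', 'user@domain' or 'user' into (user, domain_or_None)."""
    raw = raw.strip()
    domain = None
    # A leading DOMAIN\ or DOMAIN/ prefix, either separator.
    m = re.match(r"^([^\\/]+)[\\/](.+)$", raw)
    rest = m.group(2) if m else raw
    if m:
        domain = m.group(1)
    if "@" in rest:
        # Assumption: an explicit @domain suffix takes precedence over the prefix.
        user, domain = rest.rsplit("@", 1)
    else:
        user = rest
    if not user:
        raise ValueError("empty user name in %r" % raw)
    return user, domain


def translate(raw, aliases=None, ad=None):
    """Reproduce the app's user_subject translation for one login string."""
    if aliases is None:
        aliases = load_domain_aliases(DOMAIN_ALIASES_CSV)
    if ad is None:
        ad = load_active_directory(ACTIVE_DIRECTORY_CSV)
    user, domain = split_login(raw)
    if domain is None:
        # Assumption: active_directory.csv is only consulted for domain-less logins.
        if user.lower() in ad:
            ad_user, ad_domain = ad[user.lower()]
            return "%s@%s" % (ad_user, ad_domain)
        domain = "UNKNOWN"  # the default the post describes
    # domain_aliases.csv rewrites the domain; unknown domains pass through unchanged.
    domain = aliases.get(domain.lower(), domain)
    return "%s@%s" % (user, domain)


def run_examples():
    """Translate every sample login from the post; returns {input: user_subject}."""
    samples = [
        "google\\peter@google", "google/peter@google", "google\\peter",
        "google/peter", "mary@yahoo", "daniel", "dragon", "jellyfish", "lion",
    ]
    return {s: translate(s) for s in samples}


if __name__ == "__main__":
    for raw, subject in run_examples().items():
        print("%-22s >>> %s" % (raw, subject))
```

Passing empty dictionaries for aliases and ad shows the out-of-the-box behaviour (daniel becomes daniel@UNKNOWN), which is a quick way to confirm that a change to either CSV is actually what altered a result.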