I am configuring LDAP authentication against Windows AD, where the users are in groups with names containing a hash character and an arbitrary string: CN=\#CS foo,OU=division,DC=fabrikam,DC=com CN=\#CS bar,... CN=\#CS baz,... CN=\#CS qux,... I have a working Static Group Search filter that uses asterisk wildcards to capture the hash sign, and which requires the full name of the CN. Those upstream names occasionally change, and break authentication. It's also a hassle to maintain the long list of OR clauses, for example (|(*CS foo)(*CS bar)(*CS baz)(*CS qux)) is ugly but it works. I would like to capture #CS * "Hash-Charlie-Sierra-space-Asterisk", but using common backslash or RFC4515 style escape chars, I am getting errors : (CN=\#CS *) (CN=\#CS foo) and (CN=\23CS foo) returns "Encountered the following error while trying to update: Failed to retrieve a group with these settings." Any help on crafting a suitable query filter would be warmly appreciated. Splunk Enterprise 7.0.1 on Linux, Windows AD version unknown, presumed old-ish. ... View more

We are collecting sourcetype=hardware via the Splunk_TA_nix app (v5.2.3), but the data returned isn't being extracted. The ./bin/hardware.sh script is clearly written to produce tabular data, but I seem to be missing a transform that extracts it properly. Does that transform ship in a different app? Am I doing something wrong? A search-time extraction via multikv isn't useful, as the $1::$2 field naming doesn't happen. In search, each event looks like this: KEY VALUE CPU_TYPE Intel(R) Xeon(R) CPU X5690 @ 3.47GHz CPU_CACHE 12288 KB CPU_COUNT 4 HARD_DRIVES sda (Virtual disk) 200 GB; NIC_TYPE <notAvailable> NIC_COUNT 1 MEMORY_REAL 16334412 kB MEMORY_SWAP 16777208 kB What I want is MEMORY_REAL="16334412 kB" etc. Splunk Enterprise 7.0.2, Splunk_ta_nix 5.2.3, mix of CentOS 6.7 & Amazon Linux ... View more

I am tasked with consuming a number of XML config files, which contain many key value pairs, but where the semantically useful KV pairs are obscured by literal KV pairs that are not useful. For example: <?xml version="1.0" encoding="UTF-8"?> <configuration> <appSettings> <add key="John" value="Guitar"/> <add key="Paul" value="Bass"/> <add key="George" value="Guitar"/> <add key="Ringo" value="Drums"/> </appSettings> </configuration> I would like to extract the data as: John=Guitar, Paul=Bass, George=Guitar, Ringo=Drums ... There are dozens of these keys. I am attempting index-time extraction because I read that search-time extraction can not concatenate event segments into a field name If there were a search-time method, that would be preferred, of course. Props.conf [fab] BREAK_ONLY_BEFORE = NEVER_BREAK DATETIME_CONFIG = CURRENT NO_BINARY_CHECK = true category = Custom description = Example XML disabled = false TRANSFORMS-xml1 = xml1 KV_MODE = none Transforms.conf [xml1] REGEX = [\s+]<add\skey=\"(\w+)\"\svalue=\"(.*)\"\s\/> FORMAT = $1::$2 WRITE_META = true REPEAT_MATCH = true LOOKAHEAD = 4096 Regex101.com validates the regex does capture the groups I want, but I'm not seeing any extracted fields in Spunk Web. What am I missing? I am working in Splunk Enterprise 6.5.1. TIA! ... View more

My raw data includes a field "source=SoftwareSubsystemFoo" , a name which overlaps the default 'source' field. In the past, I had the same issue and I dimly recall that the overlapping field was renamed something like '_extracted_source' . As an underscored fieldname it was hidden from the UI unless requested directly with the | fields search command. I can't find the details in my notes, and my search-fu is failing. Does this remapped field name exist? What is it? An alternate solution would be to create a transform, but I have a large and variable number of sourcetypes which might have namespace collisions, and I'd prefer an automatic solution, particularly if it were already happening in the background. Reference: http://answers.splunk.com/answers/26243/source-as-fieldname.html ... View more

We have a Deployment server within our Splunk estate. For a variety of political & operational reasons, we have decided to do endpoint configuration management using different tools. How do I decommission a Deployment Server without removing the Apps it has deployed? I do not want to disturb the existing configuration state for client endpoints. Am I looking at removing deploymentclient.conf from each endpoint individually? It seems that any other approach - Removing server classes, removing apps, etc. will result in client endpoints deleting their local copy of the app. One approach I was considering - Would it work if I point the DNS record for my existing DS to a new Deployment Server instance, one that is minimally configured. Does that result in the endpoint removing the apps managed by the prior DS? Thanks for any thoughts or guidance. ... View more