I've recently installed Splunk_TA_nix and started using the "ps" script. The data is ingested into my ES. However it is not translated into CIM Endpoint.Processes object, because it lacks "report" tag.  I know I can add it by crafting my own tags.conf file. However, most of the default configurations in Splunk are configured as they are for some reason. So, what it the reason not to have "report" tag for Linux scripted sourcetypes? Below an example of tags.conf part for ps eventtype stanza: [eventtype=ps] performance = enabled cpu = enabled success = enabled ps = enabled oshost = enabled process = enabled ... View more

I'd like to report an incomplete transform of RegistryValueData in Splunk_TA_microsoft_sysmon v1.0.1 Now it looks like: [sysmon-registryvaluedata] REGEX = <Data Name='Details'>\w+\s\((.+)\)</Data> FORMAT = RegistryValueData::$1 So it works fine when Details contains: DWORD (0x00000001) But when it is a string value, it doesn't make sense.  What about this transform? [sysmon-registryvaluedata] REGEX = <Data Name='Details'>(?:([^(^)]*)|\w+\s\((.+)\))</Data> FORMAT = RegistryValueData::$1 ... View more