Hey everyone! I'm looking at extracting multi-value fields that contain multiple MAC addresses within a field. I know I can create and manipulated multi-value fields at search time, but I'd like to separate some of this data during ingestion. I've read through the transforms.conf and props.conf manual pages, but the language on transforming data into a multi-value field isn't very clear to me. For instance, I'm having trouble understanding what the "::$1" characters denote when using the "FORMAT" key in my transforms.conf file. I know it has to do with RegEx capture groups, but I'm just having a hard time relating how data is extracted and stored via a conf file, as I'm more used to using RegEx on the command line with grep. Would someone kindly help me with an example of how I would extract MAC addresses as a multi-value field? It would really help me bridge the gap of understanding for me, as it's been hard to find concrete examples of how to do this online. In the CSV file, the "MAC_address" field has the data encapsulated in quotes like this: "ad:00:12:af:21:31, 00:fd:aa:23:d1:a5, {so on}". So I'm thinking my conf files need to look something like this: props.conf #sourcetype [mac_addy] TRANSFORMS-mv_macaddress = mv_macaddress transforms.conf [mv_macaddress] SOURCE_KEY=MAC_Address REGEX=(([0-9A-F]{2}[:-]){5}([0-9A-F]{2})[,]+) FORMAT=mv_macaddress::$1 MV_ADD=true Would someone please confirm that I'm on the right path or point out any problems with my configuration? I also have fields in the CSV file that have multiple iterations of the same string (a URL), and I would like to deduplicate them so that random entries don't take up 2 page lengths of a webpage. Almost all of my Google searches for "Splunk deduplicate" point me to results about the search-time command "dedup" or how to use CRCsalt on my index to prevent duplicate whole entries. Is there any way I can define a string for a field and have Splunk drop or concatenate that field into one line so I don't have dozens (literally dozens of them!) of iterations of "https://icanhas.cheezburger.com/ https://icanhas.cheezburger.com/ https://icanhas.cheezburger.com/ https://icanhas.cheezburger.com/". I appreciate your help. Thank you! ... View more

Hello Splunk friends, I'm trying to use ldapsearch to ingest certain attributes into an index. Currently some attributes, such as employeeID are not being returned. I've tried the following searches: | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="employeeID" or | ldapsearch domain=MYDOMAIN.COM search="(objectclass=user)" basedn="DC=sub,DC=domain,DC=mydomain,DC=com" attrs="name,cn,givenName,displayName,sn,title,employeeID,departmentNumber,dNSHostName,description,objectClass,primaryGroupID,pwdLastSet,whenCreated,whenChanged,lastLogonTimestamp,logonCount,lockoutTime,badPasswordTime,accountExpires" | table name, cn, givenName, displayName, sn, title, employeeID, departmentNumber, dNSHostName, description, objectClass, primaryGroupID, pwdLastSet, whenCreated, whenChanged, lastLogonTimestamp, logonCount, lockoutTime, badPasswordTime, accountExpires I've also tried "domain=default" and excluding the domain. When I run ldapsearch from my own computer or from a server, it returns these attributes just fine. I checked ldap.conf and I also checked the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) config test connection and it all seems to work OK. I read up on the Global Catalog, but I'm not familiar Active Directory. I've done a lot of searches on Google and this website but I can't seem to find any information that's getting me on the right path to a solution. Would any of you please give me some advice? Thank you! Z ... View more