This is just one of the problems I had with Splunk_TA_windows, so I decided to build my own Windows app. All of the *_as_dest_nt_domain regexes are incorrect, and so is the "wel-col-kv" regex. This is what I have now in my transforms.conf:
# The default regex in the ten *_as_dest_nt_domain stanzas below is not correct for EventCodes that carry more than one Account_Domain field.
# The target domain is always the second field, but with two fields the default regex captures the whole value instead of only the last one.
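[Target_Domain_as_dest_nt_domain]
SOURCE_KEY = Target_Domain
# Keep only the last whitespace-separated value (the second domain when the
# event carries two), otherwise keep the whole value. A single optional group
# keeps the capture in $1; the earlier alternation put the single-value case
# into $2, which FORMAT never referenced, so $1 was empty for those events.
# NOTE(review): a domain that itself contains whitespace ("NT AUTHORITY") is
# cut to its last word, and a character outside [-\sa-zA-Z0-9] (e.g. "." in an
# FQDN) disables the split -- confirm against the domain values in your events.
# A lone "-" placeholder passes through unchanged.
REGEX = (?:[\-\sa-zA-Z0-9]*\s)?(.*)
FORMAT = dest_nt_domain::"$1"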
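[Primary_Domain_as_dest_nt_domain]
SOURCE_KEY = Primary_Domain
# Keep only the last whitespace-separated value (the second domain when the
# event carries two), otherwise keep the whole value. A single optional group
# keeps the capture in $1; the earlier alternation put the single-value case
# into $2, which FORMAT never referenced, so $1 was empty for those events.
# NOTE(review): a domain that itself contains whitespace ("NT AUTHORITY") is
# cut to its last word, and a character outside [-\sa-zA-Z0-9] (e.g. "." in an
# FQDN) disables the split -- confirm against the domain values in your events.
# A lone "-" placeholder passes through unchanged.
REGEX = (?:[\-\sa-zA-Z0-9]*\s)?(.*)
FORMAT = dest_nt_domain::"$1"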
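[Group_Domain_as_dest_nt_domain]
SOURCE_KEY = Group_Domain
# Keep only the last whitespace-separated value (the second domain when the
# event carries two), otherwise keep the whole value. A single optional group
# keeps the capture in $1; the earlier alternation put the single-value case
# into $2, which FORMAT never referenced, so $1 was empty for those events.
# NOTE(review): a domain that itself contains whitespace ("NT AUTHORITY") is
# cut to its last word, and a character outside [-\sa-zA-Z0-9] (e.g. "." in an
# FQDN) disables the split -- confirm against the domain values in your events.
# A lone "-" placeholder passes through unchanged.
REGEX = (?:[\-\sa-zA-Z0-9]*\s)?(.*)
FORMAT = dest_nt_domain::"$1"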
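[Account_Domain_as_dest_nt_domain]
SOURCE_KEY = Account_Domain
# Keep only the last whitespace-separated value (the second Account_Domain
# when the event carries two), otherwise keep the whole value. A single optional
# group keeps the capture in $1; the earlier alternation put the single-value
# case into $2, which FORMAT never referenced, so $1 was empty for those events.
# NOTE(review): a domain that itself contains whitespace ("NT AUTHORITY") is
# cut to its last word, and a character outside [-\sa-zA-Z0-9] (e.g. "." in an
# FQDN) disables the split -- confirm against the domain values in your events.
# A lone "-" placeholder passes through unchanged.
REGEX = (?:[\-\sa-zA-Z0-9]*\s)?(.*)
FORMAT = dest_nt_domain::"$1"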
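[New_Domain_as_dest_nt_domain]
SOURCE_KEY = New_Domain
# Keep only the last whitespace-separated value (the second domain when the
# event carries two), otherwise keep the whole value. A single optional group
# keeps the capture in $1; the earlier alternation put the single-value case
# into $2, which FORMAT never referenced, so $1 was empty for those events.
# NOTE(review): a domain that itself contains whitespace ("NT AUTHORITY") is
# cut to its last word, and a character outside [-\sa-zA-Z0-9] (e.g. "." in an
# FQDN) disables the split -- confirm against the domain values in your events.
# A lone "-" placeholder passes through unchanged.
REGEX = (?:[\-\sa-zA-Z0-9]*\s)?(.*)
FORMAT = dest_nt_domain::"$1"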
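[Domain_as_dest_nt_domain]
SOURCE_KEY = Domain
# Keep only the last whitespace-separated value (the second domain when the
# event carries two), otherwise keep the whole value. A single optional group
# keeps the capture in $1; the earlier alternation put the single-value case
# into $2, which FORMAT never referenced, so $1 was empty for those events.
# NOTE(review): a domain that itself contains whitespace ("NT AUTHORITY") is
# cut to its last word, and a character outside [-\sa-zA-Z0-9] (e.g. "." in an
# FQDN) disables the split -- confirm against the domain values in your events.
# A lone "-" placeholder passes through unchanged.
REGEX = (?:[\-\sa-zA-Z0-9]*\s)?(.*)
FORMAT = dest_nt_domain::"$1"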
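[User_ID_as_dest_nt_domain]
SOURCE_KEY = User_ID
# Keep only the last whitespace-separated value when the source field holds
# several, otherwise keep the whole value. A single optional group keeps the
# capture in $1; the earlier alternation put the single-value case into $2,
# which FORMAT never referenced, so $1 was empty for those events.
# NOTE(review): a value that itself contains whitespace ("NT AUTHORITY") is
# cut to its last word, and a character outside [-\sa-zA-Z0-9] (e.g. "\" in
# DOMAIN\user) disables the split -- confirm against your events.
# A lone "-" placeholder passes through unchanged.
REGEX = (?:[\-\sa-zA-Z0-9]*\s)?(.*)
FORMAT = dest_nt_domain::"$1"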
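[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
# Keep only the last whitespace-separated value when the source field holds
# several, otherwise keep the whole value. A single optional group keeps the
# capture in $1; the earlier alternation put the single-value case into $2,
# which FORMAT never referenced, so $1 was empty for those events.
# NOTE(review): a value that itself contains whitespace ("NT AUTHORITY") is
# cut to its last word, and a character outside [-\sa-zA-Z0-9] (e.g. "\" in
# DOMAIN\user) disables the split -- confirm against your events.
# A lone "-" placeholder passes through unchanged.
REGEX = (?:[\-\sa-zA-Z0-9]*\s)?(.*)
FORMAT = dest_nt_domain::"$1"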
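[Supplied_Realm_Name_as_dest_nt_domain]
SOURCE_KEY = Supplied_Realm_Name
# Keep only the last whitespace-separated value when the source field holds
# several, otherwise keep the whole value. A single optional group keeps the
# capture in $1; the earlier alternation put the single-value case into $2,
# which FORMAT never referenced, so $1 was empty for those events.
# NOTE(review): a realm that itself contains whitespace is cut to its last
# word, and a character outside [-\sa-zA-Z0-9] (e.g. "." in a Kerberos realm
# such as CORP.EXAMPLE.COM) disables the split -- confirm against your events.
# A lone "-" placeholder passes through unchanged.
REGEX = (?:[\-\sa-zA-Z0-9]*\s)?(.*)
FORMAT = dest_nt_domain::"$1"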
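[Target_Account_ID_as_dest_nt_domain]
SOURCE_KEY = Target_Account_ID
# Keep only the last whitespace-separated value when the source field holds
# several, otherwise keep the whole value. A single optional group keeps the
# capture in $1; the earlier alternation put the single-value case into $2,
# which FORMAT never referenced, so $1 was empty for those events.
# NOTE(review): a value that itself contains whitespace ("NT AUTHORITY") is
# cut to its last word, and a character outside [-\sa-zA-Z0-9] (e.g. "\" in
# DOMAIN\user) disables the split -- confirm against your events.
# A lone "-" placeholder passes through unchanged.
REGEX = (?:[\-\sa-zA-Z0-9]*\s)?(.*)
FORMAT = dest_nt_domain::"$1"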
# An empty field does not always contain "-"; in those cases the value of that field ends up filled with the name of the next field.
# Example: dest_nt_domain = "Failure Information:" (EventCode 4625)
# To prevent that, the wel-col-kv regex (shipped in $SPLUNK_HOME/etc/system/default/transforms.conf) needs to be overridden. Put the override in a local transforms.conf (the app's local/ directory or etc/system/local) rather than editing system/default, which is replaced on upgrade.
[wel-col-kv]
REGEX = (?=\w)([^:\n\r]+):[ \t]*(?![\n\t])([^\n\t]*)