Hi
It seems index-time extractions for audittrail are not supported via the traditional props/transforms.
Is this expected behavior, and is there an approach that will allow indexing a field from the audit.log?
Thank you
Hi Rich,
I installed these settings under system/local on both the SH and the Indexer, and also on a single instance. btool checks out fine, and I've applied the same transformation on the [scheduler] sourcetype and everything works as expected.
Odd behavior with the audit.log. Also, the default inputs.conf (/etc/system/default/inputs.conf)
states the following:
[fschange:$SPLUNK_HOME\etc]
disabled = false
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100
I'm under the impression Splunk's security measures lock out the ability to transform the audit log.
The audittrail sourcetype is like any other. Its settings can be overridden by another app - subject to precedence.
Please describe the problem you are trying to solve.
At index time I have been trying to extract and index the field app from the audittrail:
Audit:[timestamp=04-27-2023 16:51:22.073, user=test, action=search, info=completed, search_id='1682628653.251613', has_error_warn=false, fully_completed_search=true, total_run_time=0.61, event_count=9, result_count=0, available_count=9, scan_count=9, drop_count=0, exec_time=1682628653, api_et=1682539200.000000000, api_lt=1682628653.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1682539200.000000000, search_lt=1682628653.000000000, is_realtime=0, savedsearch_name="", search_startup_time="88", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="E06599A7-7307-4983-8459-FD948B9F996B_search_argus_test_6d524bc0f6be8430", app="search", provenance="UI:Search", mode="historical",
From my tests it doesn't matter what REGEX I use in transforms.conf; there seems to be a behavior where [audittrail] is read-only.
props.conf
[audittrail]
TRANSFORMS-audit_addMetadata = add_app_to_metadata
transforms.conf
[add_app_to_metadata]
SOURCE_KEY = _raw
REGEX = app=\"([^"]+)
FORMAT = mApp::$1
WRITE_META = true
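Before attributing the missing field to Splunk refusing to transform audittrail, it is worth confirming that the posted REGEX and FORMAT actually produce mApp::search against the sample event. The script below is an added example, not code from the thread or from Splunk: it emulates what the REGEX/FORMAT pair in the posted transforms.conf would yield (the $1 expansion and the key::value split are done by hand here, so this only checks the regex and format, not Splunk's index-time pipeline), and it includes a small parser for the Audit:[k=v, ...] layout that keeps commas inside quoted values. The sample event is the one quoted in the thread, trimmed and closed with a bracket, plus a constructed extra="a, b" field to exercise the quoted-comma case.

```python
import re

# Constructed sample: the audittrail event from the thread, trimmed to a few fields,
# closed with ']' (the thread's copy is truncated), and with a made-up extra="a, b"
# field appended to exercise commas inside quoted values.
SAMPLE_RAW = (
    'Audit:[timestamp=04-27-2023 16:51:22.073, user=test, action=search, '
    "info=completed, search_id='1682628653.251613', has_error_warn=false, "
    'savedsearch_name="", app="search", provenance="UI:Search", mode="historical", '
    'extra="a, b"]'
)

# REGEX and FORMAT exactly as written in the posted transforms.conf stanza.
TRANSFORM_REGEX = re.compile(r'app=\"([^"]+)')
TRANSFORM_FORMAT = 'mApp::$1'


def apply_transform(raw, regex=TRANSFORM_REGEX, fmt=TRANSFORM_FORMAT):
    """Emulate a REGEX/FORMAT transform with WRITE_META semantics.

    Returns the (key, value) pair the transform would write, or None when the
    REGEX does not match _raw (Splunk simply writes nothing in that case).
    This is a hand-rolled approximation of $n expansion, not Splunk's code.
    """
    m = regex.search(raw)
    if not m:
        return None
    out = fmt
    # FORMAT refers to capture groups as $1..$n; substitute them in order.
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace('$%d' % i, group)
    key, _, value = out.partition('::')
    return key, value


def _unquote(value):
    """Strip one matching pair of surrounding single or double quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_audit_event(raw):
    """Parse 'Audit:[k=v, k=\'v\', k="v", ...]' into a dict.

    Quoted values may contain commas; unquoted values run until the next comma
    or the closing bracket. A truncated event (no closing ']') is accepted.
    """
    prefix = 'Audit:['
    if not raw.startswith(prefix):
        raise ValueError('not an audittrail event: %r' % raw[:20])
    body = raw[len(prefix):]
    if body.endswith(']'):
        body = body[:-1]
    fields = {}
    # key=value where value is "…", '…', or an unquoted run without ',' or ']'.
    for m in re.finditer(r"(\w+)=(\"[^\"]*\"|'[^']*'|[^,\]]*)", body):
        fields[m.group(1)] = _unquote(m.group(2))
    return fields


if __name__ == '__main__':
    print(apply_transform(SAMPLE_RAW))           # ('mApp', 'search')
    fields = parse_audit_event(SAMPLE_RAW)
    print(fields['app'], '|', fields['extra'])   # search | a, b
```

If this prints ('mApp', 'search') the REGEX and FORMAT are sound, and the missing field has to be explained by where the stanza is loaded (instance, file precedence, btool output) rather than by the pattern itself. Note that the REGEX requires at least one character inside the quotes, so an event with app="" produces no metadata at all.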
Where did you put the settings (which instance, which file path)? Have you used btool to verify the settings are in effect?