Splunk for Exchange.

jgoddard
Path Finder

I have some "invalid key-value parser" warnings coming from the exchange app; I am pretty sure these are left over from the ForeFront bits that were removed. Is this correct?

I see in default/props.conf:
[WinEventLog:Application]
FIELDALIAS-msgid = Message_ID AS message_id
REPORT-applog = extract_transport, extract_incident, extract_virusname, extract_engines

But the only transforms.conf entry is for extract_webapp, which is used in the IIS sections of props.

Am I misunderstanding something, or should I just make a local copy of that props and comment out the report line?

0 Karma

t9445
Path Finder

Hi, by any chance can someone please supply the transform statement for extract_transport? It is still missing in the current (v6) version as well. I have commented it out for now, but I am hoping to correct it if possible.

0 Karma

skylasam_splunk
Splunk Employee

Ah, I see now. You have a fair point. There are references in props.conf that don't have stanzas defined in transforms.conf. For now, you can either ignore these errors or remove the references to extract_incident, extract_virusname, extract_engines from props.conf.
I've also filed a bug to fix this issue in the next version of the exchange app.

0 Karma
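A small checker for the situation in this thread, added here as an example and not part of the app or of anyone's post: it parses props.conf and transforms.conf, lists every REPORT-/TRANSFORMS- reference to a stanza that transforms.conf never defines (the source of the "Invalid key-value parser" warnings), and renders a local/props.conf override that keeps only the transforms that exist, so default/ stays untouched. The sample conf text is constructed from the snippets quoted in the thread.

```python
import re

# Constructed sample of the app's default/props.conf, mirroring the thread.
SAMPLE_PROPS = """\
[WinEventLog:Application]
FIELDALIAS-msgid = Message_ID AS message_id
REPORT-applog = extract_transport, extract_incident, extract_virusname, extract_engines
"""
# Constructed transforms.conf holding only the stanza that really exists.
SAMPLE_TRANSFORMS = """\
[extract_webapp]
SOURCE_KEY = cs_uri_stem
REGEX = ^/(?<webapp>[^/]+)
"""

def parse_stanzas(text):
    """Return {stanza: {key: value}} for a Splunk .conf file; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def dangling_references(props_text, transforms_text):
    """Map (props stanza, setting) -> transform names with no stanza in transforms.conf."""
    defined, missing = set(parse_stanzas(transforms_text)), {}
    for stanza, settings in parse_stanzas(props_text).items():
        for key, value in settings.items():
            # REPORT- (search time) and TRANSFORMS- (index time) both list transforms.conf stanzas
            if key.startswith(("REPORT-", "TRANSFORMS-")):
                gone = [n.strip() for n in value.split(",") if n.strip() and n.strip() not in defined]
                if gone:
                    missing[(stanza, key)] = gone
    return missing

def local_override(props_text, transforms_text):
    """Render a local/props.conf that keeps only the transforms that exist, so default/ stays untouched."""
    props, out = parse_stanzas(props_text), []
    for (stanza, key), gone in dangling_references(props_text, transforms_text).items():
        keep = [n.strip() for n in props[stanza][key].split(",") if n.strip() and n.strip() not in gone]
        out.append(f"[{stanza}]\n{key} = {', '.join(keep)}\n")
    return "\n".join(out)
```

Run it against the real $SPLUNK_HOME/etc/apps/Splunk_for_Exchange/default files to see exactly which names each REPORT line drags in; for the thread's case every name in REPORT-applog is missing, so the override leaves the setting empty.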

skylasam_splunk
Splunk Employee

It definitely looks like you're not picking up the correct app contents for some reason. I just downloaded the app from Splunkbase (v2.1.0) and I see the following in the contents of etc\apps\Splunk_for_Exchange\default\transforms.conf.

[exch_audit_user_extraction]
SOURCE_KEY = Accessing_User
REGEX = /cn=Recipients/cn=(?.*)

[AdminAudit_ExtractParam]
REGEX = Param="(?[^"]*)"
MV_ADD = true

[AdminAudit_ExtractError]
REGEX = Error="(?[^"]*)"
MV_ADD = true

[ignore_comments]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

[extract_webapp]
SOURCE_KEY = cs_uri_stem
REGEX = ^/(?[^/]+)

[mswin_2003_iis_fields]
FIELDS = "date","time","s_sitename","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_user_agent","sc_status","sc_substatus","sc_win32_status"
DELIMS = " "

[mswin_2008r2_iis_fields]
FIELDS = "date","time","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_user_agent","sc_status","sc_substatus","sc_win32_status","time_taken"
DELIMS = " "

[mswin_2012_iis_fields]
FIELDS = "date","time","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_user_agent","cs_referer","sc_status","sc_substatus","sc_win32_status","time_taken"
DELIMS = " "

[useragent]
external_cmd = useragent.py cs_user_agent os osvariant osversion browser browserversion
external_type = python
fields_list = cs_user_agent,os,osvariant,osversion,browser,browserversion

[ad_username]
external_cmd = ad_username.py cs_username user_subject
external_type = python
fields_list = cs_username user_subject

[ExchangeVersion]
filename = exchange-version.csv
max_matches = 1

[hostInformation]
filename = hostInformation.csv
max_matches = 1

[dbInformation]
filename = dbInformation.csv
max_matches = 1

[msexchange2007msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info"
DELIMS = ,

[msexchange2010msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info","directionality","tenant_id","original_client_ip","original_server_ip","custom_data"
DELIMS = ,

[msexchange2013msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","network_message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info","directionality","tenant_id","original_client_ip","original_server_ip","custom_data"
DELIMS = ,

[msgtrack-recipient]
SOURCE_KEY = recipient
REGEX = (?[^@]+)@(?[^\s]*)

[msgtrack-recipients]
SOURCE_KEY = recipients
REGEX=(?[^;]+);*
MV_ADD = true

[msgtrack-sender]
SOURCE_KEY = sender
REGEX = (?[^@]+)@(?[^\s]*)

[msexch07-trace]
FIELDS = "date_time","connector_id","session_id","sequence_no","local_endpoint","remote_endpoint","event","data","context"
DELIMS = ,

[msexch10-trace]
FIELDS = "date_time","session_id","sequence_no","local_endpoint","remote_endpoint","User","duration","rqsize","rpsize","command","parameters","context"
DELIMS = ,

[pop-legacyid]
SOURCE_KEY = legacyId
REGEX = ./cn=Recipients/cn=(?.)

[pop-context]
SOURCE_KEY = context
REGEX = User (?[^ ]+) Server name (?[^,]+), version (?[^,]+), legacyId (?.*)

[pop-remoteip]
SOURCE_KEY = remote_endpoint
REGEX = (?[^:]+):

0 Karma

jgoddard
Path Finder

Exactly. And in default/props.conf you see:
[WinEventLog:Application]
FIELDALIAS-msgid = Message_ID AS message_id
REPORT-applog = extract_transport, extract_incident, extract_virusname, extract_engines

Splunk is complaining with:
05-03-2013 20:29:04.875 +0000 WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='extract_transport'
05-03-2013 20:29:04.876 +0000 WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='extract_incident'

Perhaps these are harmless, but they are certainly ugly.

0 Karma

ahall_splunk
Splunk Employee

You have a corrupt install of the Splunk App for Exchange. I'd suggest wiping out the default directory and replacing it with one that is fresh downloaded from Splunkbase.

0 Karma

jgoddard
Path Finder

I definitely do not have a corrupted tarball of the Exchange app. I just checked again, and in the freshly downloaded and extracted Splunk_for_Exchange app, I see the same missing extracts.

The only transform defined in the app is the extract_webapp. The extract_transport, extract_incident, extract_virusname, and extract_engines transforms do NOT exist in any of the addons nor the main app.

0 Karma