
How come our regular expression is working in search but not configs?

I have a local administrator cataloging script running on local machines (just mine while testing). The message output in Splunk is:

```
ObjectClass=Group Name=DOMAIN\AD-SecurityGroup
```

Now I want to break the `Name` field down into domain and object name. The following works properly:

```
index=windows_test sourcetype="Powershell:LocalAdmins" | rex field=Name "(?<domain>[^\\\\]+)\\\\(?<object_name>[^\"]+)"
```

I now get, in addition to the above:

```
domain=DOMAIN object_name=AD-SecurityGroup
```

This is exactly what I want, but when I add it to a field extraction on the search head via a transform (the only way I could find to parse the specific field) as an unquoted string, it doesn't work. I've removed the 2 extra backslashes from the domain match as well as between the capture groups in case they were only needed in the search box. Still doesn't work. In between changes, I've done the debug/refresh as well as restarting the splunkd service on the search head.

In case it helps, here is the input where the script is running:

```
[powershell://LocalAdmins]
script = Get-LocalGroupMember -Group "Administrators" | Select-Object ObjectClass,Name
schedule = 60
sourcetype = PowerShell:LocalAdmins
source = PowerShell
index = windows_test
disabled = false
```

On the search head, here is the transforms.conf and props.conf:

**transforms.conf**

```
[PowershellLocalAdmin]
CLEAN_KEYS = 0
REGEX = (?<domain>[^\\\\]+)\\\\(?<object_name>[^\"]+)
SOURCE_KEY = Name
```

**props.conf**

```
[Powershell:LocalAdmins]
REPORT-PowershellLocalAdmins = PowershellLocalAdmin
```

I'm at a loss right now. I need help in determining if there's something wrong with my regex, or with the way I'm using it, in the configurations. Thank you.
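The difference between the two places the regex is typed is worth seeing concretely. Inside a double-quoted SPL string the search language unescapes `\\` to `\` and `\"` to `"` before the regex engine sees the pattern, so `[^\\\\]+\\\\` reaches PCRE as `[^\\]+\\` (not-a-backslash, then one literal backslash). A `REGEX` value in transforms.conf is read verbatim, so the same characters there mean "two consecutive backslashes", which `DOMAIN\AD-SecurityGroup` never contains. The following is an added example, not code from the original post: it models the SPL string unescaping with a small Python helper (an assumption about SPL's quoting rules, not a Splunk API), runs the page's pattern both ways against a constructed copy of the sample value using Python's `re` as a stand-in for PCRE, and shows the form the conf file needs.

```python
import re

# Constructed sample: the Name value shown in the post's event.
SAMPLE_NAME = r"DOMAIN\AD-SecurityGroup"

# The pattern exactly as typed between double quotes in the search bar.
SEARCH_BAR_REX = r'(?<domain>[^\\\\]+)\\\\(?<object_name>[^\"]+)'

# The same characters pasted verbatim into transforms.conf as REGEX.
CONF_REGEX_AS_POSTED = r'(?<domain>[^\\\\]+)\\\\(?<object_name>[^\"]+)'

# What transforms.conf needs: the pattern the search bar actually handed to PCRE.
CONF_REGEX_FIXED = r'(?<domain>[^\\]+)\\(?<object_name>[^"]+)'


def spl_unescape(literal: str) -> str:
    """Model (assumption) of what SPL does to a double-quoted string literal
    before it reaches rex: '\\\\' becomes '\\' and '\\"' becomes '"'.
    transforms.conf gets no such pass; its REGEX value is used as-is."""
    return re.sub(r'\\(["\\])', r'\1', literal)


def pcre_named_groups_to_python(pattern: str) -> str:
    """Splunk's PCRE writes named groups as (?<name>...); Python's re wants
    (?P<name>...). Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r'\(\?<(?![=!])', '(?P<', pattern)


def extract(pattern: str, value: str) -> dict:
    """Apply a Splunk-style regex to one field value and return the named
    captures, or an empty dict when the pattern does not match (which is what
    an unmatched REPORT extraction looks like in search: no new fields)."""
    match = re.search(pcre_named_groups_to_python(pattern), value)
    return match.groupdict() if match else {}


def compare_all() -> dict:
    """Run the three variants so the reader can see which one matches."""
    return {
        "search_bar_after_unescape": extract(spl_unescape(SEARCH_BAR_REX), SAMPLE_NAME),
        "conf_as_posted": extract(CONF_REGEX_AS_POSTED, SAMPLE_NAME),
        "conf_fixed": extract(CONF_REGEX_FIXED, SAMPLE_NAME),
    }


if __name__ == "__main__":
    for label, fields in compare_all().items():
        print(f"{label}: {fields or 'no match'}")
```

Two caveats a practitioner would check before touching the regex further. First, the working `REGEX` line is the unescaped form: `REGEX = (?<domain>[^\\]+)\\(?<object_name>[^"]+)`. Second, the inputs.conf stanza on the page sets `sourcetype = PowerShell:LocalAdmins` (capital S) while the props.conf stanza is `[Powershell:LocalAdmins]`; a `sourcetype=` filter in search matches case-insensitively, but props.conf stanza names are matched case-sensitively, so a REPORT under the wrong-case stanza never fires regardless of the regex.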
