Typo in wildcard sourcetype renaming stanza name #16
Comments
I've copied and pasted this many times from the doco so it definitely works. Could you please try and let me know?
Yeah, I did try it and it fixed my index time issue. Timestamps weren't being parsed properly, I believe because Splunk wasn't matching the wildcarded stanza. Based on a sample event, Splunk was trying to use the 00:00 syntax in a "dev" field as a timestamp. So I'm sure some of the events got the right times, but not all of them. (I don't remember testing the search time behavior before I applied the change.) I had to dig a bit to confirm this syntax. It's not documented officially, as you know. And the one Splunk answer from 2010 is a bit confusing and does show the syntax you are using (not in the answer, but in a comment). Here are the things that convinced me on the correct syntax:
For whatever it's worth, I understand Splunk well, and regexes well, and even how Splunk translates the stanza patterns into PCRE regexes... but understanding how this trick actually works has always been elusive. A zero occurrence match? Why should it matter if it's a capture or non-capture group? I'm guessing that if we had access to the right source code it would all make sense.
Like you say, it's an undocumented feature so how it works I don't actually know. I literally copied it out of another app (I think it was Splunk_TA_windows) and modified it for the auditd sourcetypes. Just confirming, the format provided in the documentation here is working for you?
The Installation-and-Configuration wiki page appears to have a typo regarding the wildcard sourcetype matching.
https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration
This:
[(::){0}linux*audit]
Should be
[(?::){0}linux*audit]
You were missing the ?
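As an added example (not code from the splunk_auditd project or from anyone in this thread), the script below scans a props.conf fragment for stanza headers, flags the capturing form `(::){0}` that this issue reports as the typo, and translates each wildcard stanza into a PCRE-style regex to show which sourcetype names it would cover. The props.conf text and the sourcetype names are constructed for the demonstration; the translation of `*` to `.*` is an assumption that stands in for Splunk's own wildcard handling (sourcetype names contain no path separators, so the distinction does not matter here). As the comments above note, both forms are equivalent as plain PCRE, since a group repeated `{0}` times contributes nothing to the match; whatever makes Splunk accept only the non-capturing form lies in its stanza handling, which this script does not model.

```python
import re

# Constructed props.conf fragment (not the project's file): the first stanza
# carries the typo the issue reports, the second uses the corrected syntax,
# the third is a plain (non-wildcard) sourcetype stanza.
SAMPLE_PROPS = """\
[(::){0}linux*audit]
TIME_PREFIX = audit\\(
TIME_FORMAT = %s.%3N

[(?::){0}linux*audit]
TIME_PREFIX = audit\\(
TIME_FORMAT = %s.%3N

[linux_audit]
SHOULD_LINEMERGE = false
"""

# A stanza header is a line of the form [name].
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$", re.M)

# The capturing-group form the issue identifies as the typo.
TYPO_RE = re.compile(r"\(::\)\{0\}")


def stanza_names(conf_text):
    """Return stanza names in file order."""
    return [m.group("name") for m in STANZA_RE.finditer(conf_text)]


def has_wildcard_typo(name):
    """True when the stanza uses (::){0} instead of (?::){0}."""
    return TYPO_RE.search(name) is not None


def stanza_to_regex(name):
    """Approximate wildcard-to-PCRE translation for a stanza name.

    Assumption: '*' becomes '.*'; every other character is passed through
    unchanged, so the (?::){0} prefix stays a regex group repeated zero times.
    """
    return re.compile("^" + ".*".join(name.split("*")) + "$")


def matching_sourcetypes(name, sourcetypes):
    """Sourcetype names the stanza pattern would match."""
    rx = stanza_to_regex(name)
    return [s for s in sourcetypes if rx.match(s)]


def audit(conf_text, sourcetypes):
    """Per stanza: whether it carries the typo and which sourcetypes it covers."""
    return {
        name: {
            "typo": has_wildcard_typo(name),
            "matches": matching_sourcetypes(name, sourcetypes),
        }
        for name in stanza_names(conf_text)
    }


if __name__ == "__main__":
    # Constructed sourcetype names for the demonstration.
    names = ["linux_audit", "linux_secure", "linuxaudit", "linux:audit"]
    for stanza, info in audit(SAMPLE_PROPS, names).items():
        flag = "TYPO" if info["typo"] else "ok"
        print(f"[{stanza}] {flag} -> {info['matches']}")
```

Running it shows the first two stanzas match exactly the same sourcetype names, while only the first is flagged; the fix the issue asks for is purely the insertion of `?`, not a change in what the pattern matches.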