jpclipffel/Splunk - Office365 parsing.md

Created March 11, 2019 08:09

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/jpclipffel/cb27967406fbb3ea648ad4bb5ad32f1c.js"></script>
Save jpclipffel/cb27967406fbb3ea648ad4bb5ad32f1c to your computer and use it in GitHub Desktop.

Download ZIP

Splunk - Office365 parsing

Raw

Splunk - Office365 parsing.md

Splunk - Office365 parsing

How to re-parse Office365 logs collected from the application splunk_ta_o365.

Context

The add-on splunk_ta_o365 may sometimes produces multi-lines JSON events (ie. an event with several JSON objects separated by a new line). The following modification change the line breaker configuration.

Edit the line breaker configuration

Edit the file $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/props.conf (create it if it doesn't exists) and add the following lines:

[o365:management:activity]
KV_MODE = json
LINE_BREAKER = }([\r\n\s]+){
TIME_PREFIX = "CreationTime":\s*"
TZ = UTC
TIME_FORMAT = %Y-%m-%dT%H:%M:%S

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment