Skip to content

Instantly share code, notes, and snippets.

@jpclipffel

jpclipffel/Splunk - Office365 parsing.md

Created March 11, 2019 08:09
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jpclipffel/cb27967406fbb3ea648ad4bb5ad32f1c to your computer and use it in GitHub Desktop.
Save jpclipffel/cb27967406fbb3ea648ad4bb5ad32f1c to your computer and use it in GitHub Desktop.
Download ZIP
Splunk - Office365 parsing
Raw
Splunk - Office365 parsing.md

Splunk - Office365 parsing

How to re-parse Office365 logs collected from the application splunk_ta_o365.

Context

The add-on splunk_ta_o365 may sometimes produces multi-lines JSON events (ie. an event with several JSON objects separated by a new line). The following modification change the line breaker configuration.

Edit the line breaker configuration

Edit the file $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/props.conf (create it if it doesn't exists) and add the following lines:

[o365:management:activity]
KV_MODE = json
LINE_BREAKER = }([\r\n\s]+){
TIME_PREFIX = "CreationTime":\s*"
TZ = UTC
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment