My Event:

```
Directory: /var/tmp/.X11-unix
Mtime : 2015-01-06 06:26:36 +0000 | 2016-01-04 15:31:39 +0000
Ctime : 2015-01-06 06:26:36 +0000 | 2016-01-04 15:31:39 +0000
Inode : 12 | 393217
```
Props.conf (the relevant stuff):

```
[source::.../aide.log]
sourcetype = aide

# Configuration for the new sourcetype
[aide]
pulldown_type = TRUE
SHOULD_LINEMERGE = TRUE
MAX_EVENTS = 1000
KV_MODE = none
DATETIME_CONFIG = NONE
MAX_TIMESTAMP_LOOKAHEAD = 0
REPORT-extract_changes = extract_changes
```
Transforms:

```
# Extract each field pair from detailed message:
[extract_changes]
REGEX = ^\s\s(\w+)\s*:\s([^|]+)\|\s([^\n]+)\n*
FORMAT = value::$1 old_value::$2 new_value::$3
MV_ADD = true
```
These give me twice the results I would expect, can't figure out why:
![alt text][1]
[1]: /storage/temp/81184-splunk-answers.png
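To see what the transform's regex actually yields on the event in the question, here is an added Python example (not from the original post, not Splunk code) that runs the same pattern over a constructed copy of the AIDE event. The two-space indent on the attribute lines is assumed, since the pattern's leading `\s\s` requires it. Run stand-alone, the pattern produces exactly one row per attribute line, which separates "the regex over-matches" from "the extraction is being applied more than once in the Splunk config" as causes of the doubled results. It also shows a caveat of the pattern as written: `([^|]+)` keeps the trailing space before the `|`, so a tightened variant (assumed, not from the question) is included alongside it.

```python
import re

# Constructed sample event in the layout AIDE uses for a changed directory
# (values copied from the question; the two-space indent on the attribute
# lines is assumed, since the transform's regex expects it).
SAMPLE_EVENT = (
    "Directory: /var/tmp/.X11-unix\n"
    "  Mtime    : 2015-01-06 06:26:36 +0000 | 2016-01-04 15:31:39 +0000\n"
    "  Ctime    : 2015-01-06 06:26:36 +0000 | 2016-01-04 15:31:39 +0000\n"
    "  Inode    : 12 | 393217\n"
)

# The REGEX from the question's transforms.conf, unchanged. re.MULTILINE makes
# '^' match at every line start so each attribute line is matched in turn.
QUESTION_RE = re.compile(r"^\s\s(\w+)\s*:\s([^|]+)\|\s([^\n]+)\n*", re.MULTILINE)

# A tightened variant (assumed, not from the question): lazy groups plus '\s*'
# around the separator so captured values carry no leading or trailing spaces.
TRIMMED_RE = re.compile(r"^\s{2}(\w+)\s*:\s*(.*?)\s*\|\s*(.*?)\s*$", re.MULTILINE)


def extract_changes(event, pattern=QUESTION_RE):
    """Return one dict per matched attribute line, using the same field names
    as the FORMAT line in the question (value, old_value, new_value)."""
    return [
        {"value": m.group(1), "old_value": m.group(2), "new_value": m.group(3)}
        for m in pattern.finditer(event)
    ]


def changed_attributes(event, pattern=TRIMMED_RE):
    """Collapse the rows into {attribute: (old, new)} so a detection rule can
    ask, for example, whether the inode of a monitored directory changed."""
    return {
        r["value"]: (r["old_value"], r["new_value"])
        for r in extract_changes(event, pattern)
    }


if __name__ == "__main__":
    # With the question's regex, old_value for Inode is "12 " (trailing space).
    for row in extract_changes(SAMPLE_EVENT):
        print(row)
    # With the trimmed regex the values are clean: {'Inode': ('12', '393217'), ...}
    print(changed_attributes(SAMPLE_EVENT))
```

If the stand-alone run gives one row per line but Splunk shows two, the regex itself is not producing the extra rows; that points the investigation at how often the REPORT extraction is being applied rather than at the pattern.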