# Effective props settings for the sourcetype stanza [ldap:open:audit].
# NOTE(review): this looks like merged, per-setting output rather than a file to deploy as-is.
# The first column names the context that supplies each setting; the names are cut to
# 10 characters ("SplunkDire", "SA-Identit", "SA-AccessP"), and "system" presumably marks
# product defaults - confirm against the full app names.
SplunkDire [ldap:open:audit]
system ANNOTATE_PUNCT = True
# Event boundaries: with SHOULD_LINEMERGE = True (set further down), a new event starts only
# at a line matching this pattern: "#", a word, a run of digits, then the rest of the line.
# NOTE(review): presumably the comment header written before each audit record - confirm
# against a raw sample, because a header that does not match is merged into the previous
# event and the two changes become one record.
SplunkDire BREAK_ONLY_BEFORE = ^#\s+\w+\s+\d+\s+.*$
# Timestamps inside a record do not start a new event.
SplunkDire BREAK_ONLY_BEFORE_DATE = False
system CHARSET = UTF-8
# Timestamp recognition uses the default datetime.xml; no TIME_PREFIX or TIME_FORMAT appears
# in this listing, so event time depends on automatic detection within
# MAX_TIMESTAMP_LOOKAHEAD characters. For audit data used in timelines, verify that the
# indexed _time matches the time recorded in the event.
system DATETIME_CONFIG = /etc/datetime.xml
system HEADER_MODE =
system LEARN_SOURCETYPE = true
system LINE_BREAKER_LOOKBEHIND = 100
# Search-time asset enrichment: each lookup matches one host-like field (dest, dvc, host,
# orig_host, src) and writes owner, priority, location, business unit, category and
# PCI-domain fields. OUTPUT overwrites a field of the same name already on the event.
# The values are only as current as the asset table behind these lookups.
SA-Identit LOOKUP-asset_lookup_dest_only = asset_lookup_dest_only dest OUTPUT dest_owner,dest_priority,dest_lat,dest_long,dest_city,dest_country,dest_bunit,dest_category,dest_pci_domain,dest_is_expected,dest_should_timesync,dest_should_update
SA-Identit LOOKUP-asset_lookup_dvc_only = asset_lookup_dvc_only dvc OUTPUT dvc_owner,dvc_priority,dvc_lat,dvc_long,dvc_city,dvc_country,dvc_bunit,dvc_category,dvc_pci_domain,dvc_is_expected,dvc_should_timesync,dvc_should_update
SA-Identit LOOKUP-asset_lookup_host_only = asset_lookup_host_only host OUTPUT host_owner,host_priority,host_lat,host_long,host_city,host_country,host_bunit,host_category,host_pci_domain,host_is_expected,host_should_timesync,host_should_update
SA-Identit LOOKUP-asset_lookup_orig_host_only = asset_lookup_orig_host_only orig_host OUTPUT orig_host_owner,orig_host_priority,orig_host_lat,orig_host_long,orig_host_city,orig_host_country,orig_host_bunit,orig_host_category,orig_host_pci_domain,orig_host_is_expected,orig_host_should_timesync,orig_host_should_update
SA-Identit LOOKUP-asset_lookup_src_only = asset_lookup_src_only src OUTPUT src_owner,src_priority,src_lat,src_long,src_city,src_country,src_bunit,src_category,src_pci_domain,src_is_expected,src_should_timesync,src_should_update
# Account enrichment: flags the acting (src_user) and target (user) account as privileged,
# default or watchlisted. OUTPUTNEW only fills a field that is not already present.
# An account missing from user_account_lookup gets no flags at all, so searches that filter
# on *_is_privileged skip it without any error; keep the account list current.
SA-AccessP LOOKUP-src_user_account_lookup = user_account_lookup user as src_user OUTPUTNEW is_privileged as src_user_is_privileged,is_default as src_user_is_default,is_watchlist as src_user_is_watchlist
SA-AccessP LOOKUP-user_account_lookup = user_account_lookup user OUTPUTNEW is_privileged as user_is_privileged,is_default as user_is_default,is_watchlist as user_is_watchlist
# Accepted timestamp window: up to 2000 days in the past and 2 days in the future.
system MAX_DAYS_AGO = 2000
system MAX_DAYS_HENCE = 2
system MAX_DIFF_SECS_AGO = 3600
system MAX_DIFF_SECS_HENCE = 604800
# At most 256 input lines are merged into one event. A longer audit record is split, and the
# remainder lacks the header line that carries the operation and timestamp.
system MAX_EVENTS = 256
system MAX_TIMESTAMP_LOOKAHEAD = 128
system MUST_BREAK_AFTER =
system MUST_NOT_BREAK_AFTER =
system MUST_NOT_BREAK_BEFORE =
# Search-time field extractions; the stanzas loa-audituser and loa-MultiValueAudit live in
# transforms.conf, which is not part of this listing.
SplunkDire REPORT-AuditUser = loa-audituser
SplunkDire REPORT-MultiValueAudit = loa-MultiValueAudit
system SEGMENTATION = indexing
system SEGMENTATION-all = full
system SEGMENTATION-inner = inner
system SEGMENTATION-outer = outer
system SEGMENTATION-raw = none
system SEGMENTATION-standard = standard
# Required for BREAK_ONLY_BEFORE above to take effect.
SplunkDire SHOULD_LINEMERGE = True
system TRANSFORMS =
# Lines longer than 10000 bytes are cut at index time. Long attribute values in an audit
# record (for example encoded binary data) would be stored incomplete; check the internal
# logs for truncation warnings on this sourcetype if full records are needed as evidence.
system TRUNCATE = 10000
system maxDist = 100
# Stanza precedence value supplied by the app, used where several props stanzas apply.
SplunkDire priority = 100