Removed hard-coded "en-US" which, it turns out, is not necessary.
Added new search to help debug ES asset/identity problem.
Modified search names to add security domain prefix values to each.
Fixed missing "=" char in transforms.conf.
App now passes appinspect for cloud again!
NOTE: The stuff in props.conf doesn't work and I am not sure why.
The Splunk-produced stuff for Splunk Authentication events in the "_audit" index has many problems, not the least of which is that it automatically parses the SPL that is logged (because of KV_MODE=auto) and pollutes your event with fake KVPs. This is an even more important problem because if your search has something like "tag=authentication" then these events will be incorrectly pulled into your DMAs! I actually built a proper regular expression but Splunk refuses to run it properly no matter what I try.
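The field pollution described in the note above, shown as an added illustration (not code from this app). The event is constructed, and both regexes are simplified stand-ins for key=value discovery, not Splunk's own extraction rules.

```python
import re

# Constructed sample modelled on an "_audit" search event (not real log data).
SAMPLE = ("Audit:[timestamp=01-02-2024 10:00:00.000, user=alice, action=search, "
          "info=granted, search_id='1704189600.42', "
          "search='search index=main tag=authentication action=failure user=root']")

# Assumption: automatic discovery takes every key=value it can find, quotes or not.
NAIVE = re.compile(r"(\w+)='?([^\s,\]']+)")
# Quote-aware alternative: a quoted value is one opaque string.
QUOTED = re.compile(r"(\w+)='([^']*)'")
BARE = re.compile(r"(\w+)=([^\s,\]']+)")


def naive_kv(event):
    """Collect every key=value pair, including those inside the logged SPL."""
    fields = {}
    for key, value in NAIVE.findall(event):
        fields.setdefault(key, []).append(value)
    return fields


def quote_aware_kv(event):
    """Lift quoted values out first so their contents are never parsed as fields.

    Limitation: SPL that itself contains a single quote would end the value early.
    """
    fields = {}

    def take(match):
        fields[match.group(1)] = match.group(2)
        return ""

    remainder = QUOTED.sub(take, event)
    for key, value in BARE.findall(remainder):
        fields.setdefault(key, value)
    return fields


def pollution(event):
    """Fields whose naive values differ from the quote-aware result."""
    clean = quote_aware_kv(event)
    return {k: v for k, v in naive_kv(event).items() if v != [clean.get(k)]}


if __name__ == "__main__":
    for name, values in pollution(SAMPLE).items():
        print(f"{name}: {values}")
```

In this sample the naive pass gives the event a `tag` value and second `user` and `action` values that exist only inside the logged search string, which is how such an event can match a `tag=authentication` constraint.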