I might be mistaken, but I don’t believe there is a direct inspector available to retrieve this information. However, since all UID and GID values are stored in ‘/etc/passwd’, you can use the following relevance to fetch this information.
I don’t have access to ‘splunkfwd’ to test, but I used my test ID and was able to retrieve values in the following format.
Q: "UID:" & (preceding text of first ":" of following text of first "x:" of lines whose (it contains "TestUser") of file "/etc/passwd"), "GID:" & (following text of first ":" of following text of first ":" of following text of first ":" of preceding text of first ":TestUser" of lines whose (it contains "TestUser") of file "/etc/passwd")
A: UID:1000, GID:1000
T: 460
If you encounter any issues, simply extract the line containing ‘splunkfwd’ from the file ‘/etc/passwd’, and someone will be able to assist you.
I found this one (source fixlet ID # 126441, CIS Checklist RHEL 7) as well; it's amazing, it gives you more power to fetch any desired result from the lines.
(regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") : This applies a regular expression pattern to each line to capture different fields (such as username, UID, GID, etc.).
(parenthesized part 3 of it) : This extracts the third parenthesized part of the regular expression match, you can change these numeric value to fetch any result from the lines.
Q: (parenthesized part 1 of first matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") of lines whose (it contains "vkhurava") of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) as string, "UID: " & (parenthesized part 3 of first matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") of lines whose (it contains "vkhurava") of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) as string, "GID: " & (parenthesized part 4 of first matches (regex "^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$") of lines whose (it contains "vkhurava") of (if exists file "/etc/passwd" then file "/etc/passwd" else error "no file: /etc/passwd")) as string
A: vkhurava, UID: 1000, GID: 1000
T: 640
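The same seven-field regex from the post, applied in Python as an added example (this is not code from the forum thread or from the CIS checklist fixlet). It works over a constructed /etc/passwd sample, returns the UID and GID of an account by exact username, and also shows why the `lines whose (it contains "...")` filter used in the relevance above can pick up more than one line when another account name contains the same substring. The account names, UIDs and GIDs in the sample are made up.

```python
import re

# Regex quoted in the post: seven colon-separated fields of /etc/passwd
# (name, password, UID, GID, GECOS, home, shell). Greedy groups are safe
# because a valid line has exactly six colons, so the split is unique.
PASSWD_RE = re.compile(r"^(.*):(.*):(.*):(.*):(.*):(.*):(.*)$")

# Constructed sample; not taken from any real system.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
splunkfwd:x:1000:1000:Splunk Forwarder:/opt/splunkforwarder:/bin/bash
splunkfwd2:x:1001:1001::/home/splunkfwd2:/sbin/nologin
vkhurava:x:1002:1002:Test User:/home/vkhurava:/bin/bash
"""


def lookup_user(passwd_text, username):
    """Return name/uid/gid/home/shell for the exact username, or None."""
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = PASSWD_RE.match(line)
        if not m:
            continue  # malformed line, skip rather than guess
        name, _pw, uid, gid, _gecos, home, shell = m.groups()
        if name == username:  # exact match on field 1, not a substring test
            return {"name": name, "uid": int(uid), "gid": int(gid),
                    "home": home, "shell": shell}
    return None


def substring_matches(passwd_text, fragment):
    """Mimic 'lines whose (it contains fragment)' and list the account
    names it selects; shows the over-match a substring filter can cause."""
    return [line.split(":")[0]
            for line in passwd_text.splitlines() if fragment in line]


def format_like_relevance(record):
    """Render a record in the 'name, UID: n, GID: n' shape shown in the post."""
    return f'{record["name"]}, UID: {record["uid"]}, GID: {record["gid"]}'


if __name__ == "__main__":
    rec = lookup_user(SAMPLE_PASSWD, "splunkfwd")
    print(format_like_relevance(rec))
    print("substring filter selects:", substring_matches(SAMPLE_PASSWD, "splunkfwd"))
```

Running it on a real host means replacing `SAMPLE_PASSWD` with the contents of `/etc/passwd`; the exact-name comparison in `lookup_user` is the check to carry back into the relevance (compare parenthesized part 1 against the account name rather than relying on `it contains`), so a compliance query for a service account does not silently report the UID of a similarly named account.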