topic Re: How to use props and transform.conf in splunk in Splunk Enterprise

How to use props and transform.conf in splunk

vikas_gopal — Tue, 28 Feb 2017 10:20:59 GMT

Hi Experts,

I am injecting below logs into splunk using file input.

cs2Label=Original Category Outcome cs3Label=Original Device Product cs4Label=Internal Host cs5Label=Malicious IP Address

After parsing into splunk I can see below output
cs2Label=Original
cs3Label=Original
cs4Label=Internal
cs5Label=Malicious

So from the output it is clear that it is ignoring string after first space . So I tried my own regex and place it in
transform.conf

[abc]
REGEX = (([\w.:\[\]]+)=(.*?(?=(?:\s[\w.:\[\]]+=|$))))

props.conf

[cef]
TRANSFORMS-blah = abc

Still I can see string is missing in all the fields . Please suggest how I can achieve it using props and transform conf.

Thanks
VG

Re: How to use props and transform.conf in splunk

jkat54 — Tue, 28 Feb 2017 10:45:00 GMT

What is the event from? Have you tried using a TA that already has the extractions for the device? Splunk TA Cisco for example if it's a Cisco device? That's the easiest method.

Re: How to use props and transform.conf in splunk

jkat54 — Tue, 28 Feb 2017 10:46:14 GMT

https://splunkbase.splunk.com/app/487/

Re: How to use props and transform.conf in splunk

vikas_gopal — Tue, 28 Feb 2017 11:02:21 GMT

Actually it was just for the learning purpose .I prepare a sample log and feed it to Splunk using file input.My idea was not to use TA and want to extract fields using these 2 confs . May be this TA use props and transform for extraction and I can get some help from that .