https://community.splunk.com/t5/Getting-Data-In/Extracting-fields-from-different-syslog-messages-using-props/m-p/178611#M35815 <P>Thank you !,</P> Fri, 08 May 2015 19:17:05 GMT Thuan 2015-05-08T19:17:05Z https://community.splunk.com/t5/Getting-Data-In/Extracting-fields-from-different-syslog-messages-using-props/m-p/178609#M35813 <P>The syslog messages we receive from the firewall have multiple formats. A limited sample is listed below</P> <P>Apr 30 15:26:20 147.81.86.22 %ASA-4-313004: Denied ICMP type=0, from laddr 10.11.20.59 on interface outside to 147.81.104.109: no matching session<BR /> Apr 29 13:39:31 147.81.86.22 %ASA-6-605004: Login denied from 72.81.224.40/63508 to inside:72.81.86.22/ssh for user "dstrollo"<BR /> Apr 28 13:58:47 147.81.37.241 %ASA-3-710003: TCP access denied by ACL from 45.64.188.70/48986 to Internet:72.83.128.9/23</P> <P>Our requirement is to be able to extract all the fields in these messages for our analysts.</P> <P>My question is whether the configuration below will work. If it doesn't it may mess up the existing index. Any advice will be much appreciated.</P> <P>In props.conf, I set up a basic search to extract the syslog message in each record. The results are listed below</P> <P>Denied ICMP type=0, from laddr 10.11.20.59 on interface outside to 147.81.104.109: no matching session<BR /> Login denied from 72.81.224.40/63508 to inside:72.81.86.22/ssh for user "dstrollo"<BR /> TCP access denied by ACL from 45.64.188.70/48986 to Internet:72.83.128.9/23</P> <P>The props.conf is listed below</P> <P>[syslog]</P> <H1>-------</H1> <P>NO_BINARY_CHECK = 1<BR /> pulldown_type = 1<BR /> BREAK_ONLY_BEFORE_DATE = false<BR /> TIME_PREFIX = ^</P> <H1>%Y = year, %m = month, %d = day, %H = hour, %M = minute, %S = seconds, %z = time zone offset</H1> <H1>example = 2015-03-25T16:22:01-04:00</H1> <H1>the - ( in -4:00 =&gt; %z ) is part of the timezone specification (UTC-04:00 versus UTC+04:00)</H1> <P>TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z<BR /> EXTRACT-syslog = \s(?[^\s]+)\s(?[^:]+:)\s(?.+)</P> <P>Then I use different transforms to process each message type separately at search time</P> <P>In props.conf</P> <P>[syslog]<BR /> ....<BR /> EXTRACT-syslog = "as above"<BR /> REPORT-SyslogMsg = SyslogMsg1, SyslogMsg2, SyslogMsg3</P> <P>In trasnforms.conf</P> <P>[SyslogMsg1]<BR /> REGEX = "extract fields in Msg1"</P> <P>SyslogMsg2<BR /> REGEX = "extract fields in Msg2"</P> <P>SyslogMsg3<BR /> REGEX = "extract fields in Msg3"</P> <P>Thank you.</P> Mon, 28 Sep 2020 19:48:40 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-fields-from-different-syslog-messages-using-props/m-p/178609#M35813 Thuan 2020-09-28T19:48:40Z https://community.splunk.com/t5/Getting-Data-In/Extracting-fields-from-different-syslog-messages-using-props/m-p/178610#M35814 <P>It will work and even if it doesn't, because you are using the "REPORT-" directive (Search-time) instead of the "TRANSFORMS-" (or "EXTRACT-") directive (Index-time), it will not do any permanent modifications so there is no risk. Is there really missing backslashes for this transform or did you just mess up the markdown for it:</P> <P>I would make sure each of your 3 REGEX strings contains the string literal text for each individual message variation to avoid false extractions (e.g. "ASA-4-313004", "ASA-6-605004", and "ASA-3-710003").</P> <P>P.S. You do not need the "EXTRACT-syslog" more than once.</P> Sat, 02 May 2015 13:34:31 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-fields-from-different-syslog-messages-using-props/m-p/178610#M35814 woodcock 2015-05-02T13:34:31Z https://community.splunk.com/t5/Getting-Data-In/Extracting-fields-from-different-syslog-messages-using-props/m-p/178611#M35815 <P>Thank you !,</P> Fri, 08 May 2015 19:17:05 GMT https://community.splunk.com/t5/Getting-Data-In/Extracting-fields-from-different-syslog-messages-using-props/m-p/178611#M35815 Thuan 2015-05-08T19:17:05Z