topic Re: Tab separated events in log - how do I parse it into fields? in Getting Data In

Tab separated events in log - how do I parse it into fields?

brent_weaver — Mon, 13 Feb 2017 12:31:39 GMT

I dont know why I cannot get this to work BUT, I have a log that is TSV and I want to carve out the fields. Beyond TSV the first field needs to be parsed as colon separated and my timestamp is the second part of that first field. How do I accomplish this? These are actually bro logs that do not parse correctly with he Spunk App for bro IDS. This app is for v2.4< and we are on 2.5. Any help is much appreciated!

Re: Tab separated events in log - how do I parse it into fields?

richgalloway — Mon, 13 Feb 2017 14:11:59 GMT

Some sample data would be helpful.

Re: Tab separated events in log - how do I parse it into fields?

jkat54 — Mon, 13 Feb 2017 15:32:42 GMT

I find it hard to believe the bro logs dont parse correctly with the splunk app for bro IDS. Did you follow the installation instructions completely?

Do you have a distributed splunk install? If so, where did you put the props?

Re: Tab separated events in log - how do I parse it into fields?

brent_weaver — Mon, 13 Feb 2017 16:03:46 GMT

I did follow the instructions, which clearly state that it is compatible with =

Re: Tab separated events in log - how do I parse it into fields?

brent_weaver — Mon, 13 Feb 2017 16:05:13 GMT

A sample data would be:

1/3/2016 11:05:05\tfield1\tfield2\tfield3

please note that I cannot put the tabs in there so I used the \t esc character. This is just a sample of data for testing purposes.
Thanks!

Re: Tab separated events in log - how do I parse it into fields?

jkat54 — Mon, 13 Feb 2017 16:09:18 GMT

Here's one way, put this props on your forwarders & indexers.

[sourcetypeName]
INDEXED_EXTRACTIONS=TSV
FIELD_NAMES = _time, fielda, fieldb, fieldc

Re: Tab separated events in log - how do I parse it into fields?

brent_weaver — Tue, 29 Sep 2020 12:50:39 GMT

Here is my props.conf:

splunk[/opt/splunk/etc/apps/bro/local] # cat props.conf
[bro]
INDEXED_EXTRACTIONS = TSV
FIELD_NAMES = field1, field2, field3, field4
splunk[/opt/splunk/etc/apps/bro/local] #

This did not work, I am sorry.

Re: Tab separated events in log - how do I parse it into fields?

jkat54 — Mon, 13 Feb 2017 16:24:41 GMT

I noticed this is in /opt/splunk... Do you have a distributed environment?

Can you explain the integration's architecture like below?

bro logs -> universal forwarder -> indexer -> search heads

or maybe

bro logs -> indexer & search head

etc.