https://community.splunk.com/t5/Getting-Data-In/Creating-Splunk-App-to-parse-syslogs/m-p/542153#M90607 <P>I would like to find a detaild tutorial on how to create a splunk app to parse syslogs, with pre-defined field names, not the automatic key/value that splunk is able to detect.</P><P>I have syslogs with different log types, I wonder if there is some documentation/tutorial on this. Can anyone point in the right direction? I am new to splunk. Thanks.</P> Wed, 03 Mar 2021 13:21:54 GMT hm222jy 2021-03-03T13:21:54Z https://community.splunk.com/t5/Getting-Data-In/Creating-Splunk-App-to-parse-syslogs/m-p/542153#M90607 <P>I would like to find a detaild tutorial on how to create a splunk app to parse syslogs, with pre-defined field names, not the automatic key/value that splunk is able to detect.</P><P>I have syslogs with different log types, I wonder if there is some documentation/tutorial on this. Can anyone point in the right direction? I am new to splunk. Thanks.</P> Wed, 03 Mar 2021 13:21:54 GMT https://community.splunk.com/t5/Getting-Data-In/Creating-Splunk-App-to-parse-syslogs/m-p/542153#M90607 hm222jy 2021-03-03T13:21:54Z https://community.splunk.com/t5/Getting-Data-In/Creating-Splunk-App-to-parse-syslogs/m-p/542171#M90609 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232080">@hm222jy</a>,</P><P>to do this you have the following items:</P><UL><LI>identify each type pf syslog fpr your flows,</LI><LI>group all the one with the same structure,</LI><LI>create a sourcetype for each type defining the specifications of each one:<UL><LI>event breaks,</LI><LI>timestamp,</LI><LI>field extractions,</LI><LI>eventtypes,</LI><LI>tags,</LI><LI>aliases,</LI><LI>fields calculations.</LI></UL></LI><LI>eventually check the CIM compliance of your sourcetypes.</LI></UL><P>all these configurations will be in props.conf and transforms.conf files that you can put in one or more Technical Add-Ons (TAs).</P><P>You can find documentazione about this in:</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/WhatSplunkcanmonitor" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/WhatSplunkcanmonitor</A></P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Configurationparametersandthedatapipeline" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Configurationparametersandthedatapipeline</A></P><P><A href="https://docs.splunk.com/Documentation/CIM/4.18.0/User/Overview" target="_blank">https://docs.splunk.com/Documentation/CIM/4.18.0/User/Overview</A></P><P>Ciao.</P><P>Giuseppe</P> Wed, 03 Mar 2021 14:17:57 GMT https://community.splunk.com/t5/Getting-Data-In/Creating-Splunk-App-to-parse-syslogs/m-p/542171#M90609 gcusello 2021-03-03T14:17:57Z https://community.splunk.com/t5/Getting-Data-In/Creating-Splunk-App-to-parse-syslogs/m-p/542184#M90610 <P>Grazie Giuseppe.&nbsp; The documentation sometimes is hard to digest for newbies but will try to go through it.&nbsp;</P> Wed, 03 Mar 2021 15:19:18 GMT https://community.splunk.com/t5/Getting-Data-In/Creating-Splunk-App-to-parse-syslogs/m-p/542184#M90610 hm222jy 2021-03-03T15:19:18Z https://community.splunk.com/t5/Getting-Data-In/Creating-Splunk-App-to-parse-syslogs/m-p/542185#M90611 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232080">@hm222jy</a>,</P><P>try to have the documentation of the Admin Training, or (better) follow this training.</P><P>It's also useful to follow the Sales Engineers I and II Training Courses, where log ingestion is described .</P><P>Ciao and happy splunking.</P><P>Giuseppe</P> Wed, 03 Mar 2021 15:23:20 GMT https://community.splunk.com/t5/Getting-Data-In/Creating-Splunk-App-to-parse-syslogs/m-p/542185#M90611 gcusello 2021-03-03T15:23:20Z