https://community.splunk.com/t5/Getting-Data-In/Help-with-Parsing-props-conf-and-transforms-conf/m-p/217306#M96208 <P>Hi Everyone,</P> <P>I cannot figure what I am doing wrong. <BR /> I am using pfsense and I am receiving the logs into splunk but the logs are not being formatted.</P> <P>This is the event which I am receiving in splunk</P> <P>Nov 10 20:12:12 FWPFS001.localdomain Nov 11 15:12:12 filterlog: 84,16777216,,1000003811,igb0,match,pass,out,4,0x0,,127,2445,0,none,17,udp,1378,192.168.0.100,216.58.199.46,28180,443,1358</P> <P>As you can see it is not being tagged with what is configured in the props.conf and transforms.conf</P> <P>Here are my config files.</P> <P>[syslog]<BR /> SHOULD_LINEMERGE = true<BR /> TRUNCATE = 0<BR /> MUST_NOT_BREAK_AFTER = pf: .* rule ([-\d]+\/\d+)(.<EM>?):<BR /> MUST_BREAK_AFTER = pf: .</EM> (&lt;|&gt;) +(\d+.\d+.\d+.\d+).?(\d*):<BR /> REPORT-pf2 = pf2</P> <P>Transforms.conf<BR /> [pf2]</P> <P>REGEX= .* (?pass|block) .* (?TCP|UDP|IGMP|ICMP) .* (?(\d+.\d+.\d+.\d+)).?(?(\d*)) <A href="https://community.splunk.com/?(d+.d+.d+.d+)" target="_blank">&lt;|&gt;</A>.?(?(\d*)): (.*)</P> <P>Any help is greatly appreciated.</P> Tue, 29 Sep 2020 11:44:30 GMT dsofoulis 2020-09-29T11:44:30Z https://community.splunk.com/t5/Getting-Data-In/Help-with-Parsing-props-conf-and-transforms-conf/m-p/217306#M96208 <P>Hi Everyone,</P> <P>I cannot figure what I am doing wrong. <BR /> I am using pfsense and I am receiving the logs into splunk but the logs are not being formatted.</P> <P>This is the event which I am receiving in splunk</P> <P>Nov 10 20:12:12 FWPFS001.localdomain Nov 11 15:12:12 filterlog: 84,16777216,,1000003811,igb0,match,pass,out,4,0x0,,127,2445,0,none,17,udp,1378,192.168.0.100,216.58.199.46,28180,443,1358</P> <P>As you can see it is not being tagged with what is configured in the props.conf and transforms.conf</P> <P>Here are my config files.</P> <P>[syslog]<BR /> SHOULD_LINEMERGE = true<BR /> TRUNCATE = 0<BR /> MUST_NOT_BREAK_AFTER = pf: .* rule ([-\d]+\/\d+)(.<EM>?):<BR /> MUST_BREAK_AFTER = pf: .</EM> (&lt;|&gt;) +(\d+.\d+.\d+.\d+).?(\d*):<BR /> REPORT-pf2 = pf2</P> <P>Transforms.conf<BR /> [pf2]</P> <P>REGEX= .* (?pass|block) .* (?TCP|UDP|IGMP|ICMP) .* (?(\d+.\d+.\d+.\d+)).?(?(\d*)) <A href="https://community.splunk.com/?(d+.d+.d+.d+)" target="_blank">&lt;|&gt;</A>.?(?(\d*)): (.*)</P> <P>Any help is greatly appreciated.</P> Tue, 29 Sep 2020 11:44:30 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-Parsing-props-conf-and-transforms-conf/m-p/217306#M96208 dsofoulis 2020-09-29T11:44:30Z https://community.splunk.com/t5/Getting-Data-In/Help-with-Parsing-props-conf-and-transforms-conf/m-p/217307#M96209 <P>It is unclear if the regular expression works, or if the markup formatting ate parts of what is visible. Regardless, your <CODE>transforms.conf</CODE> stanza may not be complete.</P> <P>Let us assume that you want to create a report for three basic fields: <CODE>action</CODE>, <CODE>protocol</CODE> and <CODE>source ip</CODE>. In this case we are making an assumption that the desired matches are as follows:</P> <P><STRONG>Nov 10 20:12:12 FWPFS001.localdomain Nov 11 15:12:12 filterlog: 84, 16777216, , 1000003811, igb0, match, <CODE>pass</CODE>,out,4,0x0,,127,2445,0,none,17, <CODE>udp</CODE>,1378, <CODE>192.168.0.100</CODE>, 216.58.199.46,28180,443,1358</STRONG></P> <P>In this case, the corresponding props.conf entry will be:</P> <PRE><CODE>[syslog] ... REPORT-pf2 = pf2 </CODE></PRE> <P>And, the transforms.conf entry is as follows:</P> <PRE><CODE>[pf2] REGEX = .+?(pass|block).+?(tcp|udp|igmp|icmp).+?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) FORMAT = action::$1 protocol::$2 src::$3 </CODE></PRE> <P>That should do it. At this point, the data should be represented cleanly in user interface.</P> <P>I hope this helps you,</P> <P>-gc</P> Fri, 11 Nov 2016 16:53:15 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-Parsing-props-conf-and-transforms-conf/m-p/217307#M96209 Gilberto_Castil 2016-11-11T16:53:15Z https://community.splunk.com/t5/Getting-Data-In/Help-with-Parsing-props-conf-and-transforms-conf/m-p/217308#M96210 <P>If I want to create a report with action, protocol, source ip and destination ip. What should I add in the transforms.conf?</P> Thu, 31 May 2018 06:38:34 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-Parsing-props-conf-and-transforms-conf/m-p/217308#M96210 jawadak 2018-05-31T06:38:34Z