I am trying to get the three IP addresses to use a new sourcetype when they send in data.
props.conf reads:
[source::udp:514]
TRANSFORMS-riverbed_src = riverbed_steelhead
TRANSFORMS-changesourcetype = sourcetype_cisco_asa
transforms.conf reads:
[riverbed_steelhead]
REGEX = (10.12.0.20:10.0.0.33:10.10.20.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead
[sourcetype_cisco_asa]
REGEX = (10.12.254.1:10.10.20.254:10.1.250.254)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_asa
I get the error:
Possible typo in stanza [riverbed_steelhead] in transforms.conf. Line 4
Possible typo in stanza [sourcetype_cisco_asa] in transforms.conf. Line 10
Can someone help me find my problem please.
FYI: I also tried the format:
REGEX = (10.12.0.20|10.0.0.33|10.10.20.185)
I am wondering if the error is because you are using the incorrect syntax for the regex. If you want more than one IP address to match with the REGEX then you need to separate them with a pipe symbol and not a colon. Here is an example of what I would try:
[riverbed_steelhead]
REGEX = (10.12.0.20|10.0.0.33|10.10.20.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead
I tried it and still got the same error.
See my comment above for the explanation of your error. You can't have two TRANSFORMS lines in a single props.conf stanza.
Thanks for the reply.
I am getting the logs sent to the new source type.
I still get that error though.
Can I have the logs to go to just the new sourcetype and not to syslogs at all ?
Thanks
I am new to this.
First time I am setting up Splunk. I am nowhere close to being a REGEX guru.
The error that I get is:
Possible typo in stanza [riverbed_steelhead] in transforms.conf. Line 4
Thanks
..and what error was it throwing at you? Can you paste it pls?
Well, your original posting did indeed indicate that as the way you were going, vistasyslog, in the transforms and props?!
If you are talking about the indexer, yes that is what it is now expecting. If you are talking forwarder then yes, that's where it will be sending...
As Ayn said - are you new to this? No probs if so, just say - then peeps won't assume you are a guru on regex (for example)...they just want to help. Full problem statements get better results, trust me - we all need it.
The reason for the typo is you have two TRANSFORMS configurations when you should only have one. Instead of the two lines you have there, use:
TRANSFORMS-changesourcetype = riverbed_steelhead, sourcetype_cisco_asa
If you need to add more transforms.conf stanzas to this source, you just append them to the line, comma separated.
One thing I don't understand is, when I restart Splunk, why do I get the typo error?
Is the above change going to make the IP addresses stop using syslog sourcetype and use just the riverbed_steelhead sourcetype ?
If you want Splunk to read from the host field rather than the _raw field, then you must tell it to do so, yes.
SOURCE_KEY = MetaData:Host
REGEX = (10\.12\.0\.20|10\.0\.0\.33|10\.10\.20\.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead
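To make the two fixes in this thread concrete (one comma-separated TRANSFORMS line in props.conf, and SOURCE_KEY = MetaData:Host with escaped dots in transforms.conf), here is an added example, not code from the thread or from Splunk, that replays the routing in Python over constructed syslog events. The ^ and $ anchors are my addition: without them 10.10.20.185 also matches a host such as 110.10.20.1855. The sample events are constructed.

```python
import re

# Constructed events standing in for what udp:514 delivers: the host Splunk
# derived from the sender, and the raw syslog text.
EVENTS = [
    {"host": "10.10.20.185", "_raw": "<14>Jan 1 00:00:01 steelhead: flow opened"},
    {"host": "10.12.254.1", "_raw": "<166>%ASA-6-302013: Built inbound TCP connection"},
    {"host": "110.10.20.1855", "_raw": "<13>unrelated host"},          # partial-match trap
    {"host": "10.1.1.1", "_raw": "<13>relay: forwarded for 10.0.0.33"},  # IP only in _raw
]

# transforms.conf stanzas with the thread's fixes: pipe for OR, escaped dots,
# SOURCE_KEY on the host field, plus anchors (my addition) for whole-value matches.
TRANSFORMS = {
    "riverbed_steelhead": {
        "SOURCE_KEY": "MetaData:Host",
        "REGEX": r"^(10\.12\.0\.20|10\.0\.0\.33|10\.10\.20\.185)$",
        "FORMAT": "sourcetype::riverbed_steelhead",
    },
    "sourcetype_cisco_asa": {
        "SOURCE_KEY": "MetaData:Host",
        "REGEX": r"^(10\.12\.254\.1|10\.10\.20\.254|10\.1\.250\.254)$",
        "FORMAT": "sourcetype::cisco_asa",
    },
}

# The single props.conf line from the accepted answer:
# TRANSFORMS-changesourcetype = riverbed_steelhead, sourcetype_cisco_asa
TRANSFORMS_ORDER = ["riverbed_steelhead", "sourcetype_cisco_asa"]


def match_host(regex, value):
    """True if the regex matches the value, as Splunk would test it."""
    return re.search(regex, value) is not None


def route(event, transforms=TRANSFORMS, order=TRANSFORMS_ORDER, default="syslog"):
    """Sourcetype an event ends up with after the transforms run in order.
    DEST_KEY = MetaData:Sourcetype means a later match overwrites an earlier one."""
    sourcetype = default
    for name in order:
        t = transforms[name]
        # SOURCE_KEY picks the field the regex runs on; without it Splunk uses _raw.
        subject = event["host"] if t.get("SOURCE_KEY") == "MetaData:Host" else event["_raw"]
        if match_host(t["REGEX"], subject):
            sourcetype = t["FORMAT"].split("::", 1)[1]
    return sourcetype


def route_all(events=EVENTS):
    """Map each constructed host to the sourcetype it would be indexed under."""
    return {e["host"]: route(e) for e in events}
```

The relay event stays on syslog because the matching IP is only in _raw, which the host-keyed transform never looks at.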
I am figuring it out.
I thought the backslash before every dot on the IP address was the right way to do it.
I am getting typos for the first line though.
Should I specify a source key ?
All I need is a way to have 10.10.20.185 use the sourcetype as riverbed_steelhead instead of syslog.
Thanks mate, appreciated.
Your regexes look weird, vistasyslog. Do you know how to write regexes, or are you figuring it out as you go along? Because ":" is definitely not interpreted as an OR operator in regular expressions. "|" is, though.
Also you're not specifying a SOURCE_KEY, which means Splunk will match against the raw event data. Is this what you want, or do you want to read from the host field?
Either indent code blocks with four spaces at the start of each line (this line needs to have empty lines before and after), or use backticks. This should make code show properly.
May I just check - you have tried "10\.12\.0\.20" etc...?
Understood - I know the issue re slashes (forward or backwards) being a representation issue...it's something to do with the formatting of responses and can be overcome. I'm not sure how as yet, but others have kindly corrected my stuff and I need to learn too! 😉
there is a backslash before each ".", which for some reason is not showing up when I type it here.
I also tried : [10.12.0.20|10.0.0.33) and that did not work either.
I don't understand the typo in the first line.
Don't you need to escape the dots vistasyslog? Point / dot is a metacharacter in regular expressions. Usually fixed ones are in quotes? I'll try sort the regex out unless somebody does it first...