Hi Answers,
I'm currently using the following apps:
Cisco Networks App for Splunk Enterprise 2.5.8 (https://splunkbase.splunk.com/app/1352/)
Cisco Networks Add-on for Splunk Enterprise 2.5.8 (https://splunkbase.splunk.com/app/1467/)
I'm collecting the logs from the devices via syslog:
Here is how the raw log looks in Splunk:
Oct 9 16:14:04 syslog-server.domain.com 1 aa-bbbb-ccc: *pemReceiveTask: Oct 09 16:13:56.935: %DTL-6-OSARP_ADD_FAILED: [SS]dtl_arp.c:1549 Unable to add an ARP entry for x.x.x.x to the operating system. No such device.*
syslog-server.domain.com = syslog server (some device names have "-" in them)
aa-bbbb-ccc = device (some device names have "-" in them)
Splunk extracts host=syslog-server.domain.com and dvc=syslog-server.domain.com. I applied the syslog-header-stripper-ts-host in both props.conf and transforms.conf, but that doesn't change the host and dvc values.
TA-cisco_ios\props.conf
[source::udp:514]
TRANSFORMS-strip-syslog = syslog-header-stripper-ts-host
TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_ios-xr, force_sourcetype_for_cisco_ios-xe
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 100
TA-cisco_ios\transforms.conf
# This will strip the syslog header (date stamp and host) from a syslog event
[syslog-header-stripper-ts-host]
REGEX = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]*\s\d\s(.*)$
FORMAT = $1
DEST_KEY = _raw
The syslog-header-stripper-ts-host data looks like:
aa-bbbb-ccc: *pemReceiveTask: Oct 09 16:09:56.926: %DTL-6-OSARP_ADD_FAILED: [SS]dtl_arp.c:1549 Unable to add an ARP entry for x.x.x.x to the operating system. No such device.*
In this case the host and dvc are still set to syslog-server.domain.com. How do I change the value of host and dvc to aa-bbbb-ccc?
I appreciate the help.
Hi hfernandez_hfernandez_,
I'm not sure about your regex because I cannot read it; please use the Code Sample button (the one with 101010). Here is my regex for the host field, which you have to extract at index time:
^\w+\s+\d+\s+\d+:\d+:\d+\s+[^ ]*\s+\d+\s+([^:]*)
that you can test at https://regex101.com/r/iOnbKJ/1
Then at search time you can extract the dvc field with this regex:
^\w+\s+\d+\s+\d+:\d+:\d+\s+(?<dvc>[^ ]*)
that you can test at https://regex101.com/r/iOnbKJ/2
In addition, where did you deploy this TA?
It must be on the Indexers.
Bye.
Giuseppe
Hi Giuseppe,
I appreciate the reply and guidance. The sample code comes from the etc/system/default/transforms.conf file under the stanza:
# This will strip the syslog header (date stamp and host) from a syslog event
[syslog-header-stripper-ts-host]
REGEX = ^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]*\s(.*)$
FORMAT = $1
DEST_KEY = _raw
Ah, here's more background info. We have Splunk Cloud, and the app and TA are installed on both the Cloud SHs and INDs. The syslog data is being sent to an on-prem HF via a UDP port, and I'm configuring the TA there. The challenge is that the App Dashboards show the host and dvc as the syslog server rather than the actual network device. I would simply change the field name in the code, but the actual device name is not captured. How do I go about setting the host and/or dvc to the actual device name at index time in the TA? I appreciate it.
Ok, I was able to get it to work. I applied your regex and the following code to the TA's props.conf and transforms.conf files. Here is the code:
TA-cisco_ios\props.conf
[source::udp:514]
TRANSFORMS-force_host = force_real_host
and
TA-cisco_ios\transforms.conf
[force_real_host]
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\s+[^ ]*\s+\d+\s+([^:]*)
FORMAT = host::$1
DEST_KEY = MetaData:Host
I appreciate the help. Hope this helps others.
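A small emulation of the two index-time transforms from this thread, added here as an example and not code from the thread, the Cisco Networks app or Splunk itself. It runs the [force_real_host] regex and the [syslog-header-stripper-ts-host] regex (the variant quoted in the question, with the priority digit) over two constructed sample lines with placeholder syslog-server and device names, and shows one thing the thread does not spell out: the host regex expects the full syslog header, so it only matches if it sees _raw before the stripper has removed the timestamp and syslog server. The `index_event` function, the `order` parameter and the sample lines are assumptions made for this example.

```python
import re

# Constructed sample events, modelled on the raw line quoted in the question.
# Syslog server and device names are placeholders, not real hosts.
SAMPLE_EVENTS = [
    "Oct 9 16:14:04 syslog-server.domain.com 1 aa-bbbb-ccc: *pemReceiveTask: "
    "Oct 09 16:13:56.935: %DTL-6-OSARP_ADD_FAILED: [SS]dtl_arp.c:1549 "
    "Unable to add an ARP entry for x.x.x.x to the operating system. No such device.*",
    # second constructed line: hyphenated device name and a two-digit day
    "Nov 12 08:05:30 syslog-server.domain.com 1 sw-core-01: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet1/0/1, changed state to down",
]

# REGEX from the [force_real_host] stanza posted in the thread (index time).
HOST_REGEX = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+[^ ]*\s+\d+\s+([^:]*)")

# REGEX from the [syslog-header-stripper-ts-host] stanza as quoted in the question.
STRIP_REGEX = re.compile(r"^[A-Z][a-z]+\s+\d+\s\d+:\d+:\d+\s[^\s]*\s\d\s(.*)$")

# The UDP input stamps the sending syslog server as host before any transform runs.
INPUT_HOST = "syslog-server.domain.com"


def apply_transform(raw, regex, fmt):
    """Emulate one transforms.conf stanza: return FORMAT with $1 filled in,
    or None when REGEX does not match (the key is then left untouched)."""
    m = regex.search(raw)
    if m is None:
        return None
    return fmt.replace("$1", m.group(1))


def index_event(raw, order):
    """Emulate index-time processing of one event. `order` (an assumption for
    this example) is the sequence in which the two transforms run."""
    event = {"_raw": raw, "host": INPUT_HOST}
    for name in order:
        if name == "force_real_host":
            # FORMAT = host::$1, DEST_KEY = MetaData:Host
            out = apply_transform(event["_raw"], HOST_REGEX, "host::$1")
            if out is not None:
                event["host"] = out.split("::", 1)[1]
        elif name == "strip-syslog":
            # FORMAT = $1, DEST_KEY = _raw
            out = apply_transform(event["_raw"], STRIP_REGEX, "$1")
            if out is not None:
                event["_raw"] = out
        else:
            raise ValueError(f"unknown transform {name!r}")
    return event


def extracted_hosts(order):
    """Host value each sample event ends up with under the given transform order."""
    return [index_event(raw, order)["host"] for raw in SAMPLE_EVENTS]


if __name__ == "__main__":
    for order in (["force_real_host", "strip-syslog"],
                  ["strip-syslog", "force_real_host"]):
        print(order)
        for raw in SAMPLE_EVENTS:
            ev = index_event(raw, order)
            print(f"  host={ev['host']!r}  _raw={ev['_raw'][:40]!r}...")
```

With the host transform running first, both events get the device name as host and _raw is reduced to the device-prefixed message; with the stripper running first, the host regex no longer matches (the stripped line starts with the device name, not a month) and host silently stays the syslog server. After changing the TA it is worth checking the host field on a few fresh events rather than assuming the transform fired.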
Hi hfernandez_,
did you solve it?
Bye.
Giuseppe
Hi Giuseppe,
Yes, I was able to put together all the pieces and got it to work. I appreciate the help in pointing me in the right direction.