
How to modify the inputs for the EMC Isilon Add-on for Splunk Enterprise to properly parse all fields?

Makinde
New Member

I would like to use the EMC Isilon Add-on for Splunk Enterprise, but I don't want the add-on to query my device for any logs.

I am currently sending the Isilon logs to a folder on the Splunk forwarder through syslog. I created a local folder in the add-on folder and created an inputs.conf file with the following information:

[monitor://C:\logs\Isilon]
disabled = false
sourcetype = EMC:Isilon:rest

I do receive logs, but the parsed fields are minimal. Basically it passes host, index, event type, sourcetype, line count, and the basics, probably about 10 fields altogether. I believe there are more fields to be parsed, but because of the changes I have made, I have bypassed the script so I feel that's why more fields aren't being parsed.

Does anyone know the app properly and can tell me what to do to get the other fields parsed just as the app was intended?

Thanks,


pjvarjani
Path Finder

Hi,

You are right. Fields in your syslog event are not parsed because you bypassed the script. How to parse the syslog largely depends on the syslog type. I am assuming events are not coming in key=value pairs here; otherwise Splunk would have parsed them automatically.

If you want to parse the syslog manually, you need to extract the required fields in props.conf. There are some other features as well in props.conf which might come in handy for syslog parsing. Below is the link for a sample props.conf:

http://docs.splunk.com/Documentation/Splunk/6.1/Admin/propsconf

Thanks,
Pankaj
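As an added illustration of the props.conf approach in this answer (not code from the Isilon add-on or from the poster), here is a stanza that line-breaks, timestamps and field-extracts syslog-style events. It assumes the monitor input is given a separate, hypothetical sourcetype emc:isilon:syslog so it does not collide with the add-on's own REST stanza, and it works against the constructed sample line shown in the comment; the regex would need adjusting to the actual Isilon syslog format.

```ini
# Added example, not part of the EMC Isilon add-on. Constructed sample event
# this stanza is written for (syslog header followed by key=value pairs):
#   Jun  3 14:02:11 isilon01 isi_audit_syslog[4412]: user=alice op=delete path=/ifs/data/report.xlsx result=SUCCESS

# Hypothetical sourcetype; set the same value in the inputs.conf monitor stanza
[emc:isilon:syslog]

# Index-time: one syslog line per event, timestamp taken from the syslog header
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15

# Search-time: split the syslog header into syslog_host, process, pid and message
EXTRACT-isilon_syslog_header = ^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?<syslog_host>\S+)\s+(?<process>[^\[\s:]+)(?:\[(?<pid>\d+)\])?:\s+(?<message>.*)$

# Search-time: pick up any key=value pairs in the message body automatically
KV_MODE = auto
```

The EXTRACT-* and KV_MODE settings are applied at search time, so they belong on the search head, while LINE_BREAKER and the TIME_* settings are index-time and must be on the first full Splunk instance (heavy forwarder or indexer) that parses the data.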


pjvarjani
Path Finder

Hi,

We have added a new dashboard for syslog and audit logs in the latest EMC Isilon app. The TA is also updated to receive Isilon syslogs on port 514.
You can download the latest Isilon app and add-on (version 2.0) from Splunkbase and test the syslog integration in your environment.

Thanks,
Pankaj

gorla
New Member

Hi Folks,

Good day!

We also have a similar scenario in our env. We have configured both audit_config and audit_protocol with the heavy forwarder IP in Isilon /etc/mcp/override/syslog.config. We can see a few system logs, but not share operation logs (like delete file, rename file, etc.). Does anyone have any insights on the same? Thanks
