Re: sourcetype extraction issues

chrisgangl · ‎04-21-2020

I'm using the TA pfsense app and I am trying to fix some sourcetype extraction issues. The current app is supposed to use a transform to extract the sourcetype. Most logs have prepended time stamp, but nginx does not. There is a regex that uses a non-capture group to grab the timestamp in most logs and then select the log type for source. I edited this and added an or statement to get the nginx logs, but it does seem to work. So I then created a second transform for sourcetype to get the nginx logs, but that is not working either. What is the proper way to parse the same log stream multiple time inline with a regex and use a transform to label both logs with their proper sourcetypes. I can't see to find a good method for this in the docs. Thanks.

pkt_nspktr · ‎07-02-2020

@chrisgangl, I had similar issues and found a solution that worked for me; see my post https://community.splunk.com/t5/All-Apps-and-Add-ons/TA-pfsense-transforms-conf-pfsense-sourcetyper-....

If that doesn't help, I'm willing to share what little knowledge I've gained beating my head against the desk trying to get this to work for me!

sourcetype extraction issues

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation