All Apps and Add-ons

sourcetype extraction issues

chrisgangl
New Member

I'm using the TA pfsense app and I am trying to fix some sourcetype extraction issues. The current app is supposed to use a transform to extract the sourcetype. Most logs have prepended time stamp, but nginx does not. There is a regex that uses a non-capture group to grab the timestamp in most logs and then select the log type for source. I edited this and added an or statement to get the nginx logs, but it does seem to work. So I then created a second transform for sourcetype to get the nginx logs, but that is not working either. What is the proper way to parse the same log stream multiple time inline with a regex and use a transform to label both logs with their proper sourcetypes. I can't see to find a good method for this in the docs. Thanks.

0 Karma

pkt_nspktr
Explorer

@chrisgangl, I had similar issues and found a solution that worked for me; see my post https://community.splunk.com/t5/All-Apps-and-Add-ons/TA-pfsense-transforms-conf-pfsense-sourcetyper-....

If that doesn't help, I'm willing to share what little knowledge I've gained beating my head against the desk trying to get this to work for me!

0 Karma
Get Updates on the Splunk Community!

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

[Coming Soon] Splunk Observability Cloud - Enhanced navigation with a modern look and ...

We are excited to introduce our enhanced UI that brings together AppDynamics and Splunk Observability. This is ...