Breaking up syslog sourcetype

dramage
Engager

Good afternoon,
I am working on trying to divide my network devices up so that I have different sourcetypes for each vendor, and then ultimately ship them off to different indexes as well. These devices are all things like routers and switches, so I need to use their built-in syslog services. Unfortunately, I'm not understanding the documentation properly and it is not working.

I'm focusing on Nokia gear for the time being, here is a sanitized example log entry from a Nokia device:

Jan  5 13:27:51 123.123.123.123 TMNX: 803766 Base BGP-WARNING-bgpBackwardTransition-2002 [Peer 1: 123.123.123.123]:  VR 1: Group mpBGP-IPv4: Peer 123.123.123.123: moved from higher state OPENSENT to lower state IDLE due to event TCP SOCKET ERROR

Here's the stanza from my transforms.conf:

[nokia]
REGEX = TMNX
FORMAT = sourcetype::nokia
DEST_KEY = MetaData:Sourcetype

And here's from props.conf:

[source::udp:514]
TRANSFORMS-nokia = nokia

I am getting data in, but it's all just showing up under the sourcetype of syslog. Thanks in advance for your help.


alemarzu
Motivator

Hi there @dramage

Please, try like this.

props.conf

[syslog]
TRANSFORMS-syslog_to_nokia_sourcetype = renaming_to_nokia

transforms.conf

[renaming_to_nokia]
REGEX = TMNX
FORMAT = sourcetype::nokia
DEST_KEY = MetaData:Sourcetype

Hope it helps.
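
To see what the accepted answer's transform actually does before restarting splunkd, here is an added example (not from the original post or from Splunk) that models the index-time sourcetype rewrite in Python. It applies the `renaming_to_nokia` stanza to three constructed syslog lines: the sanitized Nokia event from the question, a non-Nokia line, and a line where the string TMNX appears only inside the message body. Splunk's REGEX is an unanchored PCRE search, so `re.search` is the analogue used here. The stricter regex is my own suggestion, not part of the answer; it requires `TMNX:` to be the tag immediately after the syslog header.

```python
import re

# Constructed sample events (not taken from a live system): one Nokia TMNX
# line, one non-Nokia line, and one line where "TMNX" occurs only in the
# free-text message.
SAMPLE_EVENTS = [
    "Jan  5 13:27:51 123.123.123.123 TMNX: 803766 Base "
    "BGP-WARNING-bgpBackwardTransition-2002 [Peer 1: 123.123.123.123]:  "
    "VR 1: Group mpBGP-IPv4: Peer 123.123.123.123: moved from higher state "
    "OPENSENT to lower state IDLE due to event TCP SOCKET ERROR",
    "Jan  5 13:28:02 10.0.0.7 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, "
    "changed state to down",
    "Jan  5 13:28:10 10.0.0.9 sshd[1234]: Accepted password for TMNX-admin "
    "from 10.0.0.5 port 4000",
]

# Mini model of the transforms.conf stanza from the accepted answer.
RENAMING_TO_NOKIA = {
    "REGEX": r"TMNX",
    "FORMAT": "sourcetype::nokia",
    "DEST_KEY": "MetaData:Sourcetype",
}

# Hypothetical tighter variant (my suggestion): anchor on the syslog header
# "<Mon> <day> <HH:MM:SS> <host> TMNX:" so stray "TMNX" in message text
# does not get re-sourcetyped.
RENAMING_TO_NOKIA_STRICT = dict(
    RENAMING_TO_NOKIA,
    REGEX=r"^\w{3}\s+\d{1,2}\s[\d:]{8}\s\S+\sTMNX:",
)


def apply_transform(event, sourcetype, transform):
    """Return the sourcetype after one index-time transform.

    Only DEST_KEY = MetaData:Sourcetype is modelled; REGEX is searched
    anywhere in the raw event, as Splunk does with its PCRE engine.
    """
    if transform["DEST_KEY"] != "MetaData:Sourcetype":
        raise ValueError("only sourcetype rewriting is modelled here")
    if re.search(transform["REGEX"], event):
        key, _, value = transform["FORMAT"].partition("::")
        if key != "sourcetype":
            raise ValueError("FORMAT for MetaData:Sourcetype must be sourcetype::<name>")
        return value
    return sourcetype


def route(events, transform, initial_sourcetype="syslog"):
    """Sourcetype each event starting from the inputs.conf default (syslog)."""
    return [apply_transform(e, initial_sourcetype, transform) for e in events]


if __name__ == "__main__":
    for name, transform in (("loose", RENAMING_TO_NOKIA),
                            ("strict", RENAMING_TO_NOKIA_STRICT)):
        print(name, route(SAMPLE_EVENTS, transform))
```

With the loose `TMNX` regex the third event, which is an SSH login message from another host, is also relabelled as `nokia`; the anchored variant keeps it as `syslog`. Whichever regex you settle on, remember that these are index-time settings, so they only affect events received after splunkd is restarted.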

risgupta
Path Finder

Could you please check your inputs.conf, where you have mentioned your TCP/UDP method to collect data. Make sure you have defined
sourcetype = nokia
for your monitored data.


mayurr98
Super Champion

I do not see any flaws in your configuration. Had you performed a splunkd restart after editing the configuration?


somesoni2
SplunkTrust
SplunkTrust

Are you sending data directly to Splunk via UDP port monitoring in Splunk, OR using syslog-ng (or a similar tool) to receive data and having Splunk monitor the written log files? Based on the configuration you've put in, I'm guessing it's the former, so where do these conf file settings exist (which Splunk server): Heavy Forwarder/Universal Forwarder or Indexer? Did you restart Splunk after adding those configuration entries?


dramage
Engager

You are correct, we are simply sending data directly to Splunk over UDP.
We don't yet have enough traffic to need multiple Splunk servers, so everything is running on one system.
