
Does Splunk recognize LEEF formatted?

Communicator

I am trying to import "LEEF" formatted data (from an IBM mainframe) into Splunk, but none of the name / value pairs are recognized. There is a question in the Splunk community from 2011 regarding this same issue which was not answered. Should I just use the manual field extraction for this type of data or is this a known log format which Splunk can handle?

See sample log event below:
"LEEF:1.0|IBM|RACF|2.2.1|80 27.0|devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ devTime=2017-02-27T14:01:47.630-0500 usrName=U020005 name=LISA DODARO usrPriv= usrGroups= ICTXname= ICTXreg= job=JB0 27 Feb 2017 14:01:46.26 U0200051 intent= allow= class=MXADMIN prof= res= vol= dsn= sens= own= box= terminal= poe= logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) auth= desc=Success reason= appl= sum=RACF GENERAL success for U020005: logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) cmd="


Re: Does Splunk recognize LEEF formatted?

Esteemed Legend

Like this...

In props.conf:

[YourSourcetypeHere]
TRANSFORMS-index_time_field_extractions = LEEF_KVP
#REPORT-search_time_field_extractions = LEEF_KVP

In transforms.conf:

[LEEF_KVP]
REGEX = (\w+)=([^=]+)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = true
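To see what that REGEX actually pulls out of the event in the question before committing it to transforms.conf, here is an added Python example (mine, not woodcock's or Splunk's code). It applies the same regex to the sample event the way a search-time extraction with FORMAT = $1::$2 and MV_ADD = true would (every match becomes a field, a repeated key becomes a multivalue field), and sets it beside a variant with a lookahead, which is my own addition, that also keeps keys whose value is empty (usrPriv=, cmd= and so on, which the answer's regex skips because [^=]+ needs at least one character). The header split follows the LEEF 1.0 layout, LEEF:version|vendor|product|version|eventID|attributes; the function names and BOUNDARY_REGEX are assumptions, not anything Splunk ships.

```python
import re

# Constructed copy of the sample event from the question above (one event, one line).
SAMPLE_EVENT = (
    "LEEF:1.0|IBM|RACF|2.2.1|80 27.0|"
    "devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ "
    "devTime=2017-02-27T14:01:47.630-0500 usrName=U020005 name=LISA DODARO "
    "usrPriv= usrGroups= ICTXname= ICTXreg= "
    "job=JB0 27 Feb 2017 14:01:46.26 U0200051 intent= allow= class=MXADMIN "
    "prof= res= vol= dsn= sens= own= box= terminal= poe= "
    "logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), "
    "CLASS(MXADMIN), ACCESS EQUATES TO (NONE) auth= desc=Success reason= appl= "
    "sum=RACF GENERAL success for U020005: "
    "logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), "
    "CLASS(MXADMIN), ACCESS EQUATES TO (NONE) cmd="
)

# The REGEX from the transforms.conf stanza in the answer, unchanged.
ANSWER_REGEX = re.compile(r"(\w+)=([^=]+)(?:\s+|$)")

# Assumed alternative (not from the thread): the value runs lazily up to the next
# " key=" boundary or the end of the event, so "usrPriv= usrGroups=" yields usrPriv="".
BOUNDARY_REGEX = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def split_leef_header(event):
    """Split the LEEF 1.0 header (LEEF:ver|vendor|product|ver|eventID|) from
    the attribute payload. Raises on events that are not LEEF."""
    parts = event.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 event")
    header = {
        "leef_version": parts[0][len("LEEF:"):],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
    }
    return header, parts[5]


def extract_fields(event, regex):
    """Mimic a REPORT- extraction with FORMAT = $1::$2 and MV_ADD = true:
    every match becomes a field; a key seen more than once becomes a
    multivalue field, represented here as a list."""
    fields = {}
    for key, value in regex.findall(event):
        fields.setdefault(key, []).append(value)
    return fields


def extract_with_answer_regex(event):
    """Fields the answer's REGEX would produce from the raw event."""
    return extract_fields(event, ANSWER_REGEX)


def extract_with_boundary_regex(event):
    """Fields the assumed lookahead variant would produce (empty values kept)."""
    return extract_fields(event, BOUNDARY_REGEX)


def missing_keys(event):
    """Keys present in the event that the answer's REGEX does not extract.
    In the sample event these are exactly the keys with empty values."""
    all_keys = set(extract_with_boundary_regex(event))
    found = set(extract_with_answer_regex(event))
    return sorted(all_keys - found)


if __name__ == "__main__":
    header, _payload = split_leef_header(SAMPLE_EVENT)
    print("header:", header)
    # Splunk applies REGEX to _raw, so the whole event is used here too.
    for key, values in extract_with_answer_regex(SAMPLE_EVENT).items():
        print(f"{key} = {values}")
    print("keys the answer's REGEX skips:", missing_keys(SAMPLE_EVENT))
```

On the sample event the answer's regex extracts nine fields (devTimeFormat, devTime, usrName, name, job, class, logstr twice, desc and sum) and silently skips the nineteen keys that carry no value; the lookahead variant extracts all twenty-eight. Whether you want empty-valued fields at all is a choice for your use case, but run something like this over a few real events before trusting either regex in production.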

Re: Does Splunk recognize LEEF formatted?

Communicator

Thanks very much for your prompt response. I will try adding those configurations.


Re: Does Splunk recognize LEEF formatted?

Splunk Employee

MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.

Thus, you need to use REPORT-, not TRANSFORMS-.


Re: Does Splunk recognize LEEF formatted?

Esteemed Legend

Good point.


Re: Does Splunk recognize LEEF formatted?

Communicator

Thanks Dan. Problem solved. Woodcock, thank you also for taking the time to respond.

Best regards,
Steve Rogers


Re: Does Splunk recognize LEEF formatted?

Esteemed Legend

What was your final solution? Post it here and Accept it (or maybe you used mine, so click Accept on that one).


Re: Does Splunk recognize LEEF formatted?

Communicator

I used the solution provided by Dan [Splunk]. Thanks again for your assistance.


Re: Does Splunk recognize LEEF formatted?

Esteemed Legend

Please do post the actual solution so that others can learn. That's the point.


Re: Does Splunk recognize LEEF formatted?

Communicator

Sorry about that. I thought everyone could see the code posted by Dan.
