I am trying to import "LEEF" formatted data (from an IBM mainframe) into Splunk, but none of the name / value pairs are recognized. There is a question in the Splunk community from 2011 regarding this same issue which was not answered. Should I just use the manual field extraction for this type of data, or is this a known log format which Splunk can handle?
See sample log event below:
"LEEF:1.0|IBM|RACF|2.2.1|80 27.0|devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ devTime=2017-02-27T14:01:47.630-0500 usrName=U020005 name=LISA DODARO usrPriv= usrGroups= ICTXname= ICTXreg= job=JB0 27 Feb 2017 14:01:46.26 U0200051 intent= allow= class=MXADMIN prof= res= vol= dsn= sens= own= box= terminal= poe= logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) auth= desc=Success reason= appl= sum=RACF GENERAL success for U020005: logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) cmd="
props.conf:

[YourSourcetypeHere]
REPORT-search_time_field_extractions = LEEF_KVP
# TRANSFORMS-index_time_field_extractions = LEEF_KVP   (index-time alternative; MV_ADD does not apply there)

transforms.conf:

[LEEF_KVP]
REGEX = (\w+)=([^=]+)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = true
MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
Thus, you need to use REPORT-, not TRANSFORMS-.
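To show what the REGEX / MV_ADD combination from the transforms.conf answer actually yields on the sample event from the question, and why it matters for the REPORT- (search-time) point above, here is an added Python example; it is not part of this thread or of Splunk. It applies the posted regex verbatim and collects repeated keys into a list the way MV_ADD = true does. Because `[^=]+` must consume at least one character, every key with an empty value (usrPriv=, intent=, cmd= and so on) is silently dropped, so a missing field in Splunk does not mean the mainframe omitted it. A second, assumed lookahead-based regex (my variant, not from the thread) keeps those empty keys. The sample event is the one quoted in the question with the outer quotes removed.

```python
import re
from collections import OrderedDict

# Constructed from the event quoted in the question (outer quotes dropped).
SAMPLE_EVENT = (
    "LEEF:1.0|IBM|RACF|2.2.1|80 27.0|"
    "devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ devTime=2017-02-27T14:01:47.630-0500 "
    "usrName=U020005 name=LISA DODARO usrPriv= usrGroups= ICTXname= ICTXreg= "
    "job=JB0 27 Feb 2017 14:01:46.26 U0200051 intent= allow= class=MXADMIN prof= res= "
    "vol= dsn= sens= own= box= terminal= poe= "
    "logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), "
    "ACCESS EQUATES TO (NONE) auth= desc=Success reason= appl= "
    "sum=RACF GENERAL success for U020005: "
    "logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), "
    "ACCESS EQUATES TO (NONE) cmd="
)

# Names for the five pipe-delimited LEEF header fields (assumed labels).
HEADER_FIELDS = ("leef_version", "vendor", "product", "product_version", "event_id")

# The REGEX from the transforms.conf answer, unchanged.
SPLUNK_KVP = re.compile(r"(\w+)=([^=]+)(?:\s+|$)")

# Assumed alternative: a value runs (possibly empty) until the next
# "<whitespace>key=" or the end of the string, so empty keys survive.
STRICT_KVP = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def split_header(event):
    """Split the LEEF header off the attribute string.

    Returns (header dict, attribute string); raises on non-LEEF input.
    """
    parts = event.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    header = dict(zip(HEADER_FIELDS, parts[:5]))
    header["leef_version"] = header["leef_version"][len("LEEF:"):]
    return header, parts[5]


def extract(text, pattern):
    """Run a key=value regex the way REPORT-/MV_ADD does.

    Every match contributes a value; repeated keys (logstr here) become
    multi-valued instead of keeping only the first hit.
    """
    fields = OrderedDict()
    for key, value in pattern.findall(text):
        fields.setdefault(key, []).append(value)
    return fields


def parse_leef(event, keep_empty=False):
    """Parse one LEEF event; keep_empty=True uses the lookahead regex."""
    header, attrs = split_header(event)
    pattern = STRICT_KVP if keep_empty else SPLUNK_KVP
    return header, extract(attrs, pattern)


if __name__ == "__main__":
    header, fields = parse_leef(SAMPLE_EVENT)
    print(header)
    for key, values in fields.items():
        print(f"{key} = {values}")
    _, strict = parse_leef(SAMPLE_EVENT, keep_empty=True)
    dropped = sorted(set(strict) - set(fields))
    print("keys the Splunk regex drops (empty values):", dropped)
```

Run as a script it prints the header, the nine keys the posted regex extracts (with logstr as a two-element list) and the nineteen empty-valued keys it drops. Whether you want the empty keys indexed is a judgement call; if you do, the lookahead regex can be dropped into transforms.conf in place of the posted one, but test it against your own events first, since LEEF values that themselves contain "word=" would still confuse any regex-only approach.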
Thanks Dan. Problem solved. Woodcock, thank you also for taking the time to respond.