Archive
Highlighted

How to use props and transform.conf in splunk

Builder

Hi Experts,

I am injecting below logs into splunk using file input.

cs2Label=Original Category Outcome cs3Label=Original Device Product cs4Label=Internal Host cs5Label=Malicious IP Address

After parsing into splunk I can see below output
cs2Label=Original
cs3Label=Original
cs4Label=Internal
cs5Label=Malicious

So from the output it is clear that it is ignoring string after first space . So I tried my own regex and place it in
transform.conf

[abc]
REGEX = (([\w.:\[\]]+)=(.*?(?=(?:\s[\w.:\[\]]+=|$))))

props.conf

[cef]
TRANSFORMS-blah = abc

Still I can see string is missing in all the fields . Please suggest how I can achieve it using props and transform conf.

Thanks
VG

Tags (1)
0 Karma
Highlighted

Re: How to use props and transform.conf in splunk

SplunkTrust
SplunkTrust

What is the event from? Have you tried using a TA that already has the extractions for the device? Splunk TA Cisco for example if it's a Cisco device? That's the easiest method.

0 Karma
Highlighted

Re: How to use props and transform.conf in splunk

Builder

Actually it was just for the learning purpose .I prepare a sample log and feed it to Splunk using file input.My idea was not to use TA and want to extract fields using these 2 confs . May be this TA use props and transform for extraction and I can get some help from that .

0 Karma
Highlighted

Re: How to use props and transform.conf in splunk

SplunkTrust
SplunkTrust