props.conf & transform.conf configuration


I need to index some yafscii data. I know how to set up my inputs.conf and indexes.conf configuration files. The data that we're indexing is delimited by the " | " symbol.

The problem we're having is that fields and the values aren't associated. When data is indexed one event will have the fields and then the next event will have the values.

The fields that we are working with are as follows:

start-time| end-time| duration| rtt| proto| sip| sp| dip| dp| srcMacAddress| destMacAddress| iflags| uflags| riflags| ruflags| isn| risn| tag| rtag| pkt| oct| rpkt| roct| applabel| entropy| rentropy| end-reason

How should we configure the props.conf and transforms.conf files?

0 Karma

Path Finder

Hello. Try this one (e.g. sourcetype=yafscii):


REPORT-yaf = yafscii_parse


DELIMS = "|"
FIELDS = "start-time", "end-time", "duration", "rtt", "proto", "sip", "sp", "dip", "ydp", "srcMacAddress", "destMacAddress", "yiflags", "uflags", "riflags", "ruflags", "isn", "risn", "tag", "rtag", "pkt", "oct", "rpkt", "roct", "applabel", "entropy", "rentropy", "end-reason"

0 Karma
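Added illustration, not part of the thread and not Splunk code: a small Python parser that does the same column-to-field mapping as a DELIMS/FIELDS transform, so the field order can be checked offline before the config is deployed. It also handles the two things the question runs into: the raw data is delimited by " | " with spaces, so each value is trimmed, and a header row (the line that is the field names rather than values) is recognised and dropped instead of being treated as a record. The sample flow records are constructed for this example.

```python
# Added example (not from the thread or from Splunk): parse "|"-delimited
# yafscii lines into {field: value} dicts using the field list from the question.

# Field list exactly as given in the question; order matters, because the
# n-th name is assigned to the n-th "|"-separated column.
YAF_FIELDS = [
    "start-time", "end-time", "duration", "rtt", "proto", "sip", "sp",
    "dip", "dp", "srcMacAddress", "destMacAddress", "iflags", "uflags",
    "riflags", "ruflags", "isn", "risn", "tag", "rtag", "pkt", "oct",
    "rpkt", "roct", "applabel", "entropy", "rentropy", "end-reason",
]

# Constructed sample: a header row followed by two flow records (27 columns
# each). The raw data uses " | ", which is why values are stripped.
SAMPLE = """\
start-time| end-time| duration| rtt| proto| sip| sp| dip| dp| srcMacAddress| destMacAddress| iflags| uflags| riflags| ruflags| isn| risn| tag| rtag| pkt| oct| rpkt| roct| applabel| entropy| rentropy| end-reason
2024-01-01 10:00:00.000| 2024-01-01 10:00:01.500| 1.500| 0.020| 6| 192.0.2.10| 51234| 198.51.100.5| 443| 00:00:5e:00:53:01| 00:00:5e:00:53:02| S| AP| AS| AP| deadbeef| cafef00d| 0| 0| 12| 1800| 10| 9000| 443| 5.1| 7.2| idle
2024-01-01 10:00:02.000| 2024-01-01 10:00:02.100| 0.100| 0.000| 17| 192.0.2.11| 5353| 224.0.0.251| 5353| 00:00:5e:00:53:03| 01:00:5e:00:00:fb| 0| 0| 0| 0| 0| 0| 0| 0| 3| 300| 0| 0| 53| 3.3| 0.0| eof
"""


def split_record(line, delim="|"):
    """Split one line on the delimiter and trim whitespace around each column."""
    return [part.strip() for part in line.rstrip("\n").split(delim)]


def parse_record(line, fields=YAF_FIELDS):
    """Map one line to {field: value}.

    Returns None for a header row (the columns are the field names, not
    values) and for a line whose column count does not match the field list,
    because zip() would otherwise silently mis-align every field after the gap.
    """
    parts = split_record(line)
    if parts == list(fields):
        return None  # header row, not a flow record
    if len(parts) != len(fields):
        return None  # malformed row; refuse rather than mis-label fields
    return dict(zip(fields, parts))


def parse_records(lines, fields=YAF_FIELDS):
    """Parse an iterable of lines, dropping blank lines, headers and malformed rows."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line, fields)
        if rec is not None:
            records.append(rec)
    return records


def load_sample():
    """Parse the constructed SAMPLE above; returns a list of two dicts."""
    return parse_records(SAMPLE.splitlines())


if __name__ == "__main__":
    for rec in load_sample():
        print(rec["proto"], rec["sip"], rec["sp"], "->",
              rec["dip"], rec["dp"], rec["end-reason"])
```

Running it prints one line per flow with the 5-tuple and end reason; a wrong entry in the field list (for instance a misspelled name) shows up immediately as a KeyError here, whereas in a transforms.conf FIELDS list it would just produce a misnamed field at search time.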