Getting Data In

Creating Splunk App to parse syslogs

hm222jy
Engager

I would like to find a detaild tutorial on how to create a splunk app to parse syslogs, with pre-defined field names, not the automatic key/value that splunk is able to detect.

I have syslogs with different log types, I wonder if there is some documentation/tutorial on this. Can anyone point in the right direction? I am new to splunk. Thanks.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @hm222jy,

to do this you have the following items:

  • identify each type pf syslog fpr your flows,
  • group all the one with the same structure,
  • create a sourcetype for each type defining the specifications of each one:
    • event breaks,
    • timestamp,
    • field extractions,
    • eventtypes,
    • tags,
    • aliases,
    • fields calculations.
  • eventually check the CIM compliance of your sourcetypes.

all these configurations will be in props.conf and transforms.conf files that you can put in one or more Technical Add-Ons (TAs).

You can find documentazione about this in:

https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/WhatSplunkcanmonitor

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Configurationparametersandthedatapipeline

https://docs.splunk.com/Documentation/CIM/4.18.0/User/Overview

Ciao.

Giuseppe

View solution in original post

hm222jy
Engager

Grazie Giuseppe.  The documentation sometimes is hard to digest for newbies but will try to go through it. 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @hm222jy,

try to have the documentation of the Admin Training, or (better) follow this training.

It's also useful to follow the Sales Engineers I and II Training Courses, where log ingestion is described .

Ciao and happy splunking.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @hm222jy,

to do this you have the following items:

  • identify each type pf syslog fpr your flows,
  • group all the one with the same structure,
  • create a sourcetype for each type defining the specifications of each one:
    • event breaks,
    • timestamp,
    • field extractions,
    • eventtypes,
    • tags,
    • aliases,
    • fields calculations.
  • eventually check the CIM compliance of your sourcetypes.

all these configurations will be in props.conf and transforms.conf files that you can put in one or more Technical Add-Ons (TAs).

You can find documentazione about this in:

https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/WhatSplunkcanmonitor

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Configurationparametersandthedatapipeline

https://docs.splunk.com/Documentation/CIM/4.18.0/User/Overview

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...