Getting Data In

Creating Splunk App to parse syslogs

hm222jy
Engager

I would like to find a detailed tutorial on how to create a Splunk app to parse syslogs, with pre-defined field names, not the automatic key/value that Splunk is able to detect.

I have syslogs with different log types, I wonder if there is some documentation/tutorial on this. Can anyone point me in the right direction? I am new to Splunk. Thanks.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @hm222jy,

to do this you have the following items:

  • identify each type of syslog for your flows,
  • group all the ones with the same structure,
  • create a sourcetype for each type defining the specifications of each one:
    • event breaks,
    • timestamp,
    • field extractions,
    • eventtypes,
    • tags,
    • aliases,
    • field calculations.
  • eventually check the CIM compliance of your sourcetypes.

All these configurations will be in props.conf and transforms.conf files that you can put in one or more Technical Add-Ons (TAs).

You can find documentation about this in:

https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/WhatSplunkcanmonitor

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Configurationparametersandthedatapipeline

https://docs.splunk.com/Documentation/CIM/4.18.0/User/Overview

Ciao.

Giuseppe

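As an added example that is not part of Giuseppe's answer, here is what those items look like in a TA's configuration files for a hypothetical sourcetype `acme:fw`, which parses constructed firewall syslog lines such as `<134>Feb  3 10:15:22 fw01 ACMEFW: action=deny src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=445`. The sourcetype name, stanza names, log format and field names are all assumptions; the aliases and calculated fields map the vendor names onto CIM Network_Traffic field names.

```ini
# props.conf (default/ of the TA). Sourcetype "acme:fw" and the log format are constructed.
[acme:fw]
# event breaks: one syslog line is one event, never merge lines
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# timestamp: skip the <PRI> header, then read "Feb  3 10:15:22"
TIME_PREFIX = ^<\d{1,3}>
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
# field extractions: an inline regex for the sending device,
# plus a transforms.conf stanza for the key=value body
EXTRACT-acme_dvc = ^<\d{1,3}>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?<dvc>\S+) ACMEFW:
REPORT-acme_kv = acme_fw_fields
# aliases: vendor names -> CIM Network_Traffic names (src already matches)
FIELDALIAS-acme_cim = dst AS dest dport AS dest_port
# calculated fields: normalise values to the CIM vocabulary
EVAL-transport = lower(proto)
EVAL-action = case(action=="deny", "blocked", action=="allow", "allowed", true(), action)

# transforms.conf: pull every key=value pair after "ACMEFW:" out as a field
[acme_fw_fields]
REGEX = (\w+)=(\S+)
FORMAT = $1::$2
REPEAT_MATCH = true

# eventtypes.conf: name the blocked-connection events (uses the EVAL'd action value)
[acme_fw_blocked]
search = sourcetype=acme:fw action=blocked

# tags.conf: tag that eventtype so the CIM Network_Traffic data model picks it up
[eventtype=acme_fw_blocked]
network = enabled
communication = enabled
```

After restarting Splunk (or reloading the app), a search such as `sourcetype=acme:fw tag=network | table _time dvc src dest dest_port transport action` shows whether the extractions, aliases and tags took effect.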

hm222jy
Engager

Thanks, Giuseppe. The documentation sometimes is hard to digest for newbies, but I will try to go through it.

0 Karma

gcusello
SplunkTrust

Hi @hm222jy,

try to have the documentation of the Admin Training, or (better) follow this training.

It's also useful to follow the Sales Engineers I and II Training Courses, where log ingestion is described.

Ciao and happy splunking.

Giuseppe

