Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Getting Data into iseries app

jarjoh42
Path Finder
‎01-03-2013 10:54 AM

I have multiple feeds coming into UDP:514, from this input I have ASA, ESA, and as400 data coming in. I have recently installed the iseries app and am having trouble getting data into it. The data coming from UDP:514 all goes to sourcetype= syslog using this stanza in the global settings

ect\system\inputs.conf

[udp://514]
connection_host = ip
index = index_syslog
sourcetype = syslog

in the iseries apps local i want to split out the data that comes from the as400 by changing the sourcetype to [as400]. to do this I attempted to use the stanza in file

etc\apps\iseries\local\inputs.conf

[as400]
search = sourcetype= syslog
disabled = 0

but it did not work. So my question is how do I extract just the as400 data out of my UDP:514 input and change the sourcetype so that the data will flow into the iseries app properly.

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎01-03-2013 12:28 PM

I can well believe that your inputs.conf did not work, as the syntax is not at all what Splunk expects.

You will need to use the props.conf and transforms.conf files to override the sourcetype setting on events arriving from the network port. There is a good example in the documentation on how to override default host assignments. You can use this same idea to reset the sourcetype. Your props.conf and transforms.conf might look like this:

props.conf

[syslog]
TRANSFORMS-syslog1=reset-sourcetype

transforms.conf

[reset-sourcetype]
SOURCE_KEY = MetaData:Host
DEST_KEY = MetaData:Sourcetype
REGEX = (?i)as400
FORMAT = sourcetype::as400

This assumes that your host is being set properly. If it doesn't work, post back - there is another way to do this as well.

Reply

lguinn2
Legend
‎06-17-2013 09:36 AM

I don't know what you mean by "source type being assigned correctly at etc/system level" - it would be helpful if you could show the relevant config file snippets..

0 Karma
Reply

jarjoh42
Path Finder
‎06-17-2013 07:28 AM

I now have the data sorted by host and the as400 sourcetype is being assigned correctly at the ect system level. My problem is now that the app is not seeing the as400 sourcetype and accepting the data. within the app i have tried different configuration with non of them working.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...