How to Parse and Tag custom application logs before forwarding to Splunk server?

filosv
Engager

Dear Splunkers,

Really sorry for my question; I do feel the answer may already be on another thread (couldn't find it), but I am trying to forward custom application access logs to Splunk, giving a specific tag name to each column, let's say (I would define it by regular expression), and sending only "matching" data. I've already set inputs.conf with the file path, index and sourcetype and successfully see the full logs in Splunk search, but the whole info is in the event data. Still not sure where to set the appropriate configuration (props.conf, transforms.conf, ?) for getting only the Invoked Service, Caller IP and Response Code, let's say, since we are referring to access logs.

0 Karma

filosv
Engager

First, thanks for your contribution and prompt response. As you might see in the image below, there is common access log info like date, time, source IP, duration and response code, which I would like to tag on the forwarder side (I have no access to the Splunk server) before it reaches the Splunk server, and get rid of the unwanted info. What I have done so far is add the lines below to my local inputs.conf:

[monitor://...]
index = ....
sourcetype = ...
queueSize = 50MB
crcSalt = <SOURCE>
disabled = false

(attached image: example.JPG)

0 Karma

richgalloway
SplunkTrust

I read the OP as wanting to change the data before it is indexed.  I understand now it must be done before sending to the indexers.

If you are using a heavy forwarder then SEDCMD in props.conf is still an option.

If you are using Universal Forwarders then there is little the UF can do to modify the data.  Try these untested settings on the UF:

# props.conf on the universal forwarder, stanza for the sourcetype being monitored
[gr1347yr_access_logs]
# make the UF run its local processing (including SEDCMD) for this sourcetype
force_local_processing = true
# sed-style rewrite: strip every occurrence of "foo=bar" from each event
SEDCMD-no_foo = s/foo=bar//g

 

---
If this reply helps you, Karma would be appreciated.

filosv
Engager

Thanks a lot for your help. Really appreciate it. Got to know how to get rid of unwanted data 😉

0 Karma

richgalloway
SplunkTrust

It would help to see some sample sanitized events, but you may be able to use SEDCMD to eliminate unwanted fields.

props.conf:

[mysourcetype]
SEDCMD-erase_foo = s/foo=bar//

Also, consider using Cribl (cribl.io).

---
If this reply helps you, Karma would be appreciated.
0 Karma
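Both of the replies above lean on SEDCMD in props.conf, and one of them says the settings are untested. The block below is an added example, written for this thread; it is not code from the thread, from Splunk, or from the Splunk documentation. It is a small Python dry-run harness that reads SEDCMD-<class> lines out of a props.conf stanza, emulates the sed-style `s/pattern/replacement/flags` and `y/from/to/` forms with Python's `re` module, and applies them to a handful of constructed access-log lines, so a regex can be sanity-checked before it is pushed to a forwarder. The stanza, the sourcetype name `custom_access_logs`, and the sample events are all assumptions made up for the example. Two caveats the harness makes visible: SEDCMD rewrites events but never drops one that fails to match (the non-access line passes through untouched), and whatever a SEDCMD strips is gone before indexing, so a rewrite that keeps only caller IP, invoked path and response code is irreversible. Python's `re` is close to, but not identical with, the PCRE engine Splunk uses, so treat the result as a sanity check rather than a guarantee.

```python
"""Dry-run Splunk SEDCMD expressions against sample events (added example, not Splunk code)."""
import re

# Constructed sample events (not taken from the thread): timestamp, client IP,
# method, path, status, duration, user agent, plus one non-access line to show
# that SEDCMD never drops a non-matching event.
SAMPLE_EVENTS = [
    '2024-03-01 10:15:01 203.0.113.7 GET /api/orders 200 123ms ua="curl/8.0"',
    '2024-03-01 10:15:02 198.51.100.9 POST /api/login 401 8ms ua="Mozilla/5.0"',
    'WARN connection pool exhausted',
]

# Hypothetical props.conf stanza; the sourcetype name is assumed. On a universal
# forwarder, force_local_processing = true is what makes the SEDCMD run there.
# keep_core rewrites each matching event down to timestamp, caller IP, invoked
# path and response code; method, duration and user agent are gone for good.
PROPS_CONF = r"""
[custom_access_logs]
force_local_processing = true
SEDCMD-keep_core = s/^(\S+ \S+) (\S+) \S+ (\S+) (\d{3}).*$/\1 \2 \3 \4/
"""


def _split_unescaped(text, delim):
    """Split on DELIM while honouring backslash escapes the way sed does."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            nxt = text[i + 1]
            buf.append(nxt if nxt == delim else ch + nxt)  # '\/' becomes '/'
            i += 2
            continue
        if ch == delim:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    return parts


def parse_sedcmd(expr):
    """Return (kind, pattern, replacement, flags) for an 's' or 'y' expression."""
    expr = expr.strip()
    if len(expr) < 2 or expr[0] not in 'sy':
        raise ValueError(f'unsupported SEDCMD form: {expr!r}')
    kind, delim = expr[0], expr[1]
    parts = _split_unescaped(expr[2:], delim)
    if len(parts) != 3:
        raise ValueError(f'malformed SEDCMD: {expr!r}')
    return kind, parts[0], parts[1], parts[2]


def apply_sedcmd(expr, event):
    """Apply one SEDCMD to one event and return the rewritten event."""
    kind, pattern, repl, flags = parse_sedcmd(expr)
    if kind == 'y':  # transliteration: character-for-character mapping
        return event.translate(str.maketrans(pattern, repl))
    rx = re.compile(pattern)
    if 'g' in flags:  # replace every match
        return rx.sub(repl, event)
    nth = int(flags) if flags.isdigit() else 1  # 'N' flag: only the Nth match
    seen = 0

    def _replace_nth(match):
        nonlocal seen
        seen += 1
        return match.expand(repl) if seen == nth else match.group(0)

    return rx.sub(_replace_nth, event)


def load_sedcmds(props_text):
    """Collect (class, expression) pairs from the SEDCMD-<class> lines of a stanza."""
    found = []
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        if key.startswith('SEDCMD-'):
            found.append((key[len('SEDCMD-'):], value))
    return found


def run_stanza(props_text, events):
    """Run every SEDCMD of the stanza over each event, in file order."""
    sedcmds = load_sedcmds(props_text)
    out = []
    for event in events:
        for _name, expr in sedcmds:
            event = apply_sedcmd(expr, event)
        out.append(event)
    return out


if __name__ == '__main__':
    for before, after in zip(SAMPLE_EVENTS, run_stanza(PROPS_CONF, SAMPLE_EVENTS)):
        print(f'{before!r}\n  -> {after!r}')
```

Running the file prints each constructed event next to its rewritten form; the two access lines collapse to four fields and the WARN line comes back unchanged. The harness applies several SEDCMD-<class> lines in the order they appear in the text, so if one rewrite depends on the output of another, confirm the order Splunk uses in your version before relying on it.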