
How to parse RADIUS log files into Splunk? What configuration is required for props and transforms?

alenseb
Communicator

Following is the RADIUS log file format that I have got. Now I need only a few of the fields from each instance. Also you can see that 2 instances are separated by a blank line.
So can anyone help with the configuration of props.conf and transforms.conf to get the desired output.

Tue Aug 7 00:00:00 2012
User-Name = "xxxxxxxx"
NAS-Port = xxxxxxxx
NAS-IP-Address = xxxxxxxxu
Framed-IP-Address = xxxxxxxx
Filter-Id = " xxxxxxxx "
Class = " xxxxxxxx "
NAS-Identifier = " xxxxxxxx "
Acct-Status-Type = xxxxxxxx
Acct-Delay-Time = 0
Acct-Session-Id = " xxxxxxxx "
Acct-Authentic = RADIUS
Event-Timestamp = 1344286800
NAS-Port-Type = Ethernet
Calling-Station-Id = " xxxxxxxx "
NAS-Port-Id = " xxxxxxxx "
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Link-Count = 0
RB-Agent-Circuit-Id = " xxxxxxxx "
DSLForum-Agent-Circuit-Id = " xxxxxxxx "
DSLForum-Access-Loop-Encapsulation = ""
Timestamp = 1344286800
OSC-Service-Identifier = "DSLUsers"
Proxy-State = OSC-Extended-Id=40682
Timestamp = 1344286800

Tue Aug 7 00:00:00 2012
User-Name = " xxxxxxxx "
NAS-Port = xxxxxxxx
NAS-IP-Address = xxxxxxxx
Framed-IP-Address = xxxxxxxx
Class = "44620232:04:"
NAS-Identifier = " xxxxxxxx "
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Input-Octets = 6021
Acct-Output-Octets = 323749
Acct-Session-Id = " xxxxxxxx "
Acct-Authentic = RADIUS
Acct-Session-Time = 1348
Acct-Input-Packets = 53
Acct-Output-Packets = 3187
Acct-Terminate-Cause = User-Request
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Event-Timestamp = 1344286800
NAS-Port-Type = Ethernet
Calling-Station-Id = " xxxxxxxx "
NAS-Port-Id = " xxxxxxxx "
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Link-Count = 0
Timestamp = 1344286800
OSC-Service-Identifier = "DSLUsers"
Proxy-State = OSC-Extended-Id=24386
Timestamp = 1344286800

Thanks!!


beatus
Communicator

alenseb,
You should avoid the use of SHOULD_LINEMERGE = true and any break_before or break_after parameters. They're not required to do linebreaking correctly in almost all cases. Here's what should work for you:

[radius]
SHOULD_LINEMERGE = false
TIME_FORMAT = %A %B %d %H:%M:%S %Y
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 40
LINE_BREAKER = ([\r\n]+)\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}
TRUNCATE = 99999
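To see what the settings above actually do to the records in the question, here is an added Python example that is not part of any post on this page and not Splunk's own code. It splits raw text into events with the same header pattern as the LINE_BREAKER regex, parses the header with the strptime spelling of that TIME_FORMAT, and extracts the name = value attributes the way Splunk's automatic extraction would, so you can check which fields come out of a sample before touching props.conf. The sample log is constructed for the example; the function names, the multivalue handling for repeated attributes and the `wanted` projection are assumptions, not Splunk behaviour.

```python
import re
from datetime import datetime

# Constructed sample in the format shown in the question; names and values are
# placeholders, not data from the original post.
SAMPLE_LOG = """Tue Aug  7 00:00:00 2012
User-Name = "user1"
NAS-IP-Address = 192.0.2.10
Framed-IP-Address = 198.51.100.7
Acct-Status-Type = Start
Acct-Session-Id = " sess-001 "
Event-Timestamp = 1344286800
Timestamp = 1344286800

Tue Aug  7 00:22:28 2012
User-Name = " user1 "
NAS-IP-Address = 192.0.2.10
Framed-IP-Address = 198.51.100.7
Acct-Status-Type = Stop
Acct-Input-Octets = 6021
Acct-Output-Octets = 323749
Acct-Session-Id = " sess-001 "
Acct-Session-Time = 1348
Acct-Terminate-Cause = User-Request
Proxy-State = OSC-Extended-Id=24386
Timestamp = 1344288148
Timestamp = 1344288148
"""

# The same anchor as the LINE_BREAKER regex in the answer above: a line that
# looks like "Tue Aug  7 00:00:00 2012" starts a new event.
EVENT_HEADER = re.compile(r"^\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}$", re.M)
# strptime spelling of the props.conf TIME_FORMAT (abbreviated weekday/month names).
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def split_events(text):
    """Return one raw string per RADIUS record, breaking before each header line."""
    starts = [m.start() for m in EVENT_HEADER.finditer(text)]
    return [text[s:e].strip() for s, e in zip(starts, starts[1:] + [len(text)])]


def parse_event(raw):
    """Turn one record into a dict: '_time' plus one entry per attribute line.

    Values are unquoted and stripped (the log pads quoted values with spaces);
    only the first ' = ' splits a line, so values containing '=' survive;
    an attribute that repeats becomes a list, like a Splunk multivalue field
    (assumption made for this example).
    """
    header, *body = raw.splitlines()
    event = {"_time": datetime.strptime(header, TIME_FORMAT)}
    for line in body:
        key, sep, value = line.partition(" = ")
        if not sep:
            continue  # not an attribute line; skip rather than guess
        value = value.strip().strip('"').strip()
        if key in event:
            prev = event[key]
            event[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            event[key] = value
    return event


def extract(text, wanted=None):
    """Parse every record; if 'wanted' is given, keep only those attributes (plus _time)."""
    events = [parse_event(raw) for raw in split_events(text)]
    if wanted is None:
        return events
    keep = ("_time",) + tuple(wanted)
    return [{k: e[k] for k in keep if k in e} for e in events]


if __name__ == "__main__":
    # Keep just the few fields the question asks for.
    for ev in extract(SAMPLE_LOG, ("User-Name", "Acct-Status-Type", "Acct-Session-Id")):
        print(ev)
```

Running the script prints one dict per record with only the requested attributes; passing no `wanted` list shows every field the automatic name = value extraction would produce, including the doubled Timestamp attribute as a list.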

sudoritz
Explorer

Thanks, that WORKS 🙂


lguinn2
Legend

I think all you need is props.conf - and frankly, I think that the Splunk default settings would work just fine.
Splunk will automatically extract all the fields, as they are in name=value format. But here is a stanza for props.conf that should work as well. Note that this assumes that you set sourcetype=radius in the inputs.conf

And these props.conf entries belong on the indexer (or wherever the events are being parsed).

[radius]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TIME_FORMAT = %A %B %d %H:%M:%S %Y

alenseb
Communicator

Thanks for the input!!

You can also try the following code; it works as well:

SHOULD_LINEMERGE = true
REPORT-vievents = vievents_extractions
BREAK_ONLY_BEFORE = ^(Sun|Mon|Tue|Wed|Thu|Fri|Sat)
