Getting Data In

How to parses received multi type syslog logs on indexeurs

New Member


I have a problem for which I have not found a solution despite several hours of research.

I have an indexer on which I receive logs in syslog format.

The logs are all sent by the same computer, but come from different equipment, and are of different types.

It is possible for me to configure the reception of the logs either by an "input" splunk syslog (tcp / udp), or by an input 'forwarder' (splunktcp).

I need to change the index and the sourcetype of the received logs according to their format, so that they applies the right TA.

Some TA have a TRANSFORMS part in their props.conf file that changes sourcetype again.

So I need to receive the logs (different log types), apply the sourcetype and index depending on the log format, apply the correct TA and apply the transformations from the TA, if available.

And I would like if possible that all processing is done on the indexer (without heavyforwarder).

I have already try a transforms : At the main transforms the sourcetype and the index was changes, the logs apply the right TA, but the transforms part of the TA was not apply.

I also try to apply rule and delayed rule for change sourcetype without success. The rules seems to be good, because it work with the same log sample as file input, but seems not with syslog and splunktcp input.

If something have an idee, it's welcome.

Best Regards

0 Karma