
Hunk - assigning sourcetype

jwalzerpitt
Influencer

I created two virtual indexes within Hunk that read from two separate HDFS directories. One is for Cisco ASA logs, and the other is for IIS logs. Each HDFS directory contains a bunch of *.log files. Clicking on 'search' for either index starts to index/read all of the log files, but the sourcetype is set wrong for both indexes.

How do I assign the correct sourcetype to each index?

Thx


jwalzerpitt
Influencer

That worked. Just had to change the search to:

index="web_logs" source="/logs/web/ex140401.log"

Once I did that, I got an "Interesting Fields" list, with the parsed out fields.

So that applies to searching individual log files (basically using 'Exploring Data'). How do I apply the new manual-iis to all IIS log files when I go in to search the entire virtual index? When I click 'search' there, the files aren't being parsed per the IIS sourcetype.

Thx


Ledion_Bitincka
Splunk Employee

Great! Now, simply replace the single source stanza with the following in order to apply the "new-iis" sourcetype to all the files under /logs/web/

   /opt/hunk/etc/apps/search/local/props.conf
   [source::/logs/web/...]
   sourcetype = new-iis
   priority = 10 
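To make the matching concrete, here is an added Python model (not Hunk or Splunk code, and a simplified version of Splunk's precedence rules) of how a `source::` stanza using the `...` wildcard plus a `priority` value selects the sourcetype for each file path. The props.conf text is constructed; the ASA and `*.bak` stanzas are hypothetical additions alongside the `/logs/web/...` stanza from the answer above.

```python
import configparser
import re
# Constructed props.conf text: the stanza from the answer above plus two
# hypothetical ones (an ASA directory and a higher-priority override).
PROPS_CONF = """
[source::/logs/web/...]
sourcetype = new-iis
priority = 10

[source::/logs/asa/...]
sourcetype = cisco:asa
priority = 10

[source::/logs/web/*.bak]
sourcetype = iis-backup
priority = 20
"""

def pattern_to_regex(pattern):
    """'...' matches anything including '/'; '*' stops at a separator."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def load_source_stanzas(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return [{"pattern": s[len("source::"):],
             "regex": pattern_to_regex(s[len("source::"):]),
             "sourcetype": cp[s].get("sourcetype"),
             "priority": cp[s].getint("priority", fallback=0)}
            for s in cp.sections() if s.startswith("source::")]

def resolve_sourcetype(path, stanzas):
    """Highest priority wins; ties go to the longer pattern (simplified)."""
    matches = [s for s in stanzas if s["regex"].match(path)]
    if not matches:
        return None
    return max(matches, key=lambda s: (s["priority"], len(s["pattern"])))["sourcetype"]
STANZAS = load_source_stanzas(PROPS_CONF)
```

Files in subdirectories of /logs/web/ still resolve to new-iis because `...` crosses directory separators, while the `*.bak` stanza only matches files directly under /logs/web/.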

jwalzerpitt
Influencer

Awesome!! That worked...

Now the last issue I'm wrestling with is that the ASA logs are not being properly identified even when I select cisco : asa as the sourcetype. Here's a sample ASA log:

Apr 10 06:29:58 1.1.1.1 %ASA-7-106100: access-list np-itf15-FW-RULE-1 permitted udp FW-RULE-2/2.2.2.2(615) -> FW-RULE-3/3.3.3.3(111) hit-cnt 1 first hit [0x7eb55e24, 0xc85ef7a5]

Switching between cisco : asa and System Defaults doesn't make a difference.

Do I need to build custom Cisco ASA stanzas in props.conf and transforms.conf, like for IIS?


jwalzerpitt
Influencer

Thx - let me add and test again


jwalzerpitt
Influencer

After some additional review, for the IIS logs I see they're being tagged as a sourcetype of IIS, but they're not being parsed correctly. Any ideas on how to troubleshoot that issue?

The Cisco ASA logs aren't being identified as the correct sourcetype at all.
