Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Implement lookup file to replace the "host" field ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Implement lookup file to replace the "host" field value collected from the rsyslog
kvnpichon
Path Finder
06-28-2021
04:26 AM
Hello Splunkers,
I'm collecting Aruba AP (Aruba Access Point) logs from my rsyslog inputs.
I use the Aruba_Networks add-on available on splunk.com to parse the logs.
Actually the Splunk collect the "host" field as the IP address of the AP (host = ip).
I created a lookup associating a hostname to the ip of the AP :
hostname,host
hostname1,ip1
hostname2,ip2
hostname3,ip3
...,...
hostnameN,ipN
The issue I get is I want a "hostname" field and an "ip" field but I have neither of these.
I tried to change my props.conf file :
[(?::){0}aruba*]
LOOKUP-aruba_ap_list=aruba_ap_list host OUTPUTNEW hostname host AS ip
and in my transforms.conf (file exist in the lookup folder) :
[aruba_ap_list]
filename=aruba_ap_list.csv
But the field "hostname" isn't created and the "host" field alias named "ip" isn't created neither.
I don't know what I'm doing wrong.
Can you help me please ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kvnpichon
Path Finder
06-28-2021
05:04 AM
For information this is the props.conf file in the "default" folder (provided by Splunk) :
#
# Aruba Networks Add-on for Splunk
# © Devbusters 2020
#
# File: props.conf
#
# Created: 2019-09-30
# Last updated: 2020-08-26
#
# Default sourcetype for sourcetype renaming
#
[aruba:syslog]
TIME_PREFIX = ^
TIME_FORMAT = %b %-d %H:%M:%S %Y
MAX_TIMESTAMP_LOOKAHEAD = 20
SHOULD_LINEMERGE = true
LINE_BREAKER = ([\n\r]+)
TRUNCATE = 999999
KV_MODE = none
pulldown_type = true
rename = aruba
TRANSFORMS-sourcetypes = aruba_sourcetype_renaming, aruba_kernel_sourcetype_renaming, aruba_httpd_sourcetype_renaming, aruba_fw_visbility_sourcetype_renaming
#
# Renamed sourcetypes
#
[(?::){0}aruba*]
KV_MODE = none
REPORT-aa_aruba_basefields = aruba_basefields
REPORT-aa_aruba_vendor_log_level = aruba_vendor_log_level
REPORT-aa_aruba_message = aruba_message
REPORT-aa_aruba_dvc = aruba_dvc
LOOKUP-aruba_actions = aruba_actions vendor_action OUTPUTNEW action
LOOKUP-aruba_severities = aruba_log_level vendor_log_level OUTPUTNEW log_level
LOOKUP-aruba_events = aruba_events event_id OUTPUTNEW event_description
EVAL-dvc = coalesce(dvc_name,dvc_ip,dvc_host,dvc)
EVAL-dest = coalesce(dest_name,dest_ip,dest_host,dest)
EVAL-src=coalesce(src_name,src_ip,src_host,src)
EVAL-vendor = "Aruba Networks"
EVAL-product = "Aruba OS"
EVAL-vendor_product = "Aruba Networks"
[aruba:aaa]
pulldown_type = false
REPORT-aruba_aaa = aruba_aaa
[aruba:authmgr]
pulldown_type = false
REPORT-aruba_user = aruba_user
REPORT-aruba_traffic = aruba_traffic
REPORT-aruba_authmgr_action = aruba_authmgr_action
REPORT-aruba_src_ip = aruba_src_ip
REPORT-aruba_src_mac = aruba_src_mac
REPORT-aruba_role = aruba_role
REPORT-aruba_reason = aruba_reason
REPORT-aruba_policy = aruba_policy
REPORT-aruba_ssid = aruba_ssid
REPORT-aruba_bssid = aruba_bssid
REPORT-aruba_essid = aruba_essid
REPORT-aruba_method = aruba_method
REPORT-aruba_vlan = aruba_vlan
REPORT-aruba_ap_name = aruba_ap_name
REPORT-aruba_server_group = aruba_server_group
EVAL-transport = lower(transport)
[aruba:cfgm]
pulldown_type = false
[aruba:fpapps]
pulldown_type = false
REPORT-aruba_vlan = aruba_vlan
[aruba:fw_visiblity]
pulldown_type = false
[aruba:httpd]
pulldown_type = false
REPORT-aruba_httpd = aruba_httpd
REPORT-aruba_httpd_src=aruba_httpd_src
REPORT-aruba_httpd_referer = aruba_httpd_referer
REPORT-aruba_uri_path = aruba_uri_path
REPORT-aruba_uri_query = aruba_uri_query
EVAL-url_length = len(url)
[aruba:stm]
pulldown_type = false
REPORT-aruba_stm_ap = aruba_stm_ap
REPORT-aruba_stm_radio = aruba_stm_radio
[aruba:localdb]
pulldown_type = false
REPORT-aruba_sql_query = aruba_sql_query
[aruba:mdns]
pulldown_type = false
REPORT-aruba_mdns_method = aruba_mdns_method
REPORT-aruba_mdns_src_mac = aruba_mdns_src_mac
REPORT-aruba_mdns_src_ip = aruba_mdns_src_ip
REPORT-aruba_mdns_vlan = aruba_mdns_vlan
REPORT-aruba_mdns_role = aruba_mdns_role
REPORT-aruba_mdns_user = aruba_mdns_user
REPORT-aruba_mdns_ap_name = aruba_mdns_ap_name
REPORT-aruba_mdns_ap = aruba_mdns_ap
[aruba:wms]
pulldown_type = false
REPORT-aruba_wms = aruba_wms
REPORT-aruba_wms_change = aruba_wms_change
REPORT-aruba_wms_ap = aruba_wms_ap
REPORT-aruba_wms_additional_info = aruba_wms_additional_info
[aruba:isakmpd]
pulldown_type = false
[aruba:dbsync]
pulldown_type = false
[aruba:sapd]
pulldown_type = false
REPORT-aruba_sapd = aruba_sapd
[aruba:rsyncd]
pulldown_type = false
[aruba:sshd]
pulldown_type = false
[aruba:lldp]
pulldown_type = false
[aruba:kernel]
pulldown_type = false
#
# Sourcetype Fixes
#
[aruba:Visibility]
rename = aruba:fw_visbility
Get Updates on the Splunk Community!
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
