Re: Indexing a syslog file - doesnt give expected ...

splunker12er · ‎03-14-2014

Raw Logs:

Fri Mar 14 11:16:16 2014$SERVICEALERT$HOST1$SERVICE1$OK$PROCS OK: 1 process OK
Fri Mar 14 11:17:11 2014$HOSTALERT$HOST2$SERVICE2$WARNING$PROCS OK: 1 process WARNING 
Fri Mar 14 11:18:12 2014$HOSTEALERT$HOST3$SERVICE3$OK$PROCS OK: 1 process OK
Fri Mar 14 11:19:14 2014$SERVICEALERT$HOST4$SERVICE4$CRITICAL$PROCS OK: 1 process CRITICAL

I wanted to index the above _raw log with fields: "TIMESTAMP" ,"ALERTTYPE" ,"HOSTNAME" ,"SERVICENAME" ,"STATUS" ,"Description"

I set the props.conf & transforms.conf as below:

props.conf

[custom]
REPORT-search = extract_custom
SHOULD_LINEMERGE = false

transforms.conf

[custom]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::custom

[extract_custom]
DELIMS = "$"
FIELDS = "TIMESTAMP"$"ALERTTYPE"$"HOSTNAME"$"SERVICENAME"$"STATUS"$"Description"

I couldn't get the exptected output , am i missing something?

splunker12er · ‎03-14-2014

I got the answer:

I made a mistake in transforms.conf - Below is the corercted one. ',' and not '$'

[custom]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::custom

[extract_custom]
DELIMS = "$"
FIELDS = "TIMESTAMP","ALERTTYPE","HOSTNAME","SERVICENAME","STATUS","Description"

Indexing a syslog file - doesnt give expected output

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation