Re: Indexing a syslog file - doesnt give expected ...

splunker12er · ‎03-14-2014

Raw Logs:

Fri Mar 14 11:16:16 2014$SERVICEALERT$HOST1$SERVICE1$OK$PROCS OK: 1 process OK
Fri Mar 14 11:17:11 2014$HOSTALERT$HOST2$SERVICE2$WARNING$PROCS OK: 1 process WARNING 
Fri Mar 14 11:18:12 2014$HOSTEALERT$HOST3$SERVICE3$OK$PROCS OK: 1 process OK
Fri Mar 14 11:19:14 2014$SERVICEALERT$HOST4$SERVICE4$CRITICAL$PROCS OK: 1 process CRITICAL

I wanted to index the above _raw log with fields: "TIMESTAMP" ,"ALERTTYPE" ,"HOSTNAME" ,"SERVICENAME" ,"STATUS" ,"Description"

I set the props.conf & transforms.conf as below:

props.conf

[custom]
REPORT-search = extract_custom
SHOULD_LINEMERGE = false

transforms.conf

[custom]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::custom

[extract_custom]
DELIMS = "$"
FIELDS = "TIMESTAMP"$"ALERTTYPE"$"HOSTNAME"$"SERVICENAME"$"STATUS"$"Description"

I couldn't get the exptected output , am i missing something?

splunker12er · ‎03-14-2014

I got the answer:

I made a mistake in transforms.conf - Below is the corercted one. ',' and not '$'

[custom]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::custom

[extract_custom]
DELIMS = "$"
FIELDS = "TIMESTAMP","ALERTTYPE","HOSTNAME","SERVICENAME","STATUS","Description"

Indexing a syslog file - doesnt give expected output

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!