Re: Indexing a syslog file - doesnt give expected ...

splunker12er · ‎03-14-2014

Raw Logs:

Fri Mar 14 11:16:16 2014$SERVICEALERT$HOST1$SERVICE1$OK$PROCS OK: 1 process OK
Fri Mar 14 11:17:11 2014$HOSTALERT$HOST2$SERVICE2$WARNING$PROCS OK: 1 process WARNING 
Fri Mar 14 11:18:12 2014$HOSTEALERT$HOST3$SERVICE3$OK$PROCS OK: 1 process OK
Fri Mar 14 11:19:14 2014$SERVICEALERT$HOST4$SERVICE4$CRITICAL$PROCS OK: 1 process CRITICAL

I wanted to index the above _raw log with fields: "TIMESTAMP" ,"ALERTTYPE" ,"HOSTNAME" ,"SERVICENAME" ,"STATUS" ,"Description"

I set the props.conf & transforms.conf as below:

props.conf

[custom]
REPORT-search = extract_custom
SHOULD_LINEMERGE = false

transforms.conf

[custom]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::custom

[extract_custom]
DELIMS = "$"
FIELDS = "TIMESTAMP"$"ALERTTYPE"$"HOSTNAME"$"SERVICENAME"$"STATUS"$"Description"

I couldn't get the exptected output , am i missing something?

splunker12er · ‎03-14-2014

I got the answer:

I made a mistake in transforms.conf - Below is the corercted one. ',' and not '$'

[custom]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::custom

[extract_custom]
DELIMS = "$"
FIELDS = "TIMESTAMP","ALERTTYPE","HOSTNAME","SERVICENAME","STATUS","Description"

Indexing a syslog file - doesnt give expected output

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation