Getting Data In

Is there a way to forward parsed logs in ELK Stack to Splunk?

ganesh1793
Engager

Hello,

We have integrated ELK Stack with our application (DNS Firewall) previously for forensics. Now, we want to replace it with Splunk. But we don't know how to parse the logs in the form as we have parsed them in ELK Stack. Is there a way to forward parsed logs in ELK to Splunk?

We have parsed the logs in the following format:

Time: September 26th 2018, 19:04:56.097
_source: log_category:info dnsfw_method:QNAME @timestamp:September 26th 2018, 19:04:56.097 rpz:rpz timestamp:26-Sep-2018 19:04:55.243 path:/var/lib/bind/rpz.log clientipaddr:172.16.6.69 quried_domain:ssp.adriver.ru client:client qdomain:ssp.adriver.ru method:PASSTHRU rewritten:ssp.adriver.ru.whitelist.allow src_port:64707 @version:1 rewrite:rewrite tags:_grokparsefailure message:26-Sep-2018 19:04:55.243 rpz: info: client 172.16.6.69#64707 (ssp.adriver.ru): rpz QNAME PASSTHRU rewrite ssp.adriver.ru via ssp.adriver.ru.whitelist.allow via:via host:dnsfw01 rpz2:rpz _id:PwMWFmYB8oYdXOCf-GXG _type:doc _index:logstash-rpzlog-20

JSON (field view):
@timestamp      September 26th 2018, 19:04:56.097
@version        1
_id             PwMWFmYB8oYdXOCf-GXG
_index          logstash-rpzlog-2018.09.26
_score          -
_type           doc
client          client
clientipaddr    172.16.6.69
dnsfw_method    QNAME
host            dnsfw01
log_category    info
message         26-Sep-2018 19:04:55.243 rpz: info: client 172.16.6.69#64707 (ssp.adriver.ru): rpz QNAME PASSTHRU rewrite ssp.adriver.ru via ssp.adriver.ru.whitelist.allow
method          PASSTHRU
path            /var/lib/bind/rpz.log
qdomain         ssp.adriver.ru
quried_domain   ssp.adriver.ru
rewrite         rewrite
rewritten       ssp.adriver.ru.whitelist.allow
rpz             rpz
rpz2            rpz
src_port        64707
tags            _grokparsefailure
timestamp       26-Sep-2018 19:04:55.243
via             via
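As an added example (not code from any post on this page), the following Python parser turns the raw BIND RPZ line in the question's `message` field into the same fields the ELK pipeline produced. The regex uses named capture groups, so the same pattern can also serve as a Splunk field extraction (props.conf `EXTRACT-` stanza, since Splunk's PCRE accepts `(?P<name>...)`); the second and third sample lines and the `timestamp_iso` field are my additions.

```python
import re
from datetime import datetime

# Constructed sample input: the raw line quoted in the question, a second
# line invented here with a different RPZ policy, and one that will not match.
SAMPLE_LINES = [
    "26-Sep-2018 19:04:55.243 rpz: info: client 172.16.6.69#64707 "
    "(ssp.adriver.ru): rpz QNAME PASSTHRU rewrite ssp.adriver.ru "
    "via ssp.adriver.ru.whitelist.allow",
    "26-Sep-2018 19:05:01.010 rpz: info: client 10.0.0.5#53211 (bad.example): "
    "rpz QNAME NXDOMAIN rewrite bad.example via bad.example.rpz.local",
    "26-Sep-2018 19:05:02.000 rpz: info: something unexpected",
]

# Named groups reuse the ELK field names from the question (keeping the
# original 'quried_domain' spelling so existing searches still match).
# Splunk's PCRE also accepts (?P<name>...), so this pattern can be reused
# as-is in a props.conf EXTRACT-rpz stanza.
RPZ_RE = re.compile(
    r"^(?P<timestamp>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"rpz: (?P<log_category>\w+): "
    r"client (?P<clientipaddr>[0-9A-Fa-f.:]+)#(?P<src_port>\d+) "
    r"\((?P<quried_domain>[^)]+)\): "
    r"rpz (?P<dnsfw_method>[A-Z-]+) (?P<method>[A-Z-]+) "
    r"rewrite (?P<qdomain>\S+) via (?P<rewritten>\S+)$"
)

def parse_rpz_line(line):
    """Return the extracted fields, or None when the line does not match
    (the equivalent of Logstash tagging an event _grokparsefailure)."""
    m = RPZ_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    # Normalise the BIND timestamp to ISO 8601 so it sorts and indexes cleanly.
    fields["timestamp_iso"] = datetime.strptime(
        fields["timestamp"], "%d-%b-%Y %H:%M:%S.%f").isoformat(timespec="milliseconds")
    return fields

def parse_all(lines):
    """Parse many lines; unmatched ones are counted rather than silently dropped."""
    parsed = [f for f in map(parse_rpz_line, lines) if f is not None]
    return parsed, len(lines) - len(parsed)

if __name__ == "__main__":
    events, failures = parse_all(SAMPLE_LINES)
    for ev in events:
        print(ev["timestamp_iso"], ev["clientipaddr"], ev["method"], ev["quried_domain"], "->", ev["rewritten"])
    print(failures, "line(s) did not match")
```

Keeping a count of unmatched lines is worth carrying over to Splunk as well, since a silent extraction failure hides exactly the events a forensic search is looking for.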

anthonymelita
Contributor

It looks like you are using colon as your key:value delimiter. In that case you can send the logs in the existing format to Splunk and configure delimiter extraction.
See https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Exampleconfigurationsusingfieldtransfo...

0 Karma

codebuilder
Influencer

Yes. There is an app designed specifically for this.

https://splunkbase.splunk.com/app/4175/

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

highsplunker
Contributor

Hi @ganesh1793

Did you find the solution?
I guess I have a similar problem.

0 Karma