Getting Data In

Is there a way to forward parsed logs in ELK Stack to Splunk?

ganesh1793
Engager

Hello,

We have integrated ELK Stack with our application (DNS Firewall) previously for forensics. Now, we want to replace it with Splunk. But we don't know how to parse the logs in the same form as we have parsed them in ELK Stack. Is there a way to forward parsed logs in ELK to Splunk?

We have parsed the logs in the following format:

Time: September 26th 2018, 19:04:56.097
_source: log_category:info dnsfw_method:QNAME @timestamp:September 26th 2018, 19:04:56.097 rpz:rpz timestamp:26-Sep-2018 19:04:55.243 path:/var/lib/bind/rpz.log clientipaddr:172.16.6.69 quried_domain:ssp.adriver.ru client:client qdomain:ssp.adriver.ru method:PASSTHRU rewritten:ssp.adriver.ru.whitelist.allow src_port:64707 @version:1 rewrite:rewrite tags:_grokparsefailure message:26-Sep-2018 19:04:55.243 rpz: info: client 172.16.6.69#64707 (ssp.adriver.ru): rpz QNAME PASSTHRU rewrite ssp.adriver.ru via ssp.adriver.ru.whitelist.allow via:via host:dnsfw01 rpz2:rpz _id:PwMWFmYB8oYdXOCf-GXG _type:doc _index:logstash-rpzlog-20

JSON

@timestamp     September 26th 2018, 19:04:56.097
@version       1
_id            PwMWFmYB8oYdXOCf-GXG
_index         logstash-rpzlog-2018.09.26
_score         -
_type          doc
client         client
clientipaddr   172.16.6.69
dnsfw_method   QNAME
host           dnsfw01
log_category   info
message        26-Sep-2018 19:04:55.243 rpz: info: client 172.16.6.69#64707 (ssp.adriver.ru): rpz QNAME PASSTHRU rewrite ssp.adriver.ru via ssp.adriver.ru.whitelist.allow
method         PASSTHRU
path           /var/lib/bind/rpz.log
qdomain        ssp.adriver.ru
quried_domain  ssp.adriver.ru
rewrite        rewrite
rewritten      ssp.adriver.ru.whitelist.allow
rpz            rpz
rpz2           rpz
src_port       64707
tags           _grokparsefailure
timestamp      26-Sep-2018 19:04:55.243
via            via

anthonymelita
Contributor

It looks like you are using colon as your key:value delimiter. In that case you can send the logs in the existing format to Splunk and configure delimiter extraction.
See https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Exampleconfigurationsusingfieldtransfo...

0 Karma
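A worked example of both routes in the thread, added here and not part of the original post or of Splunk's documentation: a Python parse of the raw BIND RPZ line from the question's `message` field into the same field names the ELK setup produced (the Splunk equivalent is the same regex as an EXTRACT in props.conf), next to a simplified model of the space/colon delimiter extraction suggested above, which shows why values that contain spaces, such as `@timestamp` and `message`, get truncated. `RAW_LINE`, `ELK_SOURCE`, `parse_rpz` and `split_kv` are constructed names; the sample strings are copied from the question.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample: the raw BIND RPZ line shown in the question's "message" field.
RAW_LINE = ("26-Sep-2018 19:04:55.243 rpz: info: client 172.16.6.69#64707 (ssp.adriver.ru): "
            "rpz QNAME PASSTHRU rewrite ssp.adriver.ru via ssp.adriver.ru.whitelist.allow")

# Constructed sample: the start of the ELK _source string from the question.
ELK_SOURCE = ("log_category:info dnsfw_method:QNAME @timestamp:September 26th 2018, 19:04:56.097 "
              "rpz:rpz clientipaddr:172.16.6.69 src_port:64707")

# Named groups reuse the question's field names (the typo "quried_domain" is corrected).
# In Splunk props.conf the same pattern works as EXTRACT-rpz once (?P<x>...) is written (?<x>...).
RPZ_RE = re.compile(
    r"^(?P<timestamp>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"rpz: (?P<log_category>\w+): "
    r"client (?P<clientipaddr>[0-9A-Fa-f.:]+)#(?P<src_port>\d+) "
    r"\((?P<queried_domain>[^)]+)\): "
    r"rpz (?P<dnsfw_method>\w+) (?P<method>\w+) rewrite (?P<qdomain>\S+) via (?P<rewritten>\S+)$"
)


def parse_rpz(line: str) -> Optional[dict]:
    """Parse one raw RPZ line; None plays the role of ELK's _grokparsefailure tag."""
    m = RPZ_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    # Splunk would set TIME_FORMAT = %d-%b-%Y %H:%M:%S.%3N for this timestamp; Python's %f takes the 3 digits.
    fields["_time"] = datetime.strptime(fields["timestamp"], "%d-%b-%Y %H:%M:%S.%f").isoformat(timespec="milliseconds")
    return fields


def split_kv(source: str, pair_delim: str = " ", kv_delim: str = ":") -> dict:
    """Simplified model of delimiter extraction (like transforms.conf DELIMS = " ", ":").

    Every pair delimiter splits, so a value that itself contains spaces or colons
    (@timestamp, message) is cut at the first space; parse the raw line instead.
    """
    out = {}
    for token in source.split(pair_delim):
        if kv_delim in token:
            key, value = token.split(kv_delim, 1)
            out[key] = value
    return out
```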

codebuilder
Influencer

Yes. There is an app designed specifically for this.

https://splunkbase.splunk.com/app/4175/

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

highsplunker
Contributor

Hi @ganesh1793

Did you find the solution?
I guess I have a similar problem.

0 Karma