Getting Data In

Is there a way to forward parsed logs in ELK Stack to Splunk?

ganesh1793
Engager

Hello,

We have integrated ELK Stack with our application (DNS Firewall) previously for forensics. Now, we want to replace it with Splunk. But we don't know how to parse the logs in the form in which we parsed them in ELK Stack. Is there a way to forward parsed logs in ELK to Splunk?

We have parsed the logs In the following format:

Time    _source
September 26th 2018, 19:04:56.097   log_category:info dnsfw_method:QNAME @timestamp:September 26th 2018, 19:04:56.097 rpz:rpz timestamp:26-Sep-2018 19:04:55.243 path:/var/lib/bind/rpz.log clientipaddr:172.16.6.69 quried_domain:ssp.adriver.ru client:client qdomain:ssp.adriver.ru method:PASSTHRU rewritten:ssp.adriver.ru.whitelist.allow src_port:64707 @version:1 rewrite:rewrite tags:_grokparsefailure message:26-Sep-2018 19:04:55.243 rpz: info: client 172.16.6.69#64707 (ssp.adriver.ru): rpz QNAME PASSTHRU rewrite ssp.adriver.ru via ssp.adriver.ru.whitelist.allow via:via host:dnsfw01 rpz2:rpz _id:PwMWFmYB8oYdXOCf-GXG _type:doc _index:logstash-rpzlog-20

JSON
@timestamp       September 26th 2018, 19:04:56.097
@version         1
_id              PwMWFmYB8oYdXOCf-GXG
_index           logstash-rpzlog-2018.09.26
_score           -
_type            doc
client           client
clientipaddr     172.16.6.69
dnsfw_method     QNAME
host             dnsfw01
log_category     info
message          26-Sep-2018 19:04:55.243 rpz: info: client 172.16.6.69#64707 (ssp.adriver.ru): rpz QNAME PASSTHRU rewrite ssp.adriver.ru via ssp.adriver.ru.whitelist.allow
method           PASSTHRU
path             /var/lib/bind/rpz.log
qdomain          ssp.adriver.ru
quried_domain    ssp.adriver.ru
rewrite          rewrite
rewritten        ssp.adriver.ru.whitelist.allow
rpz              rpz
rpz2             rpz
src_port         64707
tags             _grokparsefailure
timestamp        26-Sep-2018 19:04:55.243
via              via
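One concrete way to ship already-parsed Logstash/Elasticsearch documents like the one above into Splunk is the HTTP Event Collector (HEC): each event is a JSON object with `time`, `host`, `source`, `sourcetype` and an `event` body, POSTed to `/services/collector/event` with an `Authorization: Splunk <token>` header. The following is an added example written for this thread (not Splunk's, Elastic's or the poster's code). The document is constructed from the fields shown in the question, with `@timestamp` in the ISO 8601 form Elasticsearch actually stores (Kibana renders it as "September 26th 2018, ..."); the sourcetype `bind:rpz` and index `dnsfw` are assumed names.

```python
"""Turn Elasticsearch hits produced by Logstash into Splunk HEC events.

Added example for this thread, not Splunk's or the poster's code.
Elasticsearch metadata (_id, _index, _type, _score) is dropped, @timestamp
becomes the HEC `time`, host/path become host/source, and every other parsed
field stays in `event` so Splunk indexes it without re-parsing.
"""
import json
from datetime import datetime, timezone

# Constructed sample: the question's document as Elasticsearch stores it.
ES_DOC = {
    "_index": "logstash-rpzlog-2018.09.26",
    "_type": "doc",
    "_id": "PwMWFmYB8oYdXOCf-GXG",
    "_score": None,
    "_source": {
        "@timestamp": "2018-09-26T19:04:56.097Z",
        "@version": "1",
        "host": "dnsfw01",
        "path": "/var/lib/bind/rpz.log",
        "log_category": "info",
        "dnsfw_method": "QNAME",
        "method": "PASSTHRU",
        "clientipaddr": "172.16.6.69",
        "src_port": "64707",
        "qdomain": "ssp.adriver.ru",
        "rewritten": "ssp.adriver.ru.whitelist.allow",
        "tags": ["_grokparsefailure"],
        "message": "26-Sep-2018 19:04:55.243 rpz: info: client 172.16.6.69#64707 "
                   "(ssp.adriver.ru): rpz QNAME PASSTHRU rewrite ssp.adriver.ru "
                   "via ssp.adriver.ru.whitelist.allow",
    },
}

# Assumed names; use whatever sourcetype/index you define on the Splunk side.
SOURCETYPE = "bind:rpz"
INDEX = "dnsfw"


def es_to_hec_event(doc, sourcetype=SOURCETYPE, index=INDEX):
    """Map one Elasticsearch hit to one HEC event dict."""
    src = dict(doc["_source"])          # copy: never mutate the caller's hit
    ts = src.pop("@timestamp")
    # Elasticsearch writes a trailing Z; older fromisoformat() wants +00:00.
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    src.pop("@version", None)           # Logstash schema version, not useful in Splunk
    hec = {
        "time": dt.timestamp(),         # epoch seconds: keeps the original event time
        "host": src.pop("host", None),
        "source": src.pop("path", None),
        "sourcetype": sourcetype,
        "index": index,
        "event": src,                   # remaining parsed fields become indexed fields
    }
    return {k: v for k, v in hec.items() if v is not None}


def hec_batch(docs, **kw):
    """HEC accepts several JSON objects concatenated in one POST body;
    newline-separated is the readable way to do that."""
    return "\n".join(json.dumps(es_to_hec_event(d, **kw)) for d in docs)


if __name__ == "__main__":
    print(hec_batch([ES_DOC]))
```

POST the string returned by `hec_batch` to `https://<splunk>:8088/services/collector/event` (8088 is the default HEC port) with the `Authorization: Splunk <token>` header. Because `time` carries the event's own timestamp, a backfill from Elasticsearch lands at the right point on the Splunk timeline rather than at ingest time.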

anthonymelita
Contributor

It looks like you are using colon as your key:value delimiter. In that case you can send the logs in the existing format to Splunk and configure delimiter extraction.
See https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Exampleconfigurationsusingfieldtransfo...

0 Karma
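What delimiter extraction does with the line shown in the question, and the regex alternative for the raw rpz.log line, as an added example written for this thread (not Splunk's or the poster's code). The first function mimics a DELIMS-style split (pairs separated by space, key and value by the first colon): it recovers simple tokens such as `dnsfw_method:QNAME`, but any value that itself contains a space or a colon (the Kibana timestamp, the raw `message`) gets clipped or mis-keyed. The second function runs a named-group regex over the raw BIND RPZ line; the same pattern can go into a `props.conf` `EXTRACT-` setting, where named groups become Splunk fields, and it reproduces the field names the Logstash grok produced. The sample `_source` line is constructed from the question's fields; the raw line is the question's `message` value.

```python
"""Delimiter extraction vs. regex extraction for BIND RPZ events.

Added example for this thread, not Splunk's or the poster's code.
"""
import re

# Constructed sample: a Kibana-style _source line with colon-delimited pairs,
# built from the fields in the question (not copied verbatim).
SOURCE_LINE = (
    "log_category:info dnsfw_method:QNAME "
    "@timestamp:September 26th 2018, 19:04:56.097 "
    "clientipaddr:172.16.6.69 qdomain:ssp.adriver.ru method:PASSTHRU "
    "src_port:64707 host:dnsfw01"
)

# The raw rpz.log line as it appears in the question's `message` field.
RAW_LINE = (
    "26-Sep-2018 19:04:55.243 rpz: info: client 172.16.6.69#64707 "
    "(ssp.adriver.ru): rpz QNAME PASSTHRU rewrite ssp.adriver.ru "
    "via ssp.adriver.ru.whitelist.allow"
)


def delims_extract(line, pair_sep=" ", kv_sep=":"):
    """DELIMS-style extraction: split on pair_sep, then each token on the
    first kv_sep. Tokens without kv_sep are dropped; a repeated key
    overwrites the earlier value. Values containing either separator break."""
    fields = {}
    for token in line.split(pair_sep):
        if kv_sep in token:
            key, value = token.split(kv_sep, 1)
            fields[key] = value
    return fields


# Named groups carry the field names from the ELK output so saved searches
# and dashboards can be ported using the same names.
RPZ_RE = re.compile(
    r"^(?P<timestamp>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"rpz: (?P<log_category>\w+): "
    r"client (?P<clientipaddr>\d{1,3}(?:\.\d{1,3}){3})#(?P<src_port>\d+) "
    r"\((?P<quried_domain>[^)]+)\): "
    r"rpz (?P<dnsfw_method>\w+) (?P<method>\w+) "
    r"rewrite (?P<qdomain>\S+) via (?P<rewritten>\S+)$"
)


def regex_extract(line):
    """Regex extraction over the raw rpz.log line. Returns None when the
    line does not match, the case Logstash's grok tags as _grokparsefailure;
    in Splunk the event is still indexed, just without these fields."""
    m = RPZ_RE.match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print("delimiter extraction:", delims_extract(SOURCE_LINE))
    print("regex extraction:    ", regex_extract(RAW_LINE))
```

Forwarding the raw `/var/lib/bind/rpz.log` line and extracting with the regex is the robust path: the fields are derived from one fixed format, and a new log line shape shows up as a non-match you can search for rather than as silently wrong field values.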

codebuilder
Influencer

Yes. There is an app designed specifically for this.

https://splunkbase.splunk.com/app/4175/

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

highsplunker
Contributor

Hi @ganesh1793

Did you find the solution?
I guess I have a similar problem.

0 Karma