Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Issue filtering specific logs on UF
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue filtering specific logs on UF
Hi,
I have recently started building apps on splunk. I am monitoring a log file on the UF , containing logs from various applications and trying to fetch specific alert logs from a containing "VERITAS-COMMAND-CENTRAL-MIB". Below are the files I have configured for the the requirement. Issue is, the logs are getting tagged to a different source type(snmptrapd) instead of the intended one (st_netbackup) . Both my enterprise and UF are on 7.1.4 version.
inputs.conf
[monitor:///var/log/snmptrapd.log]
disabled = 0
index = acn_backup_netbackup_tier1_idx
index = main
host = XX.XX.XX.XX
System level outputs.con
[tcpout:acn-dev1-route-group]
server = xx.xx.xx.xx:9997
props.conf
[source::/var/log/snmptrapd.log]
description = Netbackup log file
TRANSFORMS-set = removeNETSNMPHeader,removeOther
TRANSFORMS-route = parseNetbackup
SEDCMD-community = s/community (\w+)/community *****/g
BREAK_ONLY_BEFORE = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
TIME_FORMAT = %Y-%m-%d %T
TRANSFORMS-customsourcetype = st_netbackup
transforms.conf
[st_netbackup]
REGEX = (!?)VERITAS-COMMAND-CENTRAL-MIB
DEST_KEY = MetaData:Sourcetype
FORMAT = st_netbackup
[removeNETSNMPHeader]
REGEX =NET-SNMP version*
DEST_KEY = queue
FORMAT = nullQueue
[removeOther]
REGEX = (.)
DEST_KEY = queue
FORMAT = nullQueue
[parseNetbackup]
REGEX = (!?)VERITAS-COMMAND-CENTRAL-MIB
DEST_KEY = _TCP_ROUTING
FORMAT = acn-dev1-route-group
Below is the log format as received on the desired index. It would be great to hear any suggestions here.
2020-01-14 04:15:27 ip-xx.xx.xx.xx.ec2.internal [UDP: [xx.xx.xx.xx]:53318->[xx.xx.xx.xx]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (753481) 2:05:34.81 SNMPv2-MIB::snmpTrapOID.0 = OID: VERITAS-COMMAND-CENTRAL-MIB::ccError VERITAS-COMMAND-CENTRAL-MIB::alertRecipients = STRING: Splunk Dev VERITAS-COMMAND-CENTRAL-MIB::alertSummary = STRING: 27 Clear Connections To Media Server ec2amaz-akg3cqb Lost VERITAS-COMMAND-CENTRAL-MIB::alertDescription = STRING: Lost contact with media server VERITAS-COMMAND-CENTRAL-MIB::policyName = STRING: Lost Contact with Media Server VERITAS-COMMAND-CENTRAL-MIB::objectType = STRING: VERITAS-COMMAND-CENTRAL-MIB::collectorName = STRING: VERITAS-COMMAND-CENTRAL-MIB::ccHost = STRING: EC2AMAZ-AKG3CQB VERITAS-COMMAND-CENTRAL-MIB::sourceId = STRING: EC2AMAZ-AKG3CQB VERITAS-COMMAND-CENTRAL-MIB::ccObject = STRING: VERITAS-COMMAND-CENTRAL-MIB::sampleData = STRING: VERITAS-COMMAND-CENTRAL-MIB::ccAlertSeverity = STRING: Major VERITAS-COMMAND-CENTRAL-MIB::ccAlertTime = STRING: Tue Jan 14 04:15:27 UTC 2020
host =xx.xx.xx.xxsource = /var/log/snmptrapd.logsourcetype = snmptrapd
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
