Kiwi and Splunk

ihoffmann_wth · ‎06-04-2012

Hi guys,

I've tried several transformations and even field extractor but I can't get Splunk to extract the hostname out of Kiwi's syslog files.

I have created the following transformation: (?i)^[^.]*.\w+\t(?P[^\t]+) using the field extractor but even after nuking the index I can't get it to extract the hostname/IP out of my .txt syslog files, we have 1 for each device rotated once a day.

I even created a new sourcetype with no luck.

Any ideas would be appreciated.

Thank you

Damien_Dallimor · ‎06-04-2012

Being a New Zealander , I feel compelled to answer 🙂

For the "host" field , you might want to consider performing an index time transform (via entrys in props.conf and transforms.conf)

props.conf

[kiwisourcetype]
TRANSFORMS-host=extract-kiwi-host

transforms.conf

[extract-kiwi-host]
DEST_KEY = MetaData:Host
REGEX = (?i)^[^.]*.w+t([^t]+)
FORMAT = host::$1

Can you also post an example from the syslog file so I can check the accuracy of your regex ?

Kiwi and Splunk

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Developer Spotlight with Guilhem Marchand

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

Join the Conversation

Kiwi and Splunk

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Developer Spotlight with Guilhem Marchand

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...