Currently our Sun systems dump all of their authentication logs to the syslog sourcetype.
I want to pull those "auth" entries out of there and put them into a different index I have setup called unix_secure
I have the following files in /opt/splunk/etc/system/local on one of my forwarder systems but it is not working.
Any thoughts?
props.conf
[syslog]
TRANSFORMS-index = AuthRedirect
transforms.conf
[AuthRedirect]
REGEX = auth.
DEST_KEY = _MetaData:Index
FORMAT = unix_secure
This configuration needs to be put into place where the data is parsed, which usually means you'd use it on an indexer. In the case of a forwarder, it will only work on a heavy forwarder. On a LWF/UF, this wouldn't work at all, as almost nothing is parsed on these instances.
Thanks jbsplunk - worked like a charm!
Glad to help! If you found this useful, please feel free to accept and upvote the answer.
This configuration needs to be put into place where the data is parsed, which usually means you'd use it on an indexer. In the case of a forwarder, it will only work on a heavy forwarder. On a LWF/UF, this wouldn't work at all, as almost nothing is parsed on these instances.