We have one index, os_linux, which has 2 source types, and I see props and transforms are written.
Can you help me to understand how it's working?
Source types: linux:audit, Linux_os_syslog
props.conf
[Linux_os_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 2048
TZ = US/Eastern
transforms.conf
[linux_audit]
DEST_KEY = MetaData:Sourcetype
REGEX = type=\S+\s+msg=audit
FORMAT = sourcetype::linux:audit
[auditd_node]
REGEX = \snode=(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
@hemant_lnu wrote:
We have one index, os_linux, which has 2 source types, and I see props and transforms are written.
Can you help me to understand how it's working?
Source types: linux:audit, Linux_os_syslog
props.conf
[Linux_os_syslog]
TIME_PREFIX = ^
Tells Splunk to look for the event timestamp at the beginning of the event
TIME_FORMAT = %b %d %H:%M:%S
Tells Splunk what a timestamp looks like
MAX_TIMESTAMP_LOOKAHEAD = 15
How far from TIME_PREFIX the timestamp is allowed to be
SHOULD_LINEMERGE = false
Don't combine lines
LINE_BREAKER = ([\r\n]+)
Events break after a newline (CR and/or LF)
TRUNCATE = 2048
Cut off each event after 2048 characters
TZ = US/Eastern
Event timestamps are expected to be in this time zone
transforms.conf
[linux_audit]
DEST_KEY = MetaData:Sourcetype
REGEX = type=\S+\s+msg=audit
FORMAT = sourcetype::linux:audit
Look for "type=", some text followed by white space, then "msg=audit". If it's found, set the sourcetype field to "linux:audit"
[auditd_node]
REGEX = \snode=(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host
Look for "node=" in each event and set the 'host' field to the word that follows it.
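To make the behaviour described in the answer concrete, here is an added example (my own code, not from the post and not Splunk's implementation) that re-implements the matching logic of the two transforms stanzas and the timestamp settings from the [Linux_os_syslog] props stanza in Python, then runs them over a few constructed events. The sample events, the default host name "forwarder01" (standing in for the host the forwarder would normally assign) and the assumption that both transforms are actually invoked from props.conf via a TRANSFORMS- setting (the post does not show that line) are all assumptions of this example.

```python
"""Simulate the index-time effect of the props/transforms stanzas from the post.

Added example, not Splunk code: it re-implements the matching logic of the two
transforms and the timestamp settings with Python's re and datetime so the
behaviour can be checked against constructed events.
"""
import re
from datetime import datetime

# Settings copied from the [Linux_os_syslog] props stanza in the post.
TIME_FORMAT = "%b %d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 15
TRUNCATE = 2048

# Regexes copied from the [linux_audit] and [auditd_node] transforms stanzas.
SOURCETYPE_OVERRIDE = re.compile(r"type=\S+\s+msg=audit")
HOST_OVERRIDE = re.compile(r"\snode=(\S+)")

# Text that TIME_FORMAT could parse, searched only inside the lookahead window
# at the start of the event (TIME_PREFIX = ^).
TIMESTAMP_CANDIDATE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")

# Constructed sample events (assumptions for this example, not from the post).
SAMPLE_EVENTS = [
    "type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes node=web01.example.test",
    "Mar 14 10:22:01 web01 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50022",
    "type=USER_LOGIN msg=audit(1700000005.000:457): pid=2222 uid=0 auid=1000 res=success",
    "node=db02 type=CRED_ACQ msg=audit(1700000010.000:458): pid=3333 uid=0",
]


def parse_timestamp(event):
    """Apply TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD; None if nothing parses."""
    window = event[:MAX_TIMESTAMP_LOOKAHEAD]
    m = TIMESTAMP_CANDIDATE.match(window)
    if not m:
        return None
    try:
        # TIME_FORMAT has no %Y, so strptime defaults the year to 1900;
        # Splunk fills the year in from the current date instead.
        return datetime.strptime(m.group(1), TIME_FORMAT)
    except ValueError:
        return None


def route_event(raw, default_sourcetype="Linux_os_syslog", default_host="forwarder01"):
    """Return the index-time metadata the two transforms would produce for one event.

    default_host is a placeholder for the host value the forwarder would assign.
    """
    event = raw[:TRUNCATE]  # TRUNCATE = 2048
    sourcetype = default_sourcetype
    if SOURCETYPE_OVERRIDE.search(event):
        sourcetype = "linux:audit"  # FORMAT = sourcetype::linux:audit
    host = default_host
    host_match = HOST_OVERRIDE.search(event)
    if host_match:
        host = host_match.group(1)  # FORMAT = host::$1
    return {
        "sourcetype": sourcetype,
        "host": host,
        "timestamp": parse_timestamp(event),
        "_raw": event,
    }


def route_all(events):
    """Route a batch of events and return one metadata dict per event."""
    return [route_event(e) for e in events]


if __name__ == "__main__":
    for r in route_all(SAMPLE_EVENTS):
        print(f"{r['sourcetype']:<16} host={r['host']:<20} ts={r['timestamp']}  {r['_raw'][:40]}...")
```

Two things the run makes visible that the stanzas alone do not: the audit events carry no "Mon DD HH:MM:SS" prefix, so the [Linux_os_syslog] timestamp settings find nothing for them and the re-sourcetyped events would need their own timestamp configuration under [linux:audit]; and the "\snode=" regex needs whitespace before "node=", so the fourth sample, where node= is the first token, keeps the forwarder-assigned host. Because the host value is taken from the event body rather than from the connection, it is worth watching for events whose node= value disagrees with the host the forwarder assigned. The "%b" month abbreviation is locale dependent; run under a C/English locale to match the constructed input.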