Getting Data In

Props/ Transforms problems - Meraki

jgorman_THG
Explorer

Hello everyone!

I'm trying to use props/ transforms to set a sourcetype and change the hostname of my devices. Currently they are coming in as sourcetype=syslog

My event looks like this:

Apr 3 22:37:36 10.77.265.178 1 1491277141.711671730 NAME_LOC_FW1 events Site-to-site VPN: notification INVALID-ID-INFORMATION received in informational exchange.

I want to extract "NAME_LOC_FW1" and change the sourcetype to meraki as well as change the host to "NAME_LOC_FW1"

I have the following props:

[syslog]
TRANFORMS-changesourcetypes = NAME_LOC_FW1

[syslog]
TRANSFORMS-changehost = NAME_LOC_FW1_HOST

And the following transforms:

[NAME_LOC_FW1]
Regex = (NAME_LOC_FW1)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::meraki

[NAME_LOC_FW1_HOST]
DEST_KEY = MetaData:Host
REGEX = (?)(NAME_LOC_FW1)
FORMAT = host::$1

This isn't working... Can anyone tell me what I'm doing wrong?

Also, this is implemented on a Heavy Forwarder.

Thanks a lot!

JG

0 Karma

myron_davis
Path Finder

What about configuring meraki to send on a different port than 514 and just force all incoming data on that port to type meraki?

0 Karma

DalJeanis
Legend

Assuming that the value in the _raw is literally NAME_LOC_FW1 and you literally want the literal NAME_LOC_FW1 as your hostname...

 ### props.conf
[syslog]
TRANFORMS-fw1 = NAME_LOC_FW1,NAME_LOC_FW1_HOST

##transforms.conf     
[NAME_LOC_FW1]
Regex = (NAME_LOC_FW1)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::meraki

[NAME_LOC_FW1_HOST]
DEST_KEY = MetaData:Host
REGEX = (NAME_LOC_FW1)
FORMAT = NAME_LOC_FW1

Warning - those stanzas will redirect any event that has that literal anywhere in the event. If that is not the behavior that you would like, then the regex should be made more specific.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi jgorman_THG,
I'm not sure about your regex, try with a different one, something like this

\w+\s\d+\s\d+:\d+:\d+\s\d+\.\d+\.\d+\.\d+\s\d+\s\d+\.\d+\s(?<host>[^ ]*)

you can try it on https://regex101.com/r/g9PJJD/1

Bye.
Giuseppe

0 Karma

jgorman_THG
Explorer

Hi Guiseppe!

That didn't seem to work... I agree though, it's probably a regex problem. I'm not super strong in regex...

0 Karma

gcusello
SplunkTrust
SplunkTrust

go in regex101.com and insert your log and my regex and verify if it's correct, maybe there's something different in your production logs.
Using the one you inserted in this question the regex is correct.
Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...