Props/ Transforms problems - Meraki

jgorman_THG
Explorer

Hello everyone!

I'm trying to use props/transforms to set a sourcetype and change the hostname of my devices. Currently they are coming in as sourcetype=syslog.

My event looks like this:

Apr 3 22:37:36 10.77.265.178 1 1491277141.711671730 NAME_LOC_FW1 events Site-to-site VPN: notification INVALID-ID-INFORMATION received in informational exchange.

I want to extract "NAME_LOC_FW1" and change the sourcetype to meraki as well as change the host to "NAME_LOC_FW1"

I have the following props:

[syslog]
TRANFORMS-changesourcetypes = NAME_LOC_FW1

[syslog]
TRANSFORMS-changehost = NAME_LOC_FW1_HOST

And the following transforms:

[NAME_LOC_FW1]
Regex = (NAME_LOC_FW1)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::meraki

[NAME_LOC_FW1_HOST]
DEST_KEY = MetaData:Host
REGEX = (?)(NAME_LOC_FW1)
FORMAT = host::$1

This isn't working... Can anyone tell me what I'm doing wrong?

Also, this is implemented on a Heavy Forwarder.

Thanks a lot!

JG

0 Karma

myron_davis
Path Finder

What about configuring meraki to send on a different port than 514 and just force all incoming data on that port to type meraki?

0 Karma

DalJeanis
Legend

Assuming that the value in the _raw is literally NAME_LOC_FW1 and you literally want the literal NAME_LOC_FW1 as your hostname...

### props.conf
[syslog]
# One TRANSFORMS- setting, both transforms listed in order (setting names are case-sensitive)
TRANSFORMS-fw1 = NAME_LOC_FW1,NAME_LOC_FW1_HOST

##transforms.conf
[NAME_LOC_FW1]
REGEX = (NAME_LOC_FW1)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::meraki

[NAME_LOC_FW1_HOST]
REGEX = (NAME_LOC_FW1)
DEST_KEY = MetaData:Host
# MetaData:Host expects the host:: prefix, just as Sourcetype expects sourcetype::
FORMAT = host::NAME_LOC_FW1

Warning - those stanzas will redirect any event that has that literal anywhere in the event. If that is not the behavior that you would like, then the regex should be made more specific.

0 Karma

gcusello
SplunkTrust

Hi jgorman_THG,
I'm not sure about your regex; try a different one, something like this:

\w+\s\d+\s\d+:\d+:\d+\s\d+\.\d+\.\d+\.\d+\s\d+\s\d+\.\d+\s(?<host>[^ ]*)

you can try it on https://regex101.com/r/g9PJJD/1

Bye.
Giuseppe

0 Karma
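To check DalJeanis's warning about the literal match and gcusello's regex against the event from the question, here is an added Python harness that is not part of the thread: it runs the broad literal regex and the position-anchored regex over the posted event plus two constructed syslog lines, and reports what each transform would set for sourcetype and host. The second and third events are constructed here, and the named group is written in Python's `(?P<host>...)` syntax.

```python
import re

# The first event is the one posted in the question; the other two are constructed
# here to show a false positive and a second device, and are not from the thread.
EVENTS = [
    "Apr 3 22:37:36 10.77.265.178 1 1491277141.711671730 NAME_LOC_FW1 events "
    "Site-to-site VPN: notification INVALID-ID-INFORMATION received in informational exchange.",
    "Apr 3 22:40:01 10.77.1.9 jumpbox01 sshd[2201]: outbound session to NAME_LOC_FW1 closed",
    "Apr 3 22:41:15 10.77.265.179 1 1491277275.123456789 NAME_LOC_FW2 flows src=10.1.1.5 dst=8.8.8.8",
]

# Broad literal match, equivalent to REGEX = (NAME_LOC_FW1) in the thread's transforms.conf
BROAD = re.compile(r"(NAME_LOC_FW1)")

# Position-anchored regex from gcusello's reply; named group converted to Python syntax
ANCHORED = re.compile(
    r"\w+\s\d+\s\d+:\d+:\d+\s\d+\.\d+\.\d+\.\d+\s\d+\s\d+\.\d+\s(?P<host>[^ ]*)"
)


def rewrite_broad(event):
    """Mimic the literal transforms: any event containing the string is retagged.
    A host of None means the transform did not fire and the existing host stays."""
    if BROAD.search(event):
        return {"sourcetype": "meraki", "host": "NAME_LOC_FW1"}
    return {"sourcetype": "syslog", "host": None}


def rewrite_anchored(event):
    """Retag only when the Meraki field layout is present; host is the sixth field."""
    m = ANCHORED.match(event)  # match() anchors at the start of the event
    if m:
        return {"sourcetype": "meraki", "host": m.group("host")}
    return {"sourcetype": "syslog", "host": None}


if __name__ == "__main__":
    for ev in EVENTS:
        print("broad:", rewrite_broad(ev), "| anchored:", rewrite_anchored(ev))
```

The broad pattern retags the jumpbox line that merely mentions the firewall, while the anchored pattern leaves it alone and also picks up NAME_LOC_FW2 without a second stanza.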

jgorman_THG
Explorer

Hi Giuseppe!

That didn't seem to work... I agree though, it's probably a regex problem. I'm not super strong in regex...

0 Karma

gcusello
SplunkTrust

Go to regex101.com, insert your log and my regex, and verify whether it's correct; maybe there's something different in your production logs.
Using the one you inserted in this question, the regex is correct.
Bye.
Giuseppe

0 Karma