Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

label fields in a flat file

udiggity
New Member
‎03-07-2011 07:11 PM

I have activity files from a vpn radius server and I'd like to label the fields as they go into splunk... I'm not even sure where to look for this info at, can someone help point me in the right direction?

Essentially I have this

03/07/2011","14:06:53","VPN","Start","username","7","common name","IP address","1878", etc and I'd like those fields to become labeled and searchable in the index. Thanks for any help you can give, I'm very new to splunk and fumbling my way through.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jasonnadeau
Explorer
‎03-07-2011 07:36 PM

You can assign a sourcetype to those VPN records and then perform field extraction on those fields you wish. I would first start by assigning the sourcetype field to the inputs.conf that collects those logs. I am assuming they are on disk so you would configure something like this

[monitor:///var/log/VPN/logfile.log]]
sourcetype=VPN_logs

Then use the Interactive field extraction specified here. There are some other ways to extract fields based upon host or based upon regular expressions. I choose to use sourcetype to do my field extractions because I can easily add another host or source of similar log files in the future. Similarly people use object groups in firewalls rather than single IP address entries because its easier to modify in the future.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jasonnadeau
Explorer
‎03-07-2011 07:36 PM

You can assign a sourcetype to those VPN records and then perform field extraction on those fields you wish. I would first start by assigning the sourcetype field to the inputs.conf that collects those logs. I am assuming they are on disk so you would configure something like this

[monitor:///var/log/VPN/logfile.log]]
sourcetype=VPN_logs

Then use the Interactive field extraction specified here. There are some other ways to extract fields based upon host or based upon regular expressions. I choose to use sourcetype to do my field extractions because I can easily add another host or source of similar log files in the future. Similarly people use object groups in firewalls rather than single IP address entries because its easier to modify in the future.

0 Karma
Reply
Solved! Jump to solution

udiggity
New Member
‎03-09-2011 11:25 AM

Thanks for the reply, sorry I just got back in to the office, so I will try this now. Thanks again, I will let you know how it goes.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top