syslog-ng props and transforms conf for ingesting ...

chrisratliff95 · ‎12-17-2019

Hi!

I'm trying to ingest metric data from a Virtual Machine Linux box, using syslog-ng and Splunk Universal Forwarder. It's for an application, so on my windows box I'm trying to make the configuration files for transforms and props in /etc/apps/app_name/local directory. It's currently working for another box with rsyslog instead of syslog-ng. For some reason it isn't with syslog-ng.

transforms.conf

[syslog-ng_stats]
INGEST_EVAL = metric_name=Metric

[object_extraction-ng]
DELIMS=";"
FIELDS=Date,Hostname,Object,Id,Instance,Status,Type,Metric
WRITE_META = true

[metric-schema:extract_stats_metrics-ng]
METRIC-SCHEMA-MEASURES-ngstats=Hostname,Object,Id,Instance,Status,Type,Metric

props.conf

[syslog-ng-ctl]
TRANSFORMS-fieldvalue=field_extraction
TRANSFORMS-metricslog=syslog-ng_stats
TRANSFORMS-object=object_extraction-ng
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_stats_metrics-ng

I'm pretty sure these are the issue as to why it isn't working, but I don't know what I've done wrong.

I hope I explained this properly. If you need more information, let me know. I would greatly appreciate some help on this, I'm stuck.

syslog-ng props and transforms conf for ingesting data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation