Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

use transforms.conf or props.conf to convert multi line event to single event on forwarder level to send external to Splunk

ssyed2009
New Member
‎07-17-2018 11:09 AM

I would like to convert an event similar to the one below to be a single event when sending it out to an external Syslog server

time: 20180717112345
dn: uid=123,ou=employees,ou=ddd,ou=ddd,o=ddd,dc=ddd,dc=ddd
changetype: modify
replace: userPassword

userPassword: #####

replace: modifiersName
modifiersName: uid=ddd,ou=ddd,ou=ddd,ou=ddd,o=ddd,dc=ddd,

dc=ddd

replace: modifyTimestamp

modifyTimestamp: 20180717112345Z

replace: accountUnlockTime

replace: passwordRetryCount

passwordRetryCount: 0

replace: retryCountResetTime

replace: pwdFailureTime

replace: pwdAccountLockedTime

0 Karma
Reply

CarsonZa
Contributor
‎07-17-2018 11:25 AM

a uf will ignore props and transforms, you will need a heavy forwarder on your syslog server.

0 Karma
Reply

ssyed2009
New Member
‎07-17-2018 11:32 AM

I have a heavy forwarder on the rsyslog server but the rsyslog is taking each line as a separate event

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...