Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

use transforms.conf or props.conf to convert multi line event to single event on forwarder level to send external to Splunk

ssyed2009
New Member
‎07-17-2018 11:09 AM

I would like to convert an event similar to the one below to be a single event when sending it out to an external Syslog server

time: 20180717112345
dn: uid=123,ou=employees,ou=ddd,ou=ddd,o=ddd,dc=ddd,dc=ddd
changetype: modify
replace: userPassword

userPassword: #####

replace: modifiersName
modifiersName: uid=ddd,ou=ddd,ou=ddd,ou=ddd,o=ddd,dc=ddd,

dc=ddd

replace: modifyTimestamp

modifyTimestamp: 20180717112345Z

replace: accountUnlockTime

replace: passwordRetryCount

passwordRetryCount: 0

replace: retryCountResetTime

replace: pwdFailureTime

replace: pwdAccountLockedTime

0 Karma
Reply

CarsonZa
Contributor
‎07-17-2018 11:25 AM

a uf will ignore props and transforms, you will need a heavy forwarder on your syslog server.

0 Karma
Reply

ssyed2009
New Member
‎07-17-2018 11:32 AM

I have a heavy forwarder on the rsyslog server but the rsyslog is taking each line as a separate event

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...