I am trying to break the events based on the realm in the example below.
My sourcetype "Iam_logs" is defined globally for almost 10 sources.
Now I want to edit the extraction for only the source="/opt/app/logs/openam/authentication.audit.json".
I have defined the props like below:
[Forgerock]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
LINE_BREAKER=([\r\n]+)(?=$|{"realm)
disabled = false
pulldown_type = 1
[source::"/opt/app/logs/openam/authentication.audit.json"]
sourcetype=Forgerock
SHOULD_LINEMERGE=false
I have updated this on the cluster master and tried to distribute it to the peers:
./splunk validate cluster-bundle
./splunk validate cluster-bundle --check-restart
./splunk show cluster-bundle-status
./splunk apply cluster-bundle
Neither the sourcetype is reflected, nor are the events broken.
Can anyone advise?
Sample event:
{"realm":"/humapp","transactionId":"--462e-950b--80936045","component":"Authentication","eventName":"AM-LOGIN-MODULE-COMPLETED","result":"FAILED","entries":[{"moduleId":"LDAP","info":{"authControlFlag":"REQUIRED","moduleClass":"LDAP","failureReason":"INVALID_PASSWORD","ipAddress":"","authLevel":"0"}}],"userId":"id=@gmail.com,ou=user,o=app,ou=services,dc=openam,dc=,dc=com","principal":["@gmail.com"],"timestamp":"2019-07-18T10:16:16.940Z","trackingIds":["ID"],"_id":"2e-950b-0f75fd67a3ae-80936047"}
{"realm":"/humapp","transactionId":"25c79b89-329b-4-80936045","component":"Authentication","eventName":"AM-LOGIN-COMPLETED","result":"FAILED","entries":[{"moduleId":"LDAP","info":{"failureReason":"INVALID_PASSWORD","ipAddress":"","authLevel":"0"}}],"userId":"id=@gmail.com,ou=user,o=APP,ou=services,dc=openam,dc=DC,dc=com","principal":["@gmail.com"],"timestamp":"2019-07-18T10:16:16.941Z","trackingIds":["13eb1756f23f3a6302"],"_id":"b-0f75fd67a3ae-80936049"}
You can do it like this:
You have to use a transform to change the sourcetype, like below:
props:
[source::/opt/app/logs/openam/authentication.audit.json]
TRANSFORMS-changesourcetype = newsourcetype
transforms:
[newsourcetype]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::Forgerock
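To check what the question's LINE_BREAKER and the answer's sourcetype transform actually do before pushing a bundle, here is an added example (not from the thread) that emulates both in Python on a constructed stream modelled on the sample events; the Python re module accepts the same regex, and the Iam_logs fallback is assumed from the question.

```python
import json
import re

# LINE_BREAKER copied from the question's props.conf. Splunk discards the text
# matched by capture group 1 and starts a new event after it; the lookahead means
# a newline only ends an event when '{"realm' (or end of stream) follows, so
# newlines inside a pretty-printed event do not split it.
LINE_BREAKER = r'([\r\n]+)(?=$|{"realm)'

# REGEX / FORMAT from the answer's transforms.conf stanza.
SOURCETYPE_REGEX = r"."
SOURCETYPE_FORMAT = "sourcetype::Forgerock"


def split_events(raw: str, line_breaker: str = LINE_BREAKER) -> list:
    """Emulate LINE_BREAKER: split the stream at capture group 1 of the regex."""
    events, start = [], 0
    for m in re.compile(line_breaker).finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def assign_sourcetype(event: str, regex: str = SOURCETYPE_REGEX,
                      fmt: str = SOURCETYPE_FORMAT) -> str:
    """Emulate the MetaData:Sourcetype transform: REGEX must match the event."""
    if re.search(regex, event, re.DOTALL) is None:
        return "Iam_logs"  # assumed: the global sourcetype from the question stays
    return fmt.split("::", 1)[1]


# Constructed sample stream modelled on the question's events: two compact
# events and one pretty-printed event whose internal newlines must not split it.
SAMPLE_STREAM = (
    '{"realm":"/humapp","eventName":"AM-LOGIN-MODULE-COMPLETED","result":"FAILED"}\n'
    '{"realm":"/humapp",\n'
    '  "eventName":"AM-LOGIN-COMPLETED",\n'
    '  "result":"FAILED"}\n'
    '{"realm":"/otherapp","eventName":"AM-LOGIN-COMPLETED","result":"SUCCESSFUL"}\n'
)


def realms(raw: str = SAMPLE_STREAM) -> list:
    """Split the stream, parse each piece as one JSON event, and return its realm."""
    return [json.loads(e)["realm"] for e in split_events(raw)]


if __name__ == "__main__":
    for ev in split_events(SAMPLE_STREAM):
        print(assign_sourcetype(ev), json.loads(ev)["realm"], ev[:40])
```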