Reporting

Hmail Logfile Help

jkat54
SplunkTrust
SplunkTrust

Hi,

I need to take this type of one line log entries and format them

"SMTPD" 2056 32922 "2012-07-24 13:01:00.097" "172.0.0.1" "SENT: 220 blah.com ESMTP"

I think those are tabs.

I want splunk to create table with the following fields/columns anytime an eventsource="SMTP"
FIELDS = Type,Number,MSG_ID,Date,IP,Message

I tried putting this in props.conf
[smtp]
DELIMS = "/t"
FIELDS = Type,Number,MSG_ID,Date,IP,MSG

This is a windows installation.

Tags (2)
0 Karma
1 Solution

Ayn
Legend

The direction of your slash is wrong. It should be a backslash, not a forward slash.

Also, these settings go as a transform in transforms.conf. This transform is then referred to from props.conf. Something like this.

props.conf:

[smtp]
REPORT-smtp = getsmtpfields

transforms.conf:

[getsmtpfields]
DELIMS = "\t"
FIELDS = Type,Number,MSG_ID,Date,IP,MSG

View solution in original post

Ayn
Legend

The direction of your slash is wrong. It should be a backslash, not a forward slash.

Also, these settings go as a transform in transforms.conf. This transform is then referred to from props.conf. Something like this.

props.conf:

[smtp]
REPORT-smtp = getsmtpfields

transforms.conf:

[getsmtpfields]
DELIMS = "\t"
FIELDS = Type,Number,MSG_ID,Date,IP,MSG

jkat54
SplunkTrust
SplunkTrust

Just to add to this, i still had to add the table command to my search "table Type,Number,MSG_ID,Date,IP,MSG" and then i got exactly what I was looking for. Couldnt have done it without Ayn though. Thanks Ayn!

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...