
Unable to use regex in monitor stanza in inputs

deepak02
Path Finder

Hi,

Please help me troubleshoot.

WHAT I NEED: I have to assign sourcetypes based on the log file being read into Splunk.

The mapping I am supposed to use is given below.
[Image attachment: sourcetype mapping table (not reproduced)]

WHAT IS MY ISSUE: The logs are not getting uploaded into Splunk (maybe because regex is not allowed in monitor://).

WHAT I HAVE USED:
The inputs.conf I am using is as given below,

[monitor://cib\logs\httpd\(inf_)?(un)?mana[\w\d-.]*_access_log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:infaccess


[monitor://cib\logs\httpd\(inf_)?(un)?mana[\w\d-.]*_error_log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:inferror


[monitor://cib\logs\httpd\(inf_)?(un)?mana[\w\d-.]*_direct_access_log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:infdirectaccess


[monitor://cib\logs\httpd\(inf_)?(un)?mana[\w\d-.]*_perf_log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:infperf



[monitor://cib\logs\WebLogs\retailCustomerProfile-Audit-(un)?mana[\w\d-.]*log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:jvmaudit



[monitor://cib\logs\WebLogs\retailCustomerProfile-(un)?mana[\w\d-.]*log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:jvm


[monitor://cib\logs\WebLogs\retailCustomerProfile-Performance-(un)?mana[\w\d-.]*log]
disabled = false
index = cibr
recursive = true
sourcetype = app:WRWFP:jvmperf

Thanks,
Deepak

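Added example, not part of deepak02's post or micahkemp's answer: the same inputs.conf written the way Splunk's monitor input actually supports. A monitor:// path accepts only the `*` (one path segment) and `...` (any depth) wildcards, never a regex; the regex moves into the stanza's `whitelist` and `blacklist` settings, which Splunk matches against the full file path. The drive letter `C:` and the assumption that every file lives directly in the two directories shown are mine, not the post's.

```ini
# Added example: monitor:// takes no regex, only * and ... wildcards.
# The regex goes into whitelist/blacklist, matched against the full path,
# so the path separator before the file name is written \\ (PCRE).
# Drive letter C: is assumed.

[monitor://C:\cib\logs\httpd\*_access_log]
whitelist = \\(inf_)?(un)?mana[\w.-]*_access_log$
# *_access_log also globs *_direct_access_log; keep those for the next stanza
blacklist = _direct_access_log$
index = cibr
sourcetype = app:WRWFP:infaccess

[monitor://C:\cib\logs\httpd\*_direct_access_log]
whitelist = \\(inf_)?(un)?mana[\w.-]*_direct_access_log$
index = cibr
sourcetype = app:WRWFP:infdirectaccess

[monitor://C:\cib\logs\httpd\*_error_log]
whitelist = \\(inf_)?(un)?mana[\w.-]*_error_log$
index = cibr
sourcetype = app:WRWFP:inferror

[monitor://C:\cib\logs\httpd\*_perf_log]
whitelist = \\(inf_)?(un)?mana[\w.-]*_perf_log$
index = cibr
sourcetype = app:WRWFP:infperf

[monitor://C:\cib\logs\WebLogs\retailCustomerProfile-Audit-*log]
whitelist = \\retailCustomerProfile-Audit-(un)?mana[\w.-]*log$
index = cibr
sourcetype = app:WRWFP:jvmaudit

[monitor://C:\cib\logs\WebLogs\retailCustomerProfile-Performance-*log]
whitelist = \\retailCustomerProfile-Performance-(un)?mana[\w.-]*log$
index = cibr
sourcetype = app:WRWFP:jvmperf

# retailCustomerProfile-*log also globs the Audit and Performance files;
# the whitelist requires (un)?mana right after the hyphen, which excludes them
[monitor://C:\cib\logs\WebLogs\retailCustomerProfile-*log]
whitelist = \\retailCustomerProfile-(un)?mana[\w.-]*log$
index = cibr
sourcetype = app:WRWFP:jvm
```

Every stanza needs a distinct monitor:// path, because two stanzas with the same name are merged into one and the second's sourcetype would silently replace the first's; the `*` suffix on each path provides that. After deploying, `splunk list inputstatus` on the forwarder shows which stanza picked up each file, which is the quickest way to confirm that an overlapping file such as `..._direct_access_log` landed where the whitelist and blacklist intend.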

micahkemp
Champion

One possible solution, if all else fails, is to bring everything in as one sourcetype, then modify the sourcetype at index time via a transform.

inputs.conf:

[monitor://<your path>]
sourcetype = tempsourcetype

props.conf:

[tempsourcetype]
TRANSFORMS-set_st = set_st_infaccess,set_st_inferror

transforms.conf:

# MetaData:Source holds "source::<path>" and REGEX is PCRE, so the path's
# backslashes must be doubled: a bare \l or \h is read as an escape, not a separator
[set_st_infaccess]
REGEX = cib\\logs\\httpd\\(inf_)?(un)?mana[\w.-]*_access_log$
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::app:WRWFP:infaccess

[set_st_inferror]
REGEX = cib\\logs\\httpd\\(inf_)?(un)?mana[\w.-]*_error_log$
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::app:WRWFP:inferror

You would create one transform per source regex/sourcetype combination.

0 Karma
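As an added example (not code from the thread), a Python check of the index-time routing micahkemp describes. Splunk applies the transforms named in `TRANSFORMS-set_st` in the order listed, and each one that matches overwrites `MetaData:Sourcetype`, so the last match wins. The script carries one regex per sourcetype in the thread's mapping, with the path separators escaped as `\\` so that `\l` and `\h` are not read as regex escapes, and runs them over constructed `source::<path>` values. It also exercises the overlap a practitioner has to order for: `mana[\w.-]*_access_log$` matches `..._direct_access_log` as well, so the direct-access transform must be listed after the access one. The file names and the `C:` drive are constructed for the example.

```python
import re

# Added example, not code from the thread. One transform per sourcetype in the
# thread's mapping, in the order they would be listed in props.conf as
#   TRANSFORMS-set_st = set_st_infaccess,set_st_infdirectaccess,...
# Splunk evaluates them in that order and each match overwrites
# MetaData:Sourcetype, so the last matching transform wins. Path separators
# are written \\ because REGEX is PCRE, where \l, \h and \( are escapes.
TRANSFORMS = [
    ("set_st_infaccess",
     r"cib\\logs\\httpd\\(inf_)?(un)?mana[\w.-]*_access_log$", "app:WRWFP:infaccess"),
    ("set_st_infdirectaccess",
     r"cib\\logs\\httpd\\(inf_)?(un)?mana[\w.-]*_direct_access_log$", "app:WRWFP:infdirectaccess"),
    ("set_st_inferror",
     r"cib\\logs\\httpd\\(inf_)?(un)?mana[\w.-]*_error_log$", "app:WRWFP:inferror"),
    ("set_st_infperf",
     r"cib\\logs\\httpd\\(inf_)?(un)?mana[\w.-]*_perf_log$", "app:WRWFP:infperf"),
    ("set_st_jvm",
     r"cib\\logs\\WebLogs\\retailCustomerProfile-(un)?mana[\w.-]*log$", "app:WRWFP:jvm"),
    ("set_st_jvmaudit",
     r"cib\\logs\\WebLogs\\retailCustomerProfile-Audit-(un)?mana[\w.-]*log$", "app:WRWFP:jvmaudit"),
    ("set_st_jvmperf",
     r"cib\\logs\\WebLogs\\retailCustomerProfile-Performance-(un)?mana[\w.-]*log$", "app:WRWFP:jvmperf"),
]


def props_transforms_line(transforms=TRANSFORMS):
    """The props.conf line that fixes the evaluation order."""
    return "TRANSFORMS-set_st = " + ",".join(name for name, _, _ in transforms)


def route_sourcetype(source, transforms=TRANSFORMS, fallback="tempsourcetype"):
    """Mimic the index-time transforms. `source` is the MetaData:Source value
    ("source::<path>"); REGEX is an unanchored search, as in Splunk.
    Returns (final sourcetype, names of every transform that matched)."""
    sourcetype, matched = fallback, []
    for name, regex, st in transforms:
        if re.search(regex, source):
            sourcetype = st          # later matches overwrite earlier ones
            matched.append(name)
    return sourcetype, matched


def reversed_order_result(source):
    """Same rules listed back to front: shows that ordering decides the overlap."""
    return route_sourcetype(source, list(reversed(TRANSFORMS)))[0]


def unescaped_pattern_fails(source):
    """The thread's REGEX with single backslashes. Python's re rejects \\l as a
    bad escape; PCRE would read \\h as horizontal whitespace and \\( as a
    literal parenthesis. Either way the real path is never matched."""
    try:
        return re.search(r"cib\logs\httpd\(inf_)?(un)?mana[\w.-]*_access_log$", source) is None
    except re.error:
        return True


# Constructed source values in Splunk's MetaData:Source form; drive C: assumed.
SAMPLE_SOURCES = {
    r"source::C:\cib\logs\httpd\inf_managed_access_log": "app:WRWFP:infaccess",
    r"source::C:\cib\logs\httpd\unmanaged_direct_access_log": "app:WRWFP:infdirectaccess",
    r"source::C:\cib\logs\httpd\inf_unmanaged-01_error_log": "app:WRWFP:inferror",
    r"source::C:\cib\logs\httpd\managed.2_perf_log": "app:WRWFP:infperf",
    r"source::C:\cib\logs\WebLogs\retailCustomerProfile-managed.log": "app:WRWFP:jvm",
    r"source::C:\cib\logs\WebLogs\retailCustomerProfile-Audit-unmanaged.log": "app:WRWFP:jvmaudit",
    r"source::C:\cib\logs\WebLogs\retailCustomerProfile-Performance-managed.log": "app:WRWFP:jvmperf",
    r"source::C:\cib\logs\httpd\other_access_log": "tempsourcetype",  # no rule matches: stays on the fallback
}

if __name__ == "__main__":
    print(props_transforms_line())
    for src, expected in SAMPLE_SOURCES.items():
        st, hits = route_sourcetype(src)
        name = src.rsplit("\\", 1)[-1]
        print(f"{name:45} -> {st:28} matched={hits}  ok={st == expected}")
    direct = r"source::C:\cib\logs\httpd\unmanaged_direct_access_log"
    print("same rules in reverse order give", reversed_order_result(direct))
```

The `unmanaged_direct_access_log` path is claimed by both `set_st_infaccess` and `set_st_infdirectaccess`; with the order above the direct-access transform runs last and wins, and with the order reversed the file would be indexed as `app:WRWFP:infaccess`. Keeping the transforms in this list, and generating the `TRANSFORMS-set_st` line from it, avoids the two drifting apart when a sourcetype is added.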