Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can someone help me on how to parse the whole log file and get each line parsed and indexed in one single index?

Tufail
Observer
‎10-13-2022 04:48 AM

Hi,
I want to use Splunk, but not sure where to start, i am new to it.


I have a situation where in, I have a log file that has all sort of logs, say category1 catergory2 and category3 etc. logs. I have dedicated regex parsers for each category say parser1 parser2 and parser3. One single log line would match to one of the parser only. If there is no suitable parser i.e. no match found, the line is not eligible to be indexed.
I want it all to happen before indexing. The log source could be either a log file or a stream of logs.
Can someone help me on how to parse the whole log file and get each line parsed and indexed in one single index, say myidx?
I understand I will have to deploy props.conf and transforms.conf, but how to configure these files to achieve this. Please help or suggest better way.
TIA

sample log lines.
1.
Sep 01 23:43:47 test_device001 test_device001 default default-log [test_domain][0x0001][mp][alert] mp(Rrocessor): trans(53)[request][109.2.x.z] gtid(127d3b333052): event((test.xsl) Transaction Initiated) TestURI(my/mapped/url) Size(0) Node((test_domain)) userID(test_uid)

2.
Sep 05 23:43:47 test_device001 test_device001 default default-log [test_domain][0x0001][mp][alert] mp(Rrocessor): trans(53)[request][109.2.x.z] gtid(127d3b33305): (set-client-idy-head.xsl)*** P O N O D E T<entry><url event((test.xsl) Transaction Initiated) TestURI(my/mapped/url) <http-method>GET</http-method>

3.
Sep 04 23:43:47 test_device001 test_device001 default default-log [test_domain][0x0001][mp][alert] mp(Rrocessor): trans(53)[request][109.2.x.z] gtid(127d3b333052): *** NODETYPE(SS) ***FLOW(HTTP{->HTTP) ***OUTG(mysite.test.com)

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2022 06:24 AM

To answer the question in the title, that is the normal process.  Each line of an input stream is parsed and indexed into a single index.

To answer the question in the message, yes, you can keep some lines and discard others using transforms.  Splunk documents the procedure at https://docs.splunk.com/Documentation/Splunk/9.0.1/Forwarding/Routeandfilterdatad#Keep_specific_even...and there are answers on the topic, including a good one at https://community.splunk.com/t5/Getting-Data-In/Filtering-events-using-NullQueue/m-p/66392

In this case, you'd need 4 transforms - one for each category to send the matches to indexQueue and the fourth to send other events to nullQueue.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...