How do I index with regex using props.conf/transforms.conf ?

brianpreston
Path Finder

I'm trying to put logs which match a regex into a different index ("audit_private") than the one they come in with ("syslog_general_public").

Yet: My logs are all still in the original index, and not "audit_private".

Q: What am I doing wrong here?
Q: How can I see the regex working or not? Right now I'm changing the .conf files, restarting splunk, and watching the search results.

On the indexer:

All these directories exist, are mode 700, and are owned by splunk:
- /misc/cloud2/splunk/
- /misc/cloud2/splunk/hot
- /misc/cloud2/splunk/warm
- /misc/cloud2/splunk/hot/audit_private
- /misc/cloud2/splunk/warm/audit_private

In /opt/splunk/etc/system/local :

inputs.conf: this is how all the logs come in, with their default index

[tcp://:10514]
index = syslog_general_public
sourcetype = syslog
connection_host = dns

indexes.conf: this defines the indexes and where they are stored

[volume:hot]
path = /misc/cloud2/splunk/hot

[volume:cold]
path = /misc/cloud2/splunk/warm

[audit_private]
homePath = volume:hot/audit_private
coldPath = volume:cold/audit_private
thawedPath = /misc/cloud2/splunk/thawed/audit_private

[syslog_general_public]
homePath = volume:hot/syslog_general_public
coldPath = volume:cold/syslog_general_public
thawedPath = /misc/cloud2/splunk/thawed/syslog_general_public

props.conf: points to the regex/transform

[syslog_audit_log_change_index_transform]
TRANSFORMS-syslog_audit_log_change_index = syslog_audit_log_change_index

transforms.conf: the transform! This has the simplest regex.

[syslog_audit_log_change_index]
REGEX = audit_log
DEST_KEY = _MetaData:Index
FORMAT = audit_private

I've also tried adding

WRITE_META = true

...but it didn't seem to make a difference.

Note: Every time I change the regex or props.conf I restart splunk.

This regex is supposed to work on this line:

2015-12-08T14:28:01.740023-05:00 dev-web-1006 audit_log type=USER_END msg=audit(1449602881.734:8461017): user pid=17294 uid=0 auid=0 ses=1243580 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

I've also tried more elaborate regex, like

REGEX = ^[^ ]+\s+\S+\s+audit_log\s+type=\S+\s+msg=audit\(\S+\)\:.*msg=\'.*\'

MuS
Legend

Your inputs.conf sets the sourcetype to syslog, but in your props.conf you're using [syslog_audit_log_change_index_transform]. This should be [syslog] instead, and remember to restart Splunk after the change.

brianpreston
Path Finder

As MuS mentions, it was definitely my props.conf:

  • the name of the stanza should match the sourcetype
  • the sourcetype was set in inputs.conf

I've since added a second transform, and listed them both in that one props.conf stanza:

props.conf:

[syslog]
TRANSFORMS-syslog_audit_log_change_index = syslog_audit_log_change_index, syslog_haproxy_change_index

transforms.conf:

[syslog_audit_log_change_index]
REGEX = audit_log
DEST_KEY = _MetaData:Index
FORMAT = audit_private
WRITE_META = true

[syslog_haproxy_change_index]
REGEX = haproxy\[\d+\]
DEST_KEY = _MetaData:Index
FORMAT = haproxy_private
WRITE_META = true
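
The second question in this thread asked how to tell whether the regex is matching without editing conf files, restarting Splunk and searching. The following is an added example (my own code, not from the thread or from Splunk) that simulates the props.conf/transforms.conf index routing offline, using Python's re module as a stand-in for Splunk's PCRE engine; it assumes transforms run in list order with the last matching one winning, and reproduces the original mistake: a props stanza named after the transform instead of the sourcetype never fires.

```python
import re
import configparser

# transforms.conf text taken from the thread's final configuration.
TRANSFORMS_CONF = r"""
[syslog_audit_log_change_index]
REGEX = audit_log
DEST_KEY = _MetaData:Index
FORMAT = audit_private
WRITE_META = true

[syslog_haproxy_change_index]
REGEX = haproxy\[\d+\]
DEST_KEY = _MetaData:Index
FORMAT = haproxy_private
WRITE_META = true
"""

# props.conf [syslog] stanza, reduced to sourcetype -> ordered transform names.
PROPS = {"syslog": ["syslog_audit_log_change_index", "syslog_haproxy_change_index"]}

# Constructed sample event (the audit line quoted in the question, shortened).
AUDIT_EVENT = ("2015-12-08T14:28:01.740023-05:00 dev-web-1006 audit_log type=USER_END "
               "msg=audit(1449602881.734:8461017): user pid=17294 uid=0 auid=0")

def load_transforms(text):
    """Parse transforms.conf stanzas into {stanza_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep REGEX/DEST_KEY/FORMAT exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def route_event(raw, sourcetype, default_index, props=PROPS, transforms=None):
    """Return the index an event ends up in after its sourcetype's transforms run.
    Assumption: transforms apply in list order and the last matching one wins."""
    transforms = transforms if transforms is not None else load_transforms(TRANSFORMS_CONF)
    index = default_index
    for name in props.get(sourcetype, []):  # no stanza for this sourcetype -> nothing runs
        t = transforms[name]
        if t.get("DEST_KEY") == "_MetaData:Index" and re.search(t["REGEX"], raw):
            index = t["FORMAT"]
    return index

if __name__ == "__main__":
    print(route_event(AUDIT_EVENT, "syslog", "syslog_general_public"))  # audit_private
```

Passing the misnamed props stanza (`{"syslog_audit_log_change_index_transform": [...]}`) as `props` leaves the event in syslog_general_public, which is exactly the symptom described above.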

vya9836
New Member

2015-12-08T14:28:01.740023-05:00 dev-web-1006 audit_log type=USER_END msg=audit(1449602881.734:8461017): user pid=17294 uid=0 auid=0 ses=1243580 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

For this data I am trying to extract the res=success' field with some regex, but it is not extracting. Do you have that regex? If you have it, please send it to me.
