Splunk Search

How do I index with regex using props.conf/transforms.conf?

brianpreston
Path Finder

I'm trying to put logs which match a regex into a different index ("audit_private") than the one they come in with ("syslog_general_public").

Yet my logs are all still in the original index, and not "audit_private".

Q: What am I doing wrong here?
Q: How can I see the regex working or not? Right now I'm changing the .conf files, restarting splunk, and watching the search results.

On the indexer:

All these directories exist, are mode 700, and are owned by splunk:
- /misc/cloud2/splunk/
- /misc/cloud2/splunk/hot
- /misc/cloud2/splunk/warm
- /misc/cloud2/splunk/hot/audit_private
- /misc/cloud2/splunk/warm/audit_private

In /opt/splunk/etc/system/local :

inputs.conf: this is how all the logs come in, with their default index

[tcp://:10514]
index = syslog_general_public
sourcetype = syslog
connection_host = dns

indexes.conf: this defines the indexes and where they are stored

[volume:hot]
path = /misc/cloud2/splunk/hot

[volume:cold]
path = /misc/cloud2/splunk/warm

[audit_private]
homePath = volume:hot/audit_private
coldPath = volume:cold/audit_private
thawedPath = /misc/cloud2/splunk/thawed/audit_private

[syslog_general_public]
homePath = volume:hot/syslog_general_public
coldPath = volume:cold/syslog_general_public
thawedPath = /misc/cloud2/splunk/thawed/syslog_general_public

props.conf: points to the regex/transform

[syslog_audit_log_change_index_transform]
TRANSFORMS-syslog_audit_log_change_index = syslog_audit_log_change_index

transforms.conf: the transform! This has the simplest regex.

[syslog_audit_log_change_index]
REGEX = audit_log
DEST_KEY = _MetaData:Index
FORMAT = audit_private

I've also tried adding

WRITE_META = true

...but it didn't seem to make a difference.

Note: Every time I change the regex or props.conf I restart splunk.

This regex is supposed to work on this line:

2015-12-08T14:28:01.740023-05:00 dev-web-1006 audit_log type=USER_END msg=audit(1449602881.734:8461017): user pid=17294 uid=0 auid=0 ses=1243580 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

I've also tried more elaborate regex, like

REGEX = ^[^ ]+\s+\S+\s+audit_log\s+type=\S+\s+msg=audit\(\S+\)\:.*msg=\'.*\'

MuS
Legend

Your inputs.conf sets the sourcetype to syslog but in your props.conf you're using [syslog_audit_log_change_index_transform]. This should be [syslog] instead and remember to restart Splunk after the change.

brianpreston
Path Finder

As MuS mentions, it was definitely my props.conf:

  • the name of the stanza should match the sourcetype
  • the sourcetype was set in inputs.conf

I've since added a second transform, and listed them both in that one props.conf stanza:

props.conf:

[syslog]
TRANSFORMS-syslog_audit_log_change_index = syslog_audit_log_change_index, syslog_haproxy_change_index

transforms.conf:

[syslog_audit_log_change_index]
REGEX = audit_log
DEST_KEY = _MetaData:Index
FORMAT = audit_private
WRITE_META = true

[syslog_haproxy_change_index]
REGEX = haproxy\[\d+\]
DEST_KEY = _MetaData:Index
FORMAT = haproxy_private
WRITE_META = true
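Added example, not code from this thread or from Splunk, illustrating both MuS's answer and the corrected configuration in the follow-up above: a small Python model of the one piece of index-time processing the thread hinges on. Splunk consults the props.conf stanza named after the event's sourcetype, runs the TRANSFORMS- classes listed there in order, and a transform whose REGEX matches _raw and whose DEST_KEY is _MetaData:Index sends the event to the index named in FORMAT. Feeding the original (misnamed) props.conf and the fixed one through it against the audit_log event from the thread shows why the first left everything in syslog_general_public, and gives a way to test a routing regex offline instead of restarting Splunk and watching search results. Assumptions: Python's configparser stands in for Splunk's .conf parser, only sourcetype-named props stanzas are modelled (not [source::...] or [host::...]), and the haproxy and sshd events are constructed for the example.

```python
"""Offline model of Splunk index-time routing (props.conf + transforms.conf).
Added example, not Splunk code: the props.conf stanza named after the event's
sourcetype is consulted, each TRANSFORMS-<class> there runs in order, and a
transform whose REGEX matches _raw with DEST_KEY = _MetaData:Index sends the
event to the index in FORMAT. [source::]/[host::] stanzas are not modelled."""
import configparser
import re

# Configs from the thread: broken props.conf from the original post, fixed one
# from the follow-up (which also adds the haproxy transform).
INPUTS_CONF = """
[tcp://:10514]
index = syslog_general_public
sourcetype = syslog
connection_host = dns
"""
PROPS_CONF_BROKEN = """
[syslog_audit_log_change_index_transform]
TRANSFORMS-syslog_audit_log_change_index = syslog_audit_log_change_index
"""
PROPS_CONF_FIXED = """
[syslog]
TRANSFORMS-syslog_audit_log_change_index = syslog_audit_log_change_index, syslog_haproxy_change_index
"""
TRANSFORMS_CONF = r"""
[syslog_audit_log_change_index]
REGEX = audit_log
DEST_KEY = _MetaData:Index
FORMAT = audit_private

[syslog_haproxy_change_index]
REGEX = haproxy\[\d+\]
DEST_KEY = _MetaData:Index
FORMAT = haproxy_private
"""
# "audit" is the event quoted in the thread; "haproxy" and "sshd" are constructed
# here (one should hit the second transform, one should stay in the default index).
EVENTS = {
    "audit": ("2015-12-08T14:28:01.740023-05:00 dev-web-1006 audit_log type=USER_END "
              "msg=audit(1449602881.734:8461017): user pid=17294 uid=0 auid=0 ses=1243580 "
              "msg='op=PAM:session_close acct=\"root\" exe=\"/usr/sbin/crond\" "
              "hostname=? addr=? terminal=cron res=success'"),
    "haproxy": ("2015-12-08T14:30:12-05:00 dev-lb-01 haproxy[2231]: 10.0.0.5:51234 "
                "[08/Dec/2015:14:30:12.001] https~ web/dev-web-1006 200 \"GET /health HTTP/1.1\""),
    "sshd": ("2015-12-08T14:31:00-05:00 dev-web-1006 sshd[1234]: Accepted publickey "
             "for deploy from 10.0.0.9 port 40122 ssh2"),
}

def load_conf(text):
    """Parse Splunk-style .conf text. Keys keep their case and only '=' splits
    key from value, so 'DEST_KEY = _MetaData:Index' survives intact."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def route_event(raw, sourcetype, default_index, props, transforms):
    """Return (index, [applied transform names]) for one raw event."""
    index, applied = default_index, []
    # Only the stanza named exactly like the sourcetype is consulted; any other
    # stanza name is silently ignored, which is the original post's bug.
    if not props.has_section(sourcetype):
        return index, applied
    for key, value in props[sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            if not transforms.has_section(name):
                raise KeyError(f"props.conf references missing transform [{name}]")
            t = transforms[name]
            if t.get("DEST_KEY") != "_MetaData:Index":
                continue  # not an index-routing transform
            if re.search(t["REGEX"], raw):
                index = t["FORMAT"]
                applied.append(name)
    return index, applied

def orphan_props_stanzas(inputs, props):
    """Props stanzas that no input's sourcetype will ever select: the check that
    would have caught the original post. Heuristic only, since real stanzas may
    also be [source::...] or [host::...] patterns."""
    sourcetypes = {inputs[s].get("sourcetype") for s in inputs.sections()}
    return [s for s in props.sections() if s not in sourcetypes]

def route_all(props_text, input_stanza="tcp://:10514"):
    """Route every sample event; returns {event name: destination index}."""
    inputs, props = load_conf(INPUTS_CONF), load_conf(props_text)
    transforms = load_conf(TRANSFORMS_CONF)
    default_index = inputs[input_stanza]["index"]
    sourcetype = inputs[input_stanza]["sourcetype"]
    return {name: route_event(raw, sourcetype, default_index, props, transforms)[0]
            for name, raw in EVENTS.items()}

if __name__ == "__main__":
    for label, text in (("broken", PROPS_CONF_BROKEN), ("fixed", PROPS_CONF_FIXED)):
        print(label, "orphan props stanzas:", orphan_props_stanzas(load_conf(INPUTS_CONF), load_conf(text)))
        for name, idx in route_all(text).items():
            print(f"  {name:8s} -> {idx}")
```

Run it directly: with the broken props.conf every event stays in syslog_general_public and orphan_props_stanzas() flags [syslog_audit_log_change_index_transform] as a stanza nothing will ever select; with the fixed one the audit_log event lands in audit_private, the haproxy event in haproxy_private, and the sshd event stays put. The model ignores WRITE_META, which is not needed for DEST_KEY routing. On a real indexer the equivalent check is `splunk btool props list syslog --debug`, which shows which file actually contributes the [syslog] stanza after the restart.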

vya9836
New Member

2015-12-08T14:28:01.740023-05:00 dev-web-1006 audit_log type=USER_END msg=audit(1449602881.734:8461017): user pid=17294 uid=0 auid=0 ses=1243580 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

For this data I am trying to extract the res=success' field with a regex, but it is not extracting. Do you have that regex? If you have it, please send it to me.
