Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

teach splunk to read data from log

fisk12
Path Finder
‎11-14-2010 09:04 PM

I have syslog from a server sending me logs from /var/log/secure (ssh). But splunk can't seem to read out some stuff from it (ex src)

The packet looks like this.

Nov 14 21:50:33 172.28.2.5 sshd[984]: Accepted password for apa from 192.168.1.5 port 42957 ssh2 tag::host=test Options| host=192.168.1.1 Wiki Options

I want the src (192.168.1.5) to appear in the "src" column.

Tags (2)
0 Karma
Reply
Highlighted

Re: teach splunk to read data from log

treinke
SplunkTrust
SplunkTrust
‎11-15-2010 01:26 PM

Sounds like you want to do some field extraction. You can give Splunk the field values and then give the results a field name. This is well documented and can be found at:

http://www.splunk.com/base/Documentation/4.1.5/User/InteractiveFieldExtractionExample

Reply
Highlighted

Re: teach splunk to read data from log

Genti
Splunk Employee
Splunk Employee
‎11-16-2010 12:28 AM

IFX works quite well, for me, but if it seems to be failing for you and you are unable to define the regex correctly through it, you could use a custom made regex and use the props.conf way of extracting fields. This is also very well documented at: http://www.splunk.com/base/Documentation/4.1.5/Knowledge/Createandmaintainsearch-timefieldextraction...

0 Karma
Reply
Highlighted

Re: teach splunk to read data from log

fisk12
Path Finder
‎11-19-2010 03:41 PM

Hmm, but say that i monitor all events in a 15 minutes interval, i have some stuff from the firewall that shows up in the "src" field. I also log some stuff from one of the linux server, and i want it to be able to show the source of the ssh stuff (or from the apache server) in the same "src" field as the firewall.

0 Karma
Reply