I'm trying to use our Splunk environment as a replacement for an older syslog server. We have multiple indexers, and we've set up a load balancer in front of them to handle packets coming in on UDP port 514 and spread the packets out across the indexers. That part works well, but I'm having trouble with the appropriate props and transforms configurations to get those incoming events into the correct indexes. I assume I'm just overlooking something silly, but I need another set of eyes.

We're using a small app that's being deployed from a cluster master to the indexers, with these three configuration files:

inputs.conf (yes, port 5140 is intentional; the load balancer handles the port translation):

[udp:5140]
disabled = 0
connection_host = ip
source = syslog
sourcetype = syslog

props.conf:

[source::udp:5140]
TRANSFORMS = override_index_f5, override_sourcetype_f5

transforms.conf:

[override_index_f5]
SOURCE_KEY = _raw
REGEX = (.*)f5-svc-ip=(.*)
DEST_KEY = _MetaData:Index
FORMAT = f5_connlog

[override_sourcetype_f5]
SOURCE_KEY = _raw
REGEX = (.*)f5-svc-ip=(.*)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::f5:connection-log

The intent of the above is to take events that look like this:

Jul 14 09:22:33 10.24.43.13 LOCAL1.INFO: Jul 14 2021 09:22:33 f5-svc-ip=1.2.3.201, f5-svc-port=636, externalip=2.3.4.91, externalport=13703, internalip=5.6.7.9, internalport=13703

and route them to the "f5_connlog" index with the "f5:connection-log" sourcetype. Instead, these events are landing in the "main" index (since no other index is specified), with the "syslog" sourcetype. I assume that's happening because the events aren't matching, but the regex I'm using is about as simple as can be. (Obviously, once I figure out what I'm doing wrong, there will be more transforms, but this is a small, simple test case.)

So, wise folks, what am I overlooking?

As a related question, is it possible to perform multiple actions on a single match? In the above I'm using the same SOURCE_KEY and the same regex, so is it possible to combine the sourcetype and index transforms into a single stanza? I know they're two separate things, but it just feels slightly redundant to have to run the same regex twice.
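Added example, not part of the post and not Splunk code: a small Python model of how a props.conf stanza is selected for an event and how the transforms it lists rewrite the index and sourcetype, run over the sample event from the post. It relies on two documented Splunk behaviours: `source = syslog` in inputs.conf sets the event's source field (so the event no longer carries the default source `udp:5140`), and a `[source::X]` props stanza is matched against that source field. The host value, the `main` default index, the dict-based config representation and all function names are constructed for this example; `$n` capture substitution in FORMAT and stanza precedence rules are not modelled.

```python
import fnmatch
import re

# Constructed sample event, copied from the line shown in the post.
SAMPLE_EVENT = (
    "Jul 14 09:22:33 10.24.43.13 LOCAL1.INFO: Jul 14 2021 09:22:33 "
    "f5-svc-ip=1.2.3.201, f5-svc-port=636, externalip=2.3.4.91, "
    "externalport=13703, internalip=5.6.7.9, internalport=13703"
)

# Fields the posted [udp:5140] input assigns to every event it receives.
# "source = syslog" replaces the default source "udp:5140"; the host comes
# from connection_host = ip and the default index is assumed to be "main".
INPUT_FIELDS = {"source": "syslog", "sourcetype": "syslog",
                "host": "10.24.43.13", "index": "main"}

# transforms.conf from the post, keyed by stanza name (one DEST_KEY each).
TRANSFORMS = {
    "override_index_f5": {
        "SOURCE_KEY": "_raw",
        "REGEX": r"(.*)f5-svc-ip=(.*)",
        "DEST_KEY": "_MetaData:Index",
        "FORMAT": "f5_connlog",
    },
    "override_sourcetype_f5": {
        "SOURCE_KEY": "_raw",
        "REGEX": r"(.*)f5-svc-ip=(.*)",
        "DEST_KEY": "MetaData:Sourcetype",
        "FORMAT": "sourcetype::f5:connection-log",
    },
}

# props.conf as posted, plus two variants keyed on what the input really sets.
PROPS_AS_POSTED = {"source::udp:5140": ["override_index_f5", "override_sourcetype_f5"]}
PROPS_BY_INPUT_SOURCE = {"source::syslog": ["override_index_f5", "override_sourcetype_f5"]}
PROPS_BY_SOURCETYPE = {"syslog": ["override_index_f5", "override_sourcetype_f5"]}

# DEST_KEY -> (event field it rewrites, FORMAT prefix Splunk expects for it)
DEST_KEYS = {
    "_MetaData:Index": ("index", ""),
    "MetaData:Sourcetype": ("sourcetype", "sourcetype::"),
    "MetaData:Host": ("host", "host::"),
}


def stanza_matches(stanza, fields):
    """Does a props.conf stanza header select an event with these fields?
    [source::X] and [host::X] are compared (with * wildcards) against that
    field; a bare [X] header is a sourcetype stanza."""
    for prefix in ("source::", "host::"):
        if stanza.startswith(prefix):
            return fnmatch.fnmatchcase(fields[prefix[:-2]], stanza[len(prefix):])
    return fields["sourcetype"] == stanza


def regex_matches(name, raw=SAMPLE_EVENT, transforms=TRANSFORMS):
    """True if the named transform's REGEX matches raw (in isolation)."""
    return re.search(transforms[name]["REGEX"], raw) is not None


def apply_transforms(raw, fields, props, transforms=TRANSFORMS):
    """Run the transforms listed by every props stanza that selects the event.
    Returns a copy of fields with index/sourcetype/host rewritten wherever a
    transform's REGEX matched its SOURCE_KEY (literal FORMAT values only)."""
    result = dict(fields)
    result["_raw"] = raw
    for stanza, names in props.items():
        if not stanza_matches(stanza, result):
            continue
        for name in names:
            t = transforms[name]
            if not re.search(t["REGEX"], result.get(t["SOURCE_KEY"], "")):
                continue
            field, prefix = DEST_KEYS[t["DEST_KEY"]]
            if not t["FORMAT"].startswith(prefix):
                raise ValueError(f"{name}: FORMAT for {t['DEST_KEY']} must start with {prefix!r}")
            result[field] = t["FORMAT"][len(prefix):]
    del result["_raw"]
    return result


if __name__ == "__main__":
    print("regex matches sample event:", regex_matches("override_index_f5"))
    print("as posted:", apply_transforms(SAMPLE_EVENT, INPUT_FIELDS, PROPS_AS_POSTED))
    print("keyed on source::syslog:", apply_transforms(SAMPLE_EVENT, INPUT_FIELDS, PROPS_BY_INPUT_SOURCE))
```

Running it shows the regex matching the sample event on its own, while the posted props stanza leaves the event in `main` as `syslog` because nothing with source `syslog` ever reaches a `[source::udp:5140]` stanza; the same transforms keyed on `[source::syslog]` (or on the `[syslog]` sourcetype stanza) rewrite both fields. The model keeps one DEST_KEY per transform stanza, which mirrors the transforms.conf layout in the post, so index and sourcetype remain two stanzas here even though both test the same regex.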