Greetings,
I have a few PVSs coming through syslog via TCP. I have set index=pvs, sourcetype=pvs:internal (for these; there will be "externals" coming down the pipe in a few weeks) and the host=.
I have attempted to comment out the syslog stanza of the props.conf and collapsed the extract into the local/props.conf stanza automagically created when I set the sourcetype on the heavy forwarder to [pvs:internal]. So I now have this in my /opt/splunk/etc/apps/pvs/local/props.conf:
[pvs:internal]
# timestamp handling left at default (empty value)
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
# index-time sourcetype rewrite; set_sourcetype_pvs is defined in transforms.conf (not shown here)
TRANSFORMS-changesourcetype = set_sourcetype_pvs
# search-time extraction; field names come from the named capture groups in the regex
EXTRACT-PVS,src,src_port,dest,dest_port,protocol,PVS_pluginid,PVS_eventname,PVS_data,PVS_data2,PVS_risk = (?P<PVS>pvs): (?P<src>[^:]+):(?P<src_port>\d{1,5})\|(?P<dest>[^:]+):(?P<dest_port>\d{1,5})\|(?P<protocol>\d{1,3})\|(?P<PVS_pluginid>\d{1,5})\|(?P<PVS_eventname>[^\|]+)\|(?P<PVS_data>[^\|]+)\|(?P<PVS_data2>[^\|]+)?\|(?P<PVS_risk>[^\|]+)
When I ran the regex from the extract through https://regex101.com/, it seems to grab every other event (which may be a different issue), but I wanted to verify the regex.
Anyway, I am not getting any extractions, which is my real issue. Can anyone offer suggestions?
Thanks,
Dave
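A quick way to verify an EXTRACT regex offline before debugging props.conf precedence is to run the same pattern, unanchored, over a handful of representative raw events and list which named groups populate. The script below is an added example, not part of the original post or of Splunk; the regex is copied verbatim from the EXTRACT line above, and the three syslog lines are constructed samples (hypothetical hostnames and RFC 1918 addresses), not real PVS output. It also shows the behaviour of the optional PVS_data2 group when the seventh field is empty, and that an event without the literal "pvs: " token will never match.

```python
import re

# Regex copied verbatim from the EXTRACT line in the props.conf above.
PVS_EXTRACT = re.compile(
    r"(?P<PVS>pvs): (?P<src>[^:]+):(?P<src_port>\d{1,5})\|(?P<dest>[^:]+):(?P<dest_port>\d{1,5})"
    r"\|(?P<protocol>\d{1,3})\|(?P<PVS_pluginid>\d{1,5})\|(?P<PVS_eventname>[^\|]+)"
    r"\|(?P<PVS_data>[^\|]+)\|(?P<PVS_data2>[^\|]+)?\|(?P<PVS_risk>[^\|]+)"
)

# Constructed sample events (hypothetical host "sensor01" and addresses); not real PVS output.
SAMPLE_EVENTS = [
    # 1: all nine pipe-delimited fields present
    "<13>Jan 10 12:00:01 sensor01 pvs: 10.1.2.3:51234|10.1.2.4:443|6|1234|"
    "TLS Server Detection|TLS 1.2 server on port 443|cert CN example|INFO",
    # 2: seventh field empty, exercising the optional PVS_data2 group
    "<13>Jan 10 12:00:02 sensor01 pvs: 10.1.2.5:1|10.1.2.6:22|6|5678|"
    "SSH Server Detection|OpenSSH banner seen||MEDIUM",
    # 3: no "pvs: " token before the fields, so the regex cannot match
    "<13>Jan 10 12:00:03 sensor01 10.1.2.7:1|10.1.2.8:80|6|9999|"
    "HTTP Server Detection|no tag here|x|LOW",
]


def extract_pvs_fields(event):
    """Return the named groups for one raw event, or None if the regex does not match.

    re.search (not re.match) is used because Splunk EXTRACT regexes are
    unanchored and the syslog header precedes the "pvs: " token.
    """
    m = PVS_EXTRACT.search(event)
    return m.groupdict() if m else None


def check_samples(events=SAMPLE_EVENTS):
    """Run the extraction over every event.

    Returns (matched_count, unmatched_count, results) where results is a list of
    (event, fields_or_None, list_of_groups_that_came_back_empty).
    """
    results = []
    matched = 0
    for event in events:
        fields = extract_pvs_fields(event)
        if fields is None:
            results.append((event, None, []))
            continue
        matched += 1
        empty = [name for name, value in fields.items() if value is None]
        results.append((event, fields, empty))
    return matched, len(events) - matched, results


if __name__ == "__main__":
    matched, unmatched, results = check_samples()
    print(f"matched={matched} unmatched={unmatched}")
    for event, fields, empty in results:
        if fields is None:
            print("NO MATCH :", event)
            continue
        print("MATCH    :", {k: v for k, v in fields.items() if v is not None})
        if empty:
            print("  empty groups:", empty)
```

If every real event matches here but still yields no fields in Splunk, the regex is not the problem and the remaining suspects are configuration placement (the EXTRACT must live on the search head, not only the heavy forwarder) or the sourcetype the events actually carry after the TRANSFORMS rewrite.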