I have an FTP log (using VSHELL from http://www.vandyke.com/) wherein each user session gets a unique ID but the user can (and often does) send multiple files. I am trying to write a report that shows time, ID, login, IP, file, size and for the most part it works, unless the "trigger" file is the same byte count and then the report is a bit wonkey.... Essentially, the transfer line looks like: Nov 17 00:02:27 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: kai101p created directory /DIR/. Nov 17 00:02:39 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: kai101p opened /DIR/000010692381.PDF for write 940646 bytes transferred. Nov 17 00:02:40 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: kai101p opened /DIR/000010692381.tkt for write 910 bytes transferred. Nov 17 00:02:52 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: kai101p opened /DIR/000020888169.PDF for write 1032185 bytes transferred. Nov 17 00:02:52 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: kai101p opened /DIR/000020888169.tkt for write 910 bytes transferred. Nov 17 00:03:04 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: kai101p opened /DIR/000020891502.PDF for write 1045536 bytes transferred. Nov 17 00:03:04 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: kai101p opened /DIR/000020891502.tkt for write 910 bytes transferred. Nov 17 00:03:13 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: kai101p opened /DIR/110005569971.PDF for write 933715 bytes transferred. Nov 17 00:03:13 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: kai101p opened /DIR/110005569971.tkt for write 910 bytes transferred. Nov 17 00:03:13 HOST vshelld[27640]: [ID 681337 local3.notice] dbg ,2011830: [LOCAL DEBUG] RECV: CHANNEL_OPEN[session] Nov 17 00:03:13 HOST vshelld[27640]: [ID 681337 local3.notice] conn,2011830: Session channel open request accepted. Nov 17 00:03:13 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: Sftp subsystem initialized; remote version is 3. Nov 17 00:03:13 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: Sending VERSION packet to remote (3) Nov 17 00:03:13 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: Sftp subsystem terminated. Nov 17 00:03:13 HOST vshelld[27640]: [ID 681337 local3.notice] conn,2011830: Session channel has been closed (pid: none). Nov 17 00:03:13 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: Sftp subsystem terminated. Nov 17 00:03:13 HOST vshelld[27640]: [ID 681337 local3.notice] conn,2011830: Session channel has been closed (pid: none). Nov 17 00:03:13 HOST vshelld[27640]: [ID 681337 local3.notice] sftp,2011830: Sftp subsystem terminated. Nov 17 00:03:13 HOST vshelld[27640]: [ID 681337 local3.notice] conn,2011830: Session channel has been closed (pid: none). I wrote a rex to pull out the file and bytes (910 above) but when there are, multiple transfers and each file includes a 'trigger' file of (in the case of above) 910 bytes the report is inaccurate. I do a transaction based upon the vshelld[27946], which includes all the steps from connection to disconnect and multiple transfer lines (as above) so I can pull the credentialed user's name as well as remote host, etc., and when I attempt to report on time, user, file, size it generates one line per the vshelld[27640] and then lists all the files names but only lists 910 one time regardless of how many trigger files. I would think this is some sort of sub-transaction but I'm not sure how to do it and get a proper grouping...i.e. _time, file & trigger (they have the same timestamp in the log), login, clientip, etc. ,etc. Help? I hope this is enough information to get the conversation started and hopefully get somewhere closer to the answer I need. ... View more

Does anyone know of a tool that will 'expand' the monitor stanza from inputs.conf on a universalforwarder to show an example of logs to be watched? I.e., I have a monitor stanza: [monitor:///path/to/some/*/dir] whitelist = /file_name(s).log$ And before I restart splunk and do the 'hope it works' I was wondering if there was a tool that would, using Splunk's logic, show me all the files the above would 'see' for monitoring. I have multiple 'client' directories (being replaced above by the *) where some have specific logs and some do not. I would rather write one monitor for each type of log verses writing a new monitor stanza per client dir/log type. And I need to test it before pulling the trigger and not impact other, already configured, data-gathering. ... View more

My company uses ConnectDirect (C:D) as a tool for file transfer. Within the connect direct logs the hosts are referred to by the variables PNOD and SNOD where PNOD is the primary node and SNOD is the secondary node. Because C:D can either receive or send a host can be either PNOD or SNOD. The hosts are configured in a file such that: nodename Verbose_name ACCT1 "My Client's LA Site" ACCT2 "Internal PHX Site" etc... Therefore PNOD can be one of the local machine ID or the remote machine and the same for SNOD. The assumption is that when the SNOD is the local machine it is inbound traffic. When the PNOD is the local machine it is outbound traffic. Now, my question: Is it possible to have one lookup file that works for both SNOD and PNOD providing the Verbose name in reports. I.e -- File_1 Received from My Clients LA Site File_2 Sent to My Clients LA Site The only difference is in the first one it is PNOD and in the second one it is SNOD. Is this easy and I am just over looking it? Currently I have two lookup files, exactly the same, except for one is headered "SNOD,Account" and the second is headered "PDOD,SAccount". ... View more