I have a datasource that I export to a text file that I need to import into Splunk. The file has a header that looks like this:
"Number" "Date" "Time" "Interface" "Origin" "Type" "Action" "Service" "Source Port" "Source" "Destination" "Protocol" "Rule" "Rule Name" "Current Rule Number" "User" "Information" "Product"
and one sample row of data
"180" "23Aug2010" "0:05:18" "eth-123" "name" "Log" "Accept" "snmp" "32913" "1.2.3.4" "name" "udp" "5" "" "7-name_PLOICY" "" "service_id: snmp" "word"
Fields of data follow after that. I would like to import and parse this data into Splunk fields.
I have created a folder on the local filesystem (local to Splunk) where I copy the files and have Splunk watch for new files. This was set up with inputs.conf:
</gre_replace>
<gr_replace lines="13-23" cat="clarify" orig="I have been">
I have been unsuccessful at setting props and transforms for this datatype.
props.conf
[source::/home/applianceadmin/Desktop/Geneva/*]
sourcetype = testcsvlog
priority = 101
[testcsvlog]
REPORT-testcsvlogextract = testcsvlog_extractions
transforms.conf
[testcsvlog_extractions]
DELIMS = " "
FIELDS = "Number","Date","Time","Interface","Origin","Type","Action","Service","Source Port","Source","Destination","Protocol","Rule","Rule Name","Current Rule Number","User","Information","Product"
[monitor:///home/applianceadmin/Desktop/Geneva]
disabled = false
followTail = 0
host = GenevaDRP
index = default
sourcetype = testcsvlog
I have been unsuccessful at setting props and transforms for this datatype.
transforms.conf
[source::/home/applianceadmin/Desktop/Geneva/*]
sourcetype = testcsvlog
priority = 101
[testcsvlog_extractions]
DELIMS=" "
FIELDS="Number","Date","Time","Interface","Origin","Type","Action","Service","Source Port","Source","Destination","Protocol","Rule","Rule Name","Current Rule Number","User","Information","Product"
props.conf
[testcsvlog]
REPORT-testcsvlogextract = testcsvlog_extractions
I am sure there are several ways to skin this problem; what is the simplest? There must be a CSV import that I can use to change the delimiter.
One other problem: no matter what I set the sourcetype to in inputs.conf, the sourcetype is set to another sourcetype I have defined. How do I change this? I suspect this is an indication that one of my settings is not correct.
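As an added illustration (not part of the original post, and not Splunk configuration), the Python below parses the header and sample row from the post into name/value pairs in two ways: with a quote-aware CSV reader using a space delimiter, and with a regex that captures each quoted field, which is the same idea a regex-based extraction would rely on. It also counts what a plain split on spaces produces, to show why a whitespace delimiter that ignores quotes misaligns field names such as "Source Port" and "Current Rule Number" against their values. The header and row strings are copied from the post; everything else is constructed for the example.

```python
import csv
import io
import re

# Header and one data row exactly as given in the post (18 quoted fields each).
HEADER_LINE = ('"Number" "Date" "Time" "Interface" "Origin" "Type" "Action" '
               '"Service" "Source Port" "Source" "Destination" "Protocol" '
               '"Rule" "Rule Name" "Current Rule Number" "User" "Information" '
               '"Product"')
ROW_LINE = ('"180" "23Aug2010" "0:05:18" "eth-123" "name" "Log" "Accept" '
            '"snmp" "32913" "1.2.3.4" "name" "udp" "5" "" "7-name_PLOICY" '
            '"" "service_id: snmp" "word"')

# Matches one double-quoted field; the capture group is the field body
# (possibly empty), so quotes are stripped and inner spaces are preserved.
QUOTED_FIELD = re.compile(r'"([^"]*)"')


def split_quote_aware(line):
    """Split a space-delimited line whose values are double-quoted.

    The csv module honours the quote characters, so a value containing a
    space stays one field and an empty "" becomes an empty string.
    """
    return next(csv.reader(io.StringIO(line.rstrip("\r\n")),
                           delimiter=" ", quotechar='"'))


def split_by_regex(line):
    """Alternative: pull out every quoted field with a regex."""
    return QUOTED_FIELD.findall(line)


def naive_split_count(line):
    """How many tokens a quote-blind split on single spaces produces."""
    return len(line.split(" "))


def parse_event(header_line, row_line):
    """Map header names to row values; refuse rows whose width differs."""
    names = split_quote_aware(header_line)
    values = split_quote_aware(row_line)
    if len(names) != len(values):
        raise ValueError(
            f"field count mismatch: {len(names)} names vs {len(values)} values")
    return dict(zip(names, values))


if __name__ == "__main__":
    event = parse_event(HEADER_LINE, ROW_LINE)
    for name, value in event.items():
        print(f"{name!r}: {value!r}")
    print("quote-aware header fields:", len(split_quote_aware(HEADER_LINE)))
    print("naive space-split header tokens:", naive_split_count(HEADER_LINE))
    print("naive space-split row tokens:", naive_split_count(ROW_LINE))
```

Running it shows 18 fields from both quote-aware parsers but 22 tokens from a plain space split of the header and 19 from the row, because "Source Port", "Rule Name", "Current Rule Number" and "service_id: snmp" all contain spaces. Any extraction that splits on spaces without honouring the quotes will therefore assign values to the wrong names from the ninth field onward.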