×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
alhod2si
Engager
Member since: ‎04-20-2018
‎03-10-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 4
Karma Received 0
Member Since ‎04-20-2018
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Why are the logs not properly parsing for the ...

by Splunk Employee in All Apps and Add-ons
‎09-15-2020 11:10 AM
‎09-15-2020 11:10 AM
At first glance: Begin by checking what you can see in the barracuda index. The way you've defined the UDP input, you should find data tagged with the correct host=(ip address) and a source=udp::514, even if sourcetype=barracuda* is failing.  If you do an 'All time, Real time' search on the barracuda index and see the logs, it's likely the date being parsed is skewed outside of your typical search reporting window (most people use last 24 hours.)   If there's log data but the date and time is skewed,  the REGEX extractions for the Add-on aren't a match for your log events. Possibly, the date/time on the Barracuda device itself is an issue. There's notes in the post about using https://regex101.com and a data sample to see what's matching. If the timezone of the barracuda device itself seems to be an issue, you can define a TZ setting in props.conf using source::udp514 as noted in the docs here:  Specify time zones in props.conf.     ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-10-2021 12:54 PM
Karma given to
View All