Hi,
I have just installed Splunk as I want to get some reports out of a Barracuda Spam firewall we have installed that sends all data to a syslog server. I have installed Splunk on the same machine as syslog so getting the file imported was easy.
The problem I am having is with trying to extract fields from the data as I can't seem to 'teach' the system the correct regex.
The following is an example line from syslog (anonymized, obviously):
Sep 24 15:34:59 192.168.0.1 inbound/pass1[26165]: 114-38-48-47.dynamic.hinet.net[114.38.48.47] 1285338898-663591fe0001-1ljPNx 1285338898 1285338899 RECV sender@domain.com receiver@domain.com 2 62 114.38.48.47
The data can be totally different which is why Splunk seems to have a problem with it, but the data is always in the same order:
Timestamp: Sep 24 15:34:59
Host: 192.168.0.1
Process: inbound/pass1[26165]:
Sender: 114-38-48-47.dynamic.hinet.net[114.38.48.47]
MessageID: 1285338898-663591fe0001-1ljPNx
StartTime: 1285338898
EndTime: 1285338899
Service: RECV
From: sender@domain.com
To: receiver@domain.com
ActionCode: 2
ReasonCode: 62
SenderIP: 114.38.48.47
It was all going well until I got to the ActionCode!
There is always whitespace between the 'parts' so am sure it is just a matter of getting the regex correct but am struggling.
Would appreciate some help.
Thanks.
Pete.
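As an added example (not part of the original post, and not Splunk's or Barracuda's own code), here is a single named-group regex that walks the thirteen whitespace-separated fields in the order the post lists them, together with a helper that converts it to the PCRE form Splunk expects (Splunk writes named groups as `(?<name>...)`, Python as `(?P<name>...)`). The pattern is an assumption built only from the one sample line above; the second and third sample lines are constructed to show a different-looking but same-shaped event and a line that does not fit. One deliberate choice: the `Process` field is captured without its trailing colon, so the colon is matched as a literal separator instead.

```python
import re

# Constructed pattern: one named group per field, in the order given in the post.
# Every part is whitespace-separated, so each field is \S+ unless a tighter
# pattern is safe (timestamp, epoch times, numeric codes, dotted-quad IP).
BARRACUDA_RE = re.compile(r"""
    ^(?P<Timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+
    (?P<Host>\S+)\s+
    (?P<Process>\S+):\s+
    (?P<Sender>\S+)\s+
    (?P<MessageID>\S+)\s+
    (?P<StartTime>\d+)\s+
    (?P<EndTime>\d+)\s+
    (?P<Service>\S+)\s+
    (?P<From>\S+)\s+
    (?P<To>\S+)\s+
    (?P<ActionCode>\d+)\s+
    (?P<ReasonCode>\d+)\s+
    (?P<SenderIP>\d{1,3}(?:\.\d{1,3}){3})\s*$
""", re.VERBOSE)

# Constructed sample events: the anonymized line from the post, a second line of
# the same shape with different values, and a truncated line that must not match.
SAMPLE_LINES = [
    "Sep 24 15:34:59 192.168.0.1 inbound/pass1[26165]: "
    "114-38-48-47.dynamic.hinet.net[114.38.48.47] 1285338898-663591fe0001-1ljPNx "
    "1285338898 1285338899 RECV sender@domain.com receiver@domain.com 2 62 114.38.48.47",
    "Sep 24 15:35:07 192.168.0.1 inbound/pass1[26170]: "
    "mail.example.net[203.0.113.9] 1285338907-663591fe0002-AbCdEf "
    "1285338907 1285338908 RECV alice@example.net bob@domain.com 0 7 203.0.113.9",
    "Sep 24 15:35:09 192.168.0.1 inbound/pass1[26171]: unknown[198.51.100.4]",
]


def parse_barracuda(line: str):
    """Return a dict of the 13 named fields, or None if the line does not fit the layout."""
    match = BARRACUDA_RE.match(line)
    if match is None:
        return None
    return match.groupdict()


def splunk_regex() -> str:
    """The same pattern as one line in Splunk's PCRE named-group syntax.

    VERBOSE mode ignores the pattern's own whitespace, so stripping it gives the
    compact form; Splunk wants (?<name>...) rather than Python's (?P<name>...).
    """
    compact = "".join(BARRACUDA_RE.pattern.split())
    return compact.replace("(?P<", "(?<")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = parse_barracuda(line)
        if fields is None:
            print("NO MATCH:", line)
        else:
            print(fields["MessageID"], fields["Service"], fields["ActionCode"], fields["ReasonCode"])
    print("Splunk props.conf extraction:")
    print("EXTRACT-barracuda = " + splunk_regex())
```

The string returned by `splunk_regex()` can be pasted into a `props.conf` `EXTRACT-<name>` stanza for the sourcetype, or used inline in a search with `| rex "<pattern>"`, which is a quick way to check whether a given regex reaches the `ActionCode` and `ReasonCode` groups before committing it to configuration.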