How do i need to get a report created on search head for the network/modular inputs which are created on a Heavy Forwarder using rest Api command. ... View more

Hi vya998, Thanks for using Fluentd! The first bit is that the Splunk API plugin that you referenced is deprecated, and you should switch to sending messages over TCP or through the Splunk HTTP Event Collector. Additionally, I see that your configuration for translating and parsing data is being done on the Splunk indexer side. I would recommend translating those configurations over to Fluentd to distribute that compute layer to the endpoints so Splunk can focus on search. Fluentd has the ability to do most of the common translation on the node side including nginx, apache2, syslog [RFC 3624 and 5424], etc. Additionally, if you are interested in the Fluentd Enterprise Splunk TCP and HTTP Event Collector plugin and help in optimizing parsing and transformation logic you can email me at A at TreasureData dot com. More info for https://fluentd.treasuredata.com Thanks, Anurag ... View more

2015-12-08T14:28:01.740023-05:00 dev-web-1006 audit_log type=USER_END msg=audit(1449602881.734:8461017): user pid=17294 uid=0 auid=0 ses=1243580 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' For this data i am trying to extract res=success' field with some regex but it is not extracting, do you have that regex. if you have please send me. ... View more