Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About danbrook
danbrook
Explorer
Member since:
02-17-2017
06-05-2020
Community Statistics
| Posts | 16 |
| Solutions | 0 |
| Karma Given | 4 |
| Karma Received | 0 |
| Member Since | 02-17-2017 |
Activity Feed
- Karma Re: How to add _meta to all entries from forwarder? for srmorrison. 06-05-2020 12:49 AM
- Karma Re: Set index on indexer for martin_mueller. 06-05-2020 12:48 AM
- Karma MetaData Values: Is there a difference between DEST_KEY = _MetaData:Index versus DEST_KEY = MetaData:Index? for Murali2888. 06-05-2020 12:47 AM
- Karma Re: This AND That regex in transforms.conf? for gowen. 06-05-2020 12:46 AM
- Posted Re: How to connect multiple instances of Cisco Firepowers to Splunk using eStreamer enCore on Splunk Enterprise Security. 02-18-2020 11:30 AM
- Posted Re: Multiple Indexes from single Firepower Management Center on Getting Data In. 02-14-2020 09:59 AM
- Posted Re: How to add _meta to all entries from forwarder? on Getting Data In. 11-13-2019 02:30 AM
- Posted Re: Change index at index time (chained UFs) on Getting Data In. 06-01-2017 08:59 AM
- Posted Re: Change index at index time (chained UFs) on Getting Data In. 06-01-2017 06:50 AM
- Posted Re: Change index at index time (chained UFs) on Getting Data In. 06-01-2017 03:31 AM
- Posted Change index at index time (chained UFs) on Getting Data In. 06-01-2017 03:07 AM
- Tagged Change index at index time (chained UFs) on Getting Data In. 06-01-2017 03:07 AM
- Tagged Change index at index time (chained UFs) on Getting Data In. 06-01-2017 03:07 AM
- Tagged Change index at index time (chained UFs) on Getting Data In. 06-01-2017 03:07 AM
- Posted Maximum length of an Index name on Splunk Search. 03-24-2017 03:22 AM
- Tagged Maximum length of an Index name on Splunk Search. 03-24-2017 03:22 AM
- Tagged Maximum length of an Index name on Splunk Search. 03-24-2017 03:22 AM
- Posted Re: Regex to match two fields in transforms.conf on Splunk Search. 03-16-2017 12:18 PM
- Posted Re: Regex to match two fields in transforms.conf on Splunk Search. 03-16-2017 08:20 AM
- Posted Regex to match two fields in transforms.conf on Splunk Search. 03-16-2017 06:06 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-18-2020
11:30 AM
Similar setup for me but I have 1 FMC and 1 Indexer. I have multiple domain on the FMC and am trying to send logs to seperate indexes. Can the same client.pkcs12 file and password be used under each domain?
... View more
02-14-2020
09:59 AM
I too would like to know this. I have one FMC with multiple domains. I would like to send each domain to a custom index and/or be able to select the domain/index from the dashboard. I'm not sure of the best way to approach this.
... View more
11-13-2019
02:30 AM
I too am having the same issue. I'd like to understand exactly how this works.
... View more
06-01-2017
08:59 AM
The Intermediate Forward is a Universal Forwarder. The custom metadata is being added to the logs.
... View more
06-01-2017
03:31 AM
The custom field is set like this on the intermediate forwarder:
[default]
_meta = customfield::ACustomString
... View more
06-01-2017
03:07 AM
I am collecting Windows Event Logs via either a Windows Event Collector or directly from each Windows server (with a Splunk UF installed). I am then using an intermediate forwarder to send to our indexers. This is due to network setup and location of the servers.
I have custom metadata that the intermediate forwarder is adding to identify where the logs are coming from and use in the index name.
The problem I am having is that the Windows Event Logs are hitting the Main index and not the one I've specified in transforms.
On the intermediate forwarder I have:
inputs.conf
[splunktcp:9997]
acceptFrom = *
On the destination Indexer I have:
props.conf
[source::WinEventLog:ForwardedEvents]
TRANSFORMS-Host = Set-Host-ComputerName
TRANSFORMS-LogName = Set-Sourcetype-LogName
TRANSFORMS-Index-Windows = Set-Index-Windows
[sourcetype::WinEventLog:*]
TRANSFORMS-Index-Windows = Set-Index-Windows
...
transforms.conf
[Set-Host-ComputerName]
REGEX = (?m)ComputerName=(.+)?\b
DEST_KEY = MetaData:Host
FORMAT = host::$1
[Set-Sourcetype-LogName]
REGEX = (?m)LogName=(.+)?\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::windows:event:$1
[Set-Index-Windows]
SOURCE_KEY = MetaData:customfield
REGEX = (.+)
DEST_KEY = _MetaData:Index
FORMAT = index-$1-win-event
... View more
03-24-2017
03:22 AM
We are planning on some long and detailed index names. I'd like to know if there is a maximum length an Index name can be?
... View more
03-16-2017
12:18 PM
Ah ha! Yes I add the MyCustomField on the input from a Universal Forwarder. I want to set the index name based on the value in MyCustomField so maybe I can match in props.conf for the source and then pull out the value for MyCustomField to build the Index name.
props.conf
[source::syslog]
TRANSFORMS-Index-Syslog = Set-Index-Syslog
transforms.conf
[Set-Index-Syslog]
SOURCE_KEY = MetaData:MyCustomField
REGEX = (.*)
DEST_KEY = _MetaData:Index
FORMAT = index-$1-Syslog
... View more
03-16-2017
06:06 AM
I'm looking to match against two fields in transforms.conf. I would like to match against a customer _meta field and the source field then route to a specific index based on that. There is a good reason for me not matching on inputs.conf that I won't go into here.
I would like to match
regex=MyCustomField::somestring AND regex=source::syslog
I'd also like to be able to test this in search before committing it to transforms.conf
... View more
02-18-2017
04:19 PM
That's now working! Thanks. Just a though, do I need the SOURCE_KEY part?
... View more
02-18-2017
03:58 PM
Thanks Martin! That's working now. I must admit I'm still fuzzy on the why but I'm getting there. Many more Splunk Docs to read!
... View more
02-18-2017
02:39 PM
OK, I now have this:
transforms.conf
[Set-Index]
SOURCE_KEY = MetaData:Source
REGEX = source::WinEventLog:ForwardedEvents
DEST_KEY = _MetaData:Index
FORMAT = MyIndex
The logs are still hitting the main index.
... View more
02-18-2017
08:38 AM
Thanks, just spotted that. Corrected but logs still aren't being match or changed. So either the Regex is wrong or..?
... View more
02-17-2017
04:40 PM
I'm trying to set up Windows Event Log collection via chained Universal Forwarders to my Indexer. I'm not able to set the index in inputs.conf so am trying to set it on the indexer but with no luck. I'm also manipulating the source ype and host field to show the original values, which is working fine.
So far I have:
props.conf
[source::WinEventLog:ForwardedEvents]
TRANSFORMS-Index = Set-Index
TRANSFORMS-Host = Set-Host-ComputerName
TRANSFORMS-LogName = Set-Sourcetype-LogName
transforms.conf
[Set-Index]
SOURCE_KEY = MetaData:Source
REGEX source::WinEventLog:ForwardedEvents
DEST_KEY = _MetaData:Index
FORMAT = index::MyIndex**
[Set-Host-ComputerName]
REGEX = (?m)ComputerName=(.*)?\b
DEST_KEY = MetaData:Host
FORMAT = host::$1
[Set-Sourcetype-LogName]
REGEX = (?m)LogName=(.*)?\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::WinEventLog:$1
My struggle is with setting the index at index time.
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
