cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
asabatini
Splunk Employee
Member since: ‎04-27-2023
‎03-01-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎04-27-2023
Activity Feed
Topics I've Started
View All

Re: rebuild a syslog event

by Splunk Employee in Getting Data In
‎02-28-2024 03:05 AM
‎02-28-2024 03:05 AM
Hi @scelikok  I agree with you, I would show you my props and transforms conf file props.conf [custom_syslog] transforms-rebuild = group1 SHOULD_LINEMERGE = false   Transforms [group1] REGEX = (?<group1>.+\s\-\s\-\s\-\s).*.auditID.:.(?<group2>[\w-]+)..*requestURI.:.(?<group3>[^,]+).+username.:.(?<group4>[^,]+).+sourceIPs....(?<group5>\d+.\d+.\d+.\d+) FORMAT = group1::$1, group2::$2, group5::$3, group3::$4, group4::$5   Did I forget something in the conf files? Regards Alessandro ... View more

rebuild a syslog event

by Splunk Employee in Getting Data In
‎02-27-2024 09:32 AM
‎02-27-2024 09:32 AM
Hi Folks,   I have a quick question. currently I have a syslog event and I need to see in splunk the raw data the info in different order: Example original syslog (?<field1>REGEX),(?<field2>REGEX),(?<field3>REGEX),  etc....... what I want to see indexed in splunk (?<field1>REGEX),(?<field3>REGEX),,(?<TIMESTAP>REGEX),(?<field2>REGEX). I tried with SED command in props.conf is really useful to clean the data but not to reorder the info.   Thanks in advance Alex   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-01-2024 12:43 PM
Karma given to
View All