I have an input that contains a JSON log entry from a server but because it comes in via syslog Splunk cannot decipher the JSON part of it. I know Splunk is happy just reading in JSON but this infomation needs to come in via syslog so it is prepended with the usual timestamp preamble. My approach to resolving this was to transform the syslog data from the host machine and regex the bit I need into the index. An example of the syslog entry is: <142>Feb 26 13:44:46 localhost node-3: [SyslogManagerImpl] <> INFO uvm[0]: {"serverIntf":1,"timeStamp":"2013-02-26 13:44:46.178","SClientAddr":"/88.88.8.188","sessionId":89248860551403,"tag":"uvm[0]: ","SServerPort":80,"SServerAddr":"/222.22.22.122","class":"class com.untangle.uvm.node.SessionNatEvent","SClientPort":18220} So I used this regex and when tested outside of Splunk works fine and extracts the correct data: ^(?:.*)({\".*)$ This finds the first {" and then returns it in field 2. I have however been unsuccessful in getting this to work in Splunk, it either ignores the entry completely and gives me an empty log or it just gives me the original log entry, no filtering! I've tried various queues in the transform and also grabbing the TCP port directly in props but no luck. Any help or guideance would be greatly welcomed. My files mods are below: props.conf [host::server.domain.com] NO_BINARY_CHECK = 1 pulldown_type = 1 TRANSFORMS-set=syslogremove transforms.conf [syslogremove] DEST_KEY = indexQueue SOURCE_KEY = parsingQueue DEFAULT_VALUE = failed REPEAT_MATCH = true WRITE_META = true REGEX = ^(?:.*)({\".*)$ FORMAT = set::$2 ... View more

After installing and configuring the sfgae application from the UI I keep getting "Unable to gather configuration data from splunk" in the log.txt. Am I missing some part of the setup? ... View more