I am trying to use Splunk to manage syslog messages at home from my router (which will use way less than 500MB a day). Using a custom firewall ruleset, I get syslog messages in this format (some field values redacted):
Dec 26 10:10:04 kernel: R0 NET_SCAN_IPV4-IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=<SRC_IP> DST=<DST_IP> LEN=40 TOS=0x00 PREC=0x20 TTL=97 ID=256 PROTO=TCP SPT=6000 DPT=1
So I went to create a custom field extraction regex (as nothing default in Splunk seems to handle syslog messages in this format), and let it develop the regex to parse out the rule name, which has values like NET_SCAN_IPV4, ROUTER_IPV4_DENY, etc. There are IPV6 versions, too, just not active yet. I test, and then go to save the regex, and I get this error thrown at me:
500 Internal Server Error
TypeError: object of type 'NoneType' has no len()
This page was linked to from http://foobar:8000/en-US/ifx?sid=1324913742.32&offset=0&namespace=search.
You are using foobar:8000, which is connected to splunkd @113966 at https://127.0.0.1:8089 on Mon Dec 26 11:03:46 2011.
Is this a bug in the current version of Splunk? I believe it is 4.2.5, downloaded yesterday (12/25/2011).
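As an added example (not part of the question and not Splunk's own code), here is a hand-written extraction for lines in this format that pulls out the rule name (NET_SCAN_IPV4, ROUTER_IPV4_DENY, IPV6 variants, ...) and the netfilter-style KEY=VALUE fields, so the regex can be checked locally before pasting it into a field extraction. The sample lines and addresses are constructed; it assumes the rule name is always preceded by the `R<n>` token shown in the sample and terminated by `-IN=`.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample lines in the format from the question (addresses are documentation ranges).
SAMPLE_LINES = [
    "Dec 26 10:10:04 kernel: R0 NET_SCAN_IPV4-IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 "
    "SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x20 TTL=97 ID=256 PROTO=TCP SPT=6000 DPT=1",
    "Dec 26 10:12:31 kernel: R0 ROUTER_IPV4_DENY-IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5353 DPT=5353",
    "Dec 26 10:15:02 kernel: R1 NET_SCAN_IPV6-IN=eth1 OUT= SRC=2001:db8::1 DST=2001:db8::2 LEN=80 PROTO=ICMPv6",
    "Dec 26 10:16:00 sshd[123]: Accepted publickey for alice from 192.0.2.3",  # not a firewall line
]

# Rule name: the token between "R<n> " and "-IN=" (assumption: every rule line carries that prefix).
RULE_RE = re.compile(r"kernel: R\d+ (?P<rule_name>[A-Z0-9_]+)-IN=")
# netfilter KEY=VALUE pairs; VALUE may be empty (e.g. "OUT="), bare flags like "DF" are skipped.
KV_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_firewall_line(line: str) -> Optional[Dict[str, str]]:
    """Return the rule name plus KEY=VALUE fields for a firewall log line, or None if it is not one."""
    m = RULE_RE.search(line)
    if m is None:
        return None
    fields = {"rule_name": m.group("rule_name")}
    # Scan only the part after the rule name so the syslog prefix is never misread as a field.
    for kv in KV_RE.finditer(line, m.end("rule_name")):
        fields[kv.group("key")] = kv.group("value")
    return fields


def count_by_rule(lines) -> Dict[str, int]:
    """Count hits per rule name, ignoring lines that are not firewall events."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_firewall_line(line)
        if parsed is not None:
            counts[parsed["rule_name"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_firewall_line(line))
    print(count_by_rule(SAMPLE_LINES))
```

The same named-group pattern, `kernel: R\d+ (?P<rule_name>[A-Z0-9_]+)-IN=`, is the form a PCRE-based extraction expects, so it can be entered by hand rather than relying on the generated regex.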