Running Splunk on Windows 2003. I am getting the events, but it seems my regex is not working right on the event.
Sample syslog event:
Feb 10 13:40:24 066.082.009.081 TPS,1,HN-IP,67.143.66.109,PC-IP,67.143.66.110,OUT,0,IN,0,update.intervideo.com:80,http://update.intervideo.com/Ping.asp
It should be converted to the following fields:
FORMAT = host::$1 record_type::$2 hn_ip::$3 pc_ip::$4 bytes_out::$5 bytes_in::$6 domain::$7
However, it is not working. Could someone give me a clue as to what's wrong with the regex?
REGEX = ^.*[^\:]*\d\d\:\d\d\:\d\d[^\:]*?\s(\d+\.\d+\.\d+\.\d+)\s[^,]+,([^,]+),HN-IP,([^,]+),PC-IP,([^,]+),OUT,([^,]+),IN,([^,]+),([^,]+),[[bc_uri]]
[Hughes_TPS]
#Feb 10 13:40:24 066.082.009.081 TPS,1,HN-IP,67.143.66.109,PC-IP,67.143.66.110,OUT,0,IN,0,update.intervideo.com:80,http://update.intervideo.com/Ping.asp
REGEX = ^.*[^\:]*\d\d\:\d\d\:\d\d[^\:]*?\s(\d+\.\d+\.\d+\.\d+)\s[^,]+,([^,]+),HN-IP,([^,]+),PC-IP,([^,]+),OUT,([^,]+),IN,([^,]+),([^,]+),[[bc_uri]]
FORMAT = host::$1 record_type::$2 hn_ip::$3 pc_ip::$4 bytes_out::$5 bytes_in::$6 domain::$7
inputs.conf
[udp://514]
sourcetype = syslog
no_appending_timestamp = true
[host::192.168.10:81]
sourcetype = HughesTPS
KV_MODE = none
REPORT-syslog = Hughes_TPS
SEGMENTATION = inner
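One way to check what the posted transform actually captures, before touching Splunk, is to run the same regex against the sample event offline. The script below is an added example, not part of the question or of Splunk's own configuration. Splunk's `[[bc_uri]]` is a modular regex defined in Splunk's default transforms.conf; since its exact definition is not on this page, the script assumes a stand-in of `(?P<uri>\S+)` for it, and the `FIELD_NAMES` list mirrors the `FORMAT` line from the post.

```python
import re

# Constructed copy of the sample event from the question.
SAMPLE = ("Feb 10 13:40:24 066.082.009.081 TPS,1,HN-IP,67.143.66.109,"
          "PC-IP,67.143.66.110,OUT,0,IN,0,update.intervideo.com:80,"
          "http://update.intervideo.com/Ping.asp")

# The REGEX exactly as posted in the [Hughes_TPS] stanza.
SPLUNK_REGEX = (r"^.*[^\:]*\d\d\:\d\d\:\d\d[^\:]*?\s(\d+\.\d+\.\d+\.\d+)\s[^,]+,"
                r"([^,]+),HN-IP,([^,]+),PC-IP,([^,]+),OUT,([^,]+),IN,([^,]+),"
                r"([^,]+),[[bc_uri]]")

# Assumption: Splunk resolves [[bc_uri]] from its default transforms.conf;
# the real modular regex is not on the page, so a non-space run stands in.
BC_URI_STANDIN = r"(?P<uri>\S+)"

# Field names in the order given by the posted FORMAT line ($1 .. $7).
FIELD_NAMES = ["host", "record_type", "hn_ip", "pc_ip",
               "bytes_out", "bytes_in", "domain"]


def compile_transform(regex: str) -> re.Pattern:
    """Expand the modular-regex reference and compile the result."""
    return re.compile(regex.replace("[[bc_uri]]", BC_URI_STANDIN))


def extract_fields(event: str, regex: str = SPLUNK_REGEX,
                   names=FIELD_NAMES):
    """Return the fields the transform would produce for one event,
    or None when the regex does not match at all (the case that makes
    a REPORT- extraction silently yield nothing)."""
    match = compile_transform(regex).search(event)
    if match is None:
        return None
    # groups() returns the seven numbered captures followed by the
    # named uri capture; zip pairs the first seven with FIELD_NAMES.
    fields = dict(zip(names, match.groups()[: len(names)]))
    fields["uri"] = match.group("uri")
    return fields


if __name__ == "__main__":
    result = extract_fields(SAMPLE)
    if result is None:
        print("no match: the regex never fires on this event")
    else:
        for name, value in result.items():
            print(f"{name}::{value}")
```

Run as-is it prints one `name::value` line per capture for the sample event, so a mismatch between what you expect for `$N` and what the group really holds is visible immediately; feeding it a real line copied out of Splunk (rather than the hand-typed sample) is the first thing to try when the extraction works here but not in search.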