
How to parse RADIUS log files into Splunk? What configuration is required for props and transforms?

alenseb
Communicator

Following is the RADIUS log file format that I have got. Now I need only a few of the fields from each instance. Also, you can see that two instances are separated by a blank line.
So can anyone help with the configuration of props.conf and transforms.conf to get the desired output?

Tue Aug 7 00:00:00 2012
User-Name = "xxxxxxxx"
NAS-Port = xxxxxxxx
NAS-IP-Address = xxxxxxxxu
Framed-IP-Address = xxxxxxxx
Filter-Id = " xxxxxxxx "
Class = " xxxxxxxx "
NAS-Identifier = " xxxxxxxx "
Acct-Status-Type = xxxxxxxx
Acct-Delay-Time = 0
Acct-Session-Id = " xxxxxxxx "
Acct-Authentic = RADIUS
Event-Timestamp = 1344286800
NAS-Port-Type = Ethernet
Calling-Station-Id = " xxxxxxxx "
NAS-Port-Id = " xxxxxxxx "
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Link-Count = 0
RB-Agent-Circuit-Id = " xxxxxxxx "
DSLForum-Agent-Circuit-Id = " xxxxxxxx "
DSLForum-Access-Loop-Encapsulation = ""
Timestamp = 1344286800
OSC-Service-Identifier = "DSLUsers"
Proxy-State = OSC-Extended-Id=40682
Timestamp = 1344286800

Tue Aug 7 00:00:00 2012
User-Name = " xxxxxxxx "
NAS-Port = xxxxxxxx
NAS-IP-Address = xxxxxxxx
Framed-IP-Address = xxxxxxxx
Class = "44620232:04:"
NAS-Identifier = " xxxxxxxx "
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Input-Octets = 6021
Acct-Output-Octets = 323749
Acct-Session-Id = " xxxxxxxx "
Acct-Authentic = RADIUS
Acct-Session-Time = 1348
Acct-Input-Packets = 53
Acct-Output-Packets = 3187
Acct-Terminate-Cause = User-Request
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Event-Timestamp = 1344286800
NAS-Port-Type = Ethernet
Calling-Station-Id = " xxxxxxxx "
NAS-Port-Id = " xxxxxxxx "
Service-Type = Framed-User
Framed-Protocol = PPP
Acct-Link-Count = 0
Timestamp = 1344286800
OSC-Service-Identifier = "DSLUsers"
Proxy-State = OSC-Extended-Id=24386
Timestamp = 1344286800

Thanks!!


beatus
Communicator

alenseb,
You should avoid the use of SHOULD_LINEMERGE = true and any break_before or break_after parameters. They're not required to do line breaking correctly in almost all cases. Here's what should work for you:

[radius]
SHOULD_LINEMERGE = false
TIME_FORMAT = %A %B %d %H:%M:%S %Y
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 40
LINE_BREAKER = ([\r\n]+)\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}
TRUNCATE = 99999
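To check what that LINE_BREAKER and the name = value layout actually yield before touching the indexer, here is a small parser written for this thread (added example, not the poster's data or Splunk's code). It mirrors the stanza above: a record starts at each weekday/month/day/time/year line, every "Name = value" line inside it becomes a field, quoted values with padding spaces are trimmed, and a repeated key such as Timestamp is kept as a list. The sample records are constructed.

```python
"""Parse the RADIUS accounting layout shown in the thread (added example, not
the poster's data or Splunk's code). A new record starts at each
"Tue Aug 7 00:00:00 2012" style line; each "Name = value" line is a field."""
import re
from datetime import datetime

# Same date shape beatus used in LINE_BREAKER: weekday month day time year.
DATE_LINE = re.compile(r"^\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}$")
# Split on the first "=" only, so "Proxy-State = OSC-Extended-Id=40682" survives.
KV_LINE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")

SAMPLE = """Tue Aug 7 00:00:00 2012
User-Name = " alice "
Acct-Status-Type = Start
Acct-Session-Id = " abc123 "
Proxy-State = OSC-Extended-Id=40682
Timestamp = 1344286800
Timestamp = 1344286800

Tue Aug 7 00:22:28 2012
User-Name = " alice "
Acct-Status-Type = Stop
Acct-Session-Id = " abc123 "
Acct-Terminate-Cause = User-Request
"""

def parse_records(text):
    """Return one dict per record: {"_time": datetime, "fields": {...}}."""
    records, current = [], None
    for line in text.splitlines():
        if DATE_LINE.match(line):
            # Python's strptime needs %a/%b for abbreviated names (the thread's stanzas use %A/%B).
            stamp = datetime.strptime(line, "%a %b %d %H:%M:%S %Y")
            current = {"_time": stamp, "fields": {}}
            records.append(current)
            continue
        m = KV_LINE.match(line) if current and line.strip() else None
        if not m:
            continue  # blank separator between records, or stray text
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].strip()  # '" abc123 "' -> 'abc123'
        fields = current["fields"]
        if name in fields:  # Timestamp is logged twice: keep a list, like a multivalue field
            prev = fields[name]
            fields[name] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[name] = value
    return records
```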

sudoritz
Explorer

Thanks, that WORKS 🙂


lguinn2
Legend

I think all you need is props.conf - and frankly, I think that the Splunk default settings would work just fine.
Splunk will automatically extract all the fields, as they are in name=value format. But here is a stanza for props.conf that should work as well. Note that this assumes that you set sourcetype=radius in inputs.conf.

And these props.conf entries belong on the indexer (or wherever the events are being parsed).

[radius]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
TIME_FORMAT = %A %B %d %H:%M:%S %Y

alenseb
Communicator

Thanks for the input!!

You can also try the following configuration; it works as well:

SHOULD_LINEMERGE = true
REPORT-vievents = vievents_extractions
BREAK_ONLY_BEFORE = ^(Sun|Mon|Tue|Wed|Thu|Fri|Sat)
