Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

rebuild a syslog event

asabatini
Splunk Employee
Splunk Employee
‎02-27-2024 09:32 AM

Hi Folks,

 

I have a quick question.

currently I have a syslog event and I need to see in splunk the raw data the info in different order:

Example

original syslog

(?<field1>REGEX),(?<field2>REGEX),(?<field3>REGEX),  etc.......

what I want to see indexed in splunk

(?<field1>REGEX),(?<field3>REGEX),,(?<TIMESTAP>REGEX),(?<field2>REGEX).

I tried with SED command in props.conf is really useful to clean the data but not to reorder the info.

 

Thanks in advance

Alex

 

Labels (3)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-29-2024 09:08 PM

Hi @asabatini,

I think the problem is name-capturing groups in REGEX. Using name-capturing groups will already create a field without a FORMAT parameter. 

You can try one of the below options;

Using name-capturing groups in REGEX;

[group1]
REGEX = (?<group1>.+\s\-\s\-\s\-\s).*.auditID.:.(?<group2>[\w-]+)..*requestURI.:.(?<group4>[^,]+).+username.:.(?<group5>[^,]+).+sourceIPs....(?<group3>\d+.\d+.\d+.\d+)

Without name-capturing groups in REGEX;

[group1]
REGEX = (.+\s\-\s\-\s\-\s).*.auditID.:.([\w-]+)..*requestURI.:.([^,]+).+username.:.([^,]+).+sourceIPs....(\d+.\d+.\d+.\d+)
FORMAT = group1::$1, group2::$2, group5::$3, group3::$4, group4::$5

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-27-2024 08:56 PM

Hi @asabatini,

You can reorder or modify raw data using transforms,  you need to capture parts of the messages and reorder them like $1$3$2, etc.

please see the document below;

https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Anonymizedata#Configure_the_transforms.conf_...

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

asabatini
Splunk Employee
Splunk Employee
‎02-28-2024 03:05 AM

Hi @scelikok 

I agree with you, I would show you my props and transforms conf file

props.conf

[custom_syslog]
transforms-rebuild = group1
SHOULD_LINEMERGE = false

 

Transforms

[group1]
REGEX = (?<group1>.+\s\-\s\-\s\-\s).*.auditID.:.(?<group2>[\w-]+)..*requestURI.:.(?<group3>[^,]+).+username.:.(?<group4>[^,]+).+sourceIPs....(?<group5>\d+.\d+.\d+.\d+)
FORMAT = group1::$1, group2::$2, group5::$3, group3::$4, group4::$5

 

Did I forget something in the conf files?

Regards

Alessandro

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-01-2024 03:48 AM

Hi Alessandro.

If that's your actual copy-pasted excerpt from props.conf you have

transforms-rebuild = group1

instead of

TRANSFORMS-rebuild = group1

(yes, case does matter here)

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...