Solved: Does Splunk recognize LEEF formatted?

steveirogers · ‎03-06-2017

I am trying to import "LEEF" formatted data (from an IBM mainframe) into Splunk, but none of the name / value pairs are recognized. There is question in Splunk community from 2011 regarding this same issue which was not answered. Should I just use the manual field extraction for this type of data or is this a known log format which Splunk can handle?

See sample log event below:
"LEEF:1.0|IBM|RACF|2.2.1|80 27.0|devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ devTime=2017-02-27T14:01:47.630-0500 usrName=U020005 name=LISA DODARO usrPriv= usrGroups= ICTXname= ICTXreg= job=JB0 27 Feb 2017 14:01:46.26 U0200051 intent= allow= class=MXADMIN prof= res= vol= dsn= sens= own= box= terminal= poe= logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) auth= desc=Success reason= appl= sum=RACF GENERAL success for U020005: logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) cmd="

steveirogers · ‎03-13-2017

Thanks Dan. Problem solved. Woodcock, thank you also for taking the time to responsd.

Best regards,
Steve Rogers

View solution in original post

steveirogers · ‎03-13-2017

Thanks Dan. Problem solved. Woodcock, thank you also for taking the time to responsd.

Best regards,
Steve Rogers

woodcock · ‎03-14-2017

What was your final solution? Post it here and Accept it (or maybe you used mine, so click Accept on that one).

steveirogers · ‎03-14-2017

Working solution:
in props.conf:
[LEEF_csv]
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-leef = LEEF_KVP

in transforms.conf:
[LEEF_KVP]
REGEX = (\w+)=([^=]+)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = true

steveirogers · ‎03-14-2017

I used the solution provided by Dan [Splunk]. Thanks again for your assistance.

woodcock · ‎03-14-2017

Please do post the actual solution so that others can learn. That's the point.

steveirogers · ‎03-14-2017

Sorry about that. I thought everyone could see the code posted by Dan.

woodcock · ‎03-06-2017

Like this...

In props.conf:

[YourSourcetypeHere]
TRANSFORMS-index_time_field_extractions = LEEF_KVP
#REPORT-search_time_field_extractions = LEEF_KVP

In transforms.conf:

[LEEF_KVP]
REGEX = (\w+)=([^=]+)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = true

steveirogers · ‎03-06-2017

Thanks very much for you prompt response. I will try adding those configurations.

Dan · ‎03-13-2017

MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.

Thus, you need to use REPORT- not TRANSFORMS-

woodcock · ‎03-13-2017

Good point.

Does Splunk recognize LEEF formatted?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor