Splunk Search

Does Splunk recognize LEEF formatted?

steveirogers
Communicator

I am trying to import "LEEF" formatted data (from an IBM mainframe) into Splunk, but none of the name / value pairs are recognized. There is a question in the Splunk community from 2011 regarding this same issue which was not answered. Should I just use the manual field extraction for this type of data or is this a known log format which Splunk can handle?

See sample log event below:
"LEEF:1.0|IBM|RACF|2.2.1|80 27.0|devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ devTime=2017-02-27T14:01:47.630-0500 usrName=U020005 name=LISA DODARO usrPriv= usrGroups= ICTXname= ICTXreg= job=JB0 27 Feb 2017 14:01:46.26 U0200051 intent= allow= class=MXADMIN prof= res= vol= dsn= sens= own= box= terminal= poe= logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) auth= desc=Success reason= appl= sum=RACF GENERAL success for U020005: logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) cmd="

0 Karma
1 Solution

steveirogers
Communicator

Thanks Dan. Problem solved. Woodcock, thank you also for taking the time to respond.

Best regards,
Steve Rogers


0 Karma

woodcock
Esteemed Legend

What was your final solution? Post it here and Accept it (or maybe you used mine, so click Accept on that one).

0 Karma

steveirogers
Communicator

Working solution:
in props.conf:
[LEEF_csv]
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-leef = LEEF_KVP

in transforms.conf:
[LEEF_KVP]
REGEX = (\w+)=([^=]+)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = true

0 Karma

steveirogers
Communicator

I used the solution provided by Dan [Splunk]. Thanks again for your assistance.

0 Karma

woodcock
Esteemed Legend

Please do post the actual solution so that others can learn. That's the point.

0 Karma

steveirogers
Communicator

Sorry about that. I thought everyone could see the code posted by Dan.

0 Karma

woodcock
Esteemed Legend

Like this...

In props.conf:

[YourSourcetypeHere]
TRANSFORMS-index_time_field_extractions = LEEF_KVP
#REPORT-search_time_field_extractions = LEEF_KVP

In transforms.conf:

[LEEF_KVP]
REGEX = (\w+)=([^=]+)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = true

steveirogers
Communicator

Thanks very much for your prompt response. I will try adding those configurations.

0 Karma

Dan
Splunk Employee

MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.

Thus, you need to use REPORT- not TRANSFORMS-
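
As an added example (my own code, not posted by anyone in this thread and not part of Splunk), the following Python reproduces what the REPORT-leef / [LEEF_KVP] transform from the two answers above produces for the sample RACF event in the question. It applies the same REGEX over the whole raw event, as a REPORT- transform does over _raw, and accumulates repeated keys into a list the way MV_ADD = true yields a multivalue field, which matters here because logstr appears twice in the event. It also splits the LEEF 1.0 header into its five pipe-delimited fields (LEEF version, vendor, product, product version, event ID). The input is the event from the question with its enclosing double quotes removed; the function and field names are my own choice.

```python
import re

# The search-time extraction from the thread: transforms.conf [LEEF_KVP] REGEX.
LEEF_KVP_RE = re.compile(r"(\w+)=([^=]+)(?:\s+|$)")

# Any "key=" preceded by start of event, whitespace or the header's last pipe.
# Used only to report which keys the extraction above produces no field for.
KEY_RE = re.compile(r"(?:^|(?<=[\s|]))(\w+)=")

# Constructed input: the RACF event from the question with its enclosing
# double quotes removed, so it ends in "cmd=" with an empty value.
SAMPLE_EVENT = (
    "LEEF:1.0|IBM|RACF|2.2.1|80 27.0|"
    "devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ devTime=2017-02-27T14:01:47.630-0500 "
    "usrName=U020005 name=LISA DODARO usrPriv= usrGroups= ICTXname= ICTXreg= "
    "job=JB0 27 Feb 2017 14:01:46.26 U0200051 intent= allow= class=MXADMIN "
    "prof= res= vol= dsn= sens= own= box= terminal= poe= "
    "logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), "
    "CLASS(MXADMIN), ACCESS EQUATES TO (NONE) auth= desc=Success reason= appl= "
    "sum=RACF GENERAL success for U020005: "
    "logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), "
    "CLASS(MXADMIN), ACCESS EQUATES TO (NONE) cmd="
)


def parse_leef_header(event):
    """Split a LEEF 1.0 header into its five pipe-delimited fields and return
    (header_dict, attribute_string). The field names are my own choice."""
    parts = event.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 event: %r" % event[:40])
    header = {
        "leef_version": parts[0][len("LEEF:"):],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
    }
    return header, parts[5]


def extract_kvp(event):
    """Apply the thread's REGEX over the whole raw event, as a REPORT-
    transform does, and collect repeated keys into a list the way
    MV_ADD = true turns them into a multivalue field."""
    fields = {}
    for key, value in LEEF_KVP_RE.findall(event):
        fields.setdefault(key, []).append(value)
    return fields


def dropped_keys(event, fields):
    """Keys present in the raw event that got no field: their value is empty,
    and [^=]+ needs at least one character before the next whitespace."""
    dropped = []
    for key in KEY_RE.findall(event):
        if key not in fields and key not in dropped:
            dropped.append(key)
    return dropped


if __name__ == "__main__":
    header, _ = parse_leef_header(SAMPLE_EVENT)
    fields = extract_kvp(SAMPLE_EVENT)
    for name, value in header.items():
        print("%-16s %s" % (name, value))
    for key, values in fields.items():
        print("%-16s %s" % (key, values if len(values) > 1 else values[0]))
    print("no field for:", ", ".join(dropped_keys(SAMPLE_EVENT, fields)))
```

Running it shows nine extracted fields, with logstr carrying two identical values, and nineteen keys (usrPriv, usrGroups, ..., cmd) that produce no field at all because their value is empty. That is worth knowing when you search on the resulting sourcetype: a missing field means the key was empty in the event, not that it was absent, and a value containing "=" would be cut short by the [^=]+ class.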

woodcock
Esteemed Legend

Good point.

0 Karma