I am trying to import "LEEF" formatted data (from an IBM mainframe) into Splunk, but none of the name / value pairs are recognized. There is a question in the Splunk community from 2011 regarding this same issue which was not answered. Should I just use the manual field extraction for this type of data, or is this a known log format which Splunk can handle?
See sample log event below:
"LEEF:1.0|IBM|RACF|2.2.1|80 27.0|devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ devTime=2017-02-27T14:01:47.630-0500 usrName=U020005 name=LISA DODARO usrPriv= usrGroups= ICTXname= ICTXreg= job=JB0 27 Feb 2017 14:01:46.26 U0200051 intent= allow= class=MXADMIN prof= res= vol= dsn= sens= own= box= terminal= poe= logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) auth= desc=Success reason= appl= sum=RACF GENERAL success for U020005: logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), ACCESS EQUATES TO (NONE) cmd="
Thanks Dan. Problem solved. Woodcock, thank you also for taking the time to respond.
Best regards,
Steve Rogers
What was your final solution? Post it here and Accept it (or maybe you used mine, so click Accept on that one).
Working solution:
In props.conf:
[LEEF_csv]
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
disabled = false
pulldown_type = true
REPORT-leef = LEEF_KVP
In transforms.conf:
[LEEF_KVP]
REGEX = (\w+)=([^=]+)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = true
I used the solution provided by Dan [Splunk]. Thanks again for your assistance.
Please do post the actual solution so that others can learn. That's the point.
Sorry about that. I thought everyone could see the code posted by Dan.
Like this...
In props.conf:
[YourSourcetypeHere]
TRANSFORMS-index_time_field_extractions = LEEF_KVP
#REPORT-search_time_field_extractions = LEEF_KVP
In transforms.conf:
[LEEF_KVP]
REGEX = (\w+)=([^=]+)(?:\s+|$)
FORMAT = $1::$2
MV_ADD = true
Thanks very much for your prompt response. I will try adding those configurations.
MV_ADD = [true|false]
* NOTE: This attribute is only valid for search-time field extractions.
Thus, you need to use REPORT- not TRANSFORMS-
Good point.
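As an added illustration (not code from the thread or from Splunk), the script below applies the exact REGEX from the LEEF_KVP stanza to the sample event from the question and emulates what `FORMAT = $1::$2` with `MV_ADD = true` produces at search time. It makes three behaviours of that regex visible that the config alone does not: keys with empty values (`usrPriv=`, `intent=`, `cmd=` and so on) yield no field at all, because `[^=]+` needs at least one character before the next key; values containing spaces (`name=LISA DODARO`, the whole `logstr=...` text) survive intact, because the match can only end at whitespace that precedes the next `key=`; and the repeated `logstr` key becomes a two-value field rather than being overwritten. The header split and the function names are my own assumptions about a LEEF 1.0 record (`LEEF:version|vendor|product|version|eventID|attributes`); the sample event is the one from the question with the surrounding quotes removed.

```python
import re

# Constructed sample: the RACF event posted in the question, with the outer
# quotes that wrapped it in the post stripped so the record starts at "LEEF:".
SAMPLE_EVENT = (
    "LEEF:1.0|IBM|RACF|2.2.1|80 27.0|devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ "
    "devTime=2017-02-27T14:01:47.630-0500 usrName=U020005 name=LISA DODARO "
    "usrPriv= usrGroups= ICTXname= ICTXreg= job=JB0 27 Feb 2017 14:01:46.26 U0200051 "
    "intent= allow= class=MXADMIN prof= res= vol= dsn= sens= own= box= terminal= poe= "
    "logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), "
    "ACCESS EQUATES TO (NONE) auth= desc=Success reason= appl= "
    "sum=RACF GENERAL success for U020005: "
    "logstr=CSQH RESLEVEL CHECK PERFORMED AGAINST PROFILE(MQGP.RESLEVEL), CLASS(MXADMIN), "
    "ACCESS EQUATES TO (NONE) cmd="
)

# The REGEX from the transforms.conf stanza in the thread, used unchanged.
LEEF_KVP = re.compile(r"(\w+)=([^=]+)(?:\s+|$)")

# Assumed LEEF 1.0 header layout: LEEF:version|vendor|product|version|eventID|
HEADER_FIELDS = ("leef_version", "vendor", "product", "product_version", "event_id")


def split_leef_header(event):
    """Separate the pipe-delimited LEEF header from the key=value payload."""
    parts = event.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record")
    header = dict(zip(HEADER_FIELDS, parts[:5]))
    header["leef_version"] = header["leef_version"][len("LEEF:"):]
    return header, parts[5]


def extract_kvp(payload):
    """Emulate REPORT-leef: every regex match becomes field::value.

    MV_ADD = true means a key seen twice keeps both values (multivalue field)
    instead of the second overwriting the first, so values are kept as lists.
    """
    fields = {}
    for key, value in LEEF_KVP.findall(payload):
        fields.setdefault(key, []).append(value)
    return fields


def missing_keys(payload, fields):
    """Keys written as 'key=' in the payload that produced no field.

    These are the empty-valued attributes the regex silently skips; knowing
    they are absent matters when a search later filters on them.
    """
    present = set(re.findall(r"(\w+)=", payload))
    return sorted(present - set(fields))


if __name__ == "__main__":
    header, payload = split_leef_header(SAMPLE_EVENT)
    fields = extract_kvp(payload)
    print("header:", header)
    for key, values in fields.items():
        print(f"{key}::{' | '.join(values)}")
    print("keys with empty values (no field created):", missing_keys(payload, fields))
```

Running it shows nine fields from ten matches (`logstr` carries two values) and nineteen attribute names that never become fields. If a use case needs the empty attributes present, the regex has to be changed to allow an empty value, which the thread's stanza deliberately does not do.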