Splunk Search

Webknight Field Extractions and Header Exclusions

hughroberts
Explorer

If anybody uses the WebKnight ISAPI filter in your environment, you will probably have spotted that the log file format can take a bit of cajoling to import neatly.

As I spent a few long hours getting the following configuration right to make the field extraction work neatly, I wanted to share it with the community to save others some time!

The main challenges I encountered with the file format are:

a) Multiple quote lines at the start of each log file.

b) Header line in a quote line with a superfluous field tag.

c) Writes to multiple log file names that have the date and other variables in the file name (if you config WebKnight to do this).

d) Splunk imports the quote lines as one multiple event.

e) The date and time information is in two separate fields, which can confuse Splunk into thinking that each field couple is a field name and field combination.

0 Karma

hughroberts
Explorer

Here are the inputs, props and transforms for your setup. The inputs.conf goes wherever your Universal Forwarder is installed. The others go on to the indexer/search. You need to put the stanzas to eliminate headers in place before you index the data; the field extractions are only applied at search time.

Tested on versions 5.0.3 and 5.0.5

Happy Splunking!

<< inputs.conf >>

[default]
host = WEBSERVER

# Wildcard picks up every rotated log, whatever date/variables are in the name (challenge c)
[monitor://C:\webknight/App.*]
sourcetype=webknight
index=webknight-index
disabled=0

<< props.conf >>

[source::C:\webknight/App.*]
sourcetype=webknight

[webknight]
NO_BINARY_CHECK = 1
# One event per line, so the quote lines are not merged into a single event (challenge d)
SHOULD_LINEMERGE=false
# Search-time field extraction
REPORT-webknightextract = webknight_extractions
# Index-time transform: must be in place before the data is indexed
TRANSFORMS-t1=eliminate_header

<< transforms.conf >>

# Semicolon-delimited columns, named in the order they appear in the file
[webknight_extractions]
DELIMS=";"
FIELDS=WAFDate,WAFTime,WAFInst,WAFEvent,WAFIPA,WAFUser,WAFHost,WAFAgent,WAFAdditions1

# Route the #Software/#Date/#LogTime/#Fields header lines to nullQueue so they are never indexed (challenges a and b)
[eliminate_header]
REGEX=^(?:#Software:|#Date:|#LogTime:|#Fields:)\s
DEST_KEY=queue
FORMAT=nullQueue

0 Karma
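An added example, not part of the original post: a small Python check that applies the same header regex and the same FIELDS list as the transforms above to a constructed log excerpt, so you can confirm offline which lines would be dropped and how the columns map before deploying. The sample lines are constructed for illustration, not genuine WebKnight output, and the whitespace stripping and the handling of extra semicolons are this script's choices, not a statement of Splunk's DELIMS behaviour.

```python
import re
from datetime import datetime

# Same pattern as the eliminate_header stanza: metadata lines routed to nullQueue.
HEADER_RE = re.compile(r"^(?:#Software:|#Date:|#LogTime:|#Fields:)\s")

# Same names and order as FIELDS in the webknight_extractions stanza.
FIELDS = ["WAFDate", "WAFTime", "WAFInst", "WAFEvent", "WAFIPA",
          "WAFUser", "WAFHost", "WAFAgent", "WAFAdditions1"]

# Constructed sample (assumption: illustrative only, not real WebKnight output).
SAMPLE_LOG = """#Software: WebKnight
#Date: 2013-11-05
#LogTime: 2013-11-05 10:00:00
#Fields: Date Time Instance Event IP User Host Agent Additions
2013-11-05;10:00:01;W3SVC1;BLOCKED;192.0.2.10;-;www.example.com;Mozilla/5.0;Encoded chars in URL
2013-11-05;10:00:02;W3SVC1;ALLOWED;192.0.2.11;-;www.example.com;curl/7.0;
2013-11-05;10:00:03;W3SVC1;BLOCKED"""


def is_header(line):
    """True for the lines the eliminate_header transform would discard."""
    return HEADER_RE.search(line) is not None


def extract_fields(line):
    """Split one data line on ';' and name the columns as DELIMS/FIELDS would.
    Returns None when a line has too few columns so it is counted as malformed
    rather than silently mis-mapped to the wrong field names."""
    parts = [p.strip() for p in line.split(";")]  # stripping is this script's choice
    if len(parts) < len(FIELDS):
        return None
    last = len(FIELDS) - 1
    parts = parts[:last] + [";".join(parts[last:])]  # keep extra ';' inside WAFAdditions1
    event = dict(zip(FIELDS, parts))
    # Challenge (e): date and time arrive as two fields; join them into one timestamp.
    event["_time"] = datetime.strptime(
        f"{event['WAFDate']} {event['WAFTime']}", "%Y-%m-%d %H:%M:%S")
    return event


def parse_log(text):
    """Return (events, headers_dropped, malformed_lines) for a whole log file."""
    events, dropped, malformed = [], 0, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if is_header(line):
            dropped += 1
            continue
        ev = extract_fields(line)
        (events if ev else malformed).append(ev if ev else line)
    return events, dropped, malformed
```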