Webknight Field Extractions and Header Exclusions

hughroberts
Explorer

If anybody uses the WebKnight ISAPI filter in their environment, you will probably have spotted that the log file format can take a bit of cajoling to import neatly.

As I spent a few long hours getting the following configuration right to make the field extraction work neatly, I wanted to share it with the community to save others some time!

The main challenges I encountered with the file format are:

a) Multiple quote lines at the start of each log file.

b) Header line in a quote line with a superfluous field tag.

c) Writes to multiple log file names that have the date and other variables in the file name (if you config WebKnight to do this).

d) Splunk imports the quote lines as one multiple event.

e) The date and time information is in two separate fields, which can confuse Splunk into thinking that each field couple is a field name and field combination.

0 Karma

hughroberts
Explorer

Here are the inputs, props and transforms for your set up. The inputs.conf goes wherever your UniversalForwarder is installed. The others go on to the indexer/search. You need to put the stanzas to eliminate headers in place before you index the data; the field extractions are only applied at search time.

Tested on versions 5.0.3 and 5.0.5.

Happy Splunking!

<< inputs.conf >>

[default]
host = WEBSERVER

[monitor://C:\webknight/App.*]
sourcetype=webknight
index=webknight-index
disabled=0

<< props.conf >>

[source::C:\webknight/App.*]
sourcetype=webknight

[webknight]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE=false
REPORT-webknightextract = webknight_extractions
TRANSFORMS-t1=eliminate_header

<< transforms.conf >>

[webknight_extractions]
DELIMS=";"
FIELDS=WAFDate,WAFTime,WAFInst,WAFEvent,WAFIPA,WAFUser,WAFHost,WAFAgent,WAFAdditions1

[eliminate_header]
REGEX=^(?:#Software:|#Date:|#LogTime:|#Fields:)\s
DEST_KEY=queue
FORMAT=nullQueue

0 Karma
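The following is an added example, not part of the original post, that replays what the two transforms above do so you can check them against a log file before indexing: the same header regex sends matching lines to the "nullQueue", the same nine field names are split on ";", and the separate WAFDate and WAFTime columns (challenge e) are joined into one timestamp. The log lines are constructed to resemble WebKnight's layout and are not a real capture; whitespace trimming and the handling of extra ";" in the last field are this script's own choices.

```python
import re
from datetime import datetime

# Same header filter as the [eliminate_header] stanza in the post.
HEADER_RE = re.compile(r"^(?:#Software:|#Date:|#LogTime:|#Fields:)\s")

# Same field list as the [webknight_extractions] stanza in the post.
FIELDS = ["WAFDate", "WAFTime", "WAFInst", "WAFEvent", "WAFIPA",
          "WAFUser", "WAFHost", "WAFAgent", "WAFAdditions1"]

# Constructed sample shaped like a WebKnight log file (not a real capture).
SAMPLE_LOG = """#Software: WebKnight
#Date: 2013-11-05
#LogTime: 10:15:22
#Fields: Date Time Site Event Client-IP User Host User-Agent Additional
2013-11-05 ; 10:15:22 ; W3SVC1 ; OnPreprocHeaders ; 192.0.2.10 ; - ; www.example.com ; Mozilla/5.0 ; BLOCKED: SQL Injection in Query String
2013-11-05 ; 10:15:23 ; W3SVC1 ; OnUrlMap ; 192.0.2.11 ; - ; www.example.com ; curl/7.64 ; BLOCKED: Path Traversal
"""


def is_header(line):
    """True for the quote lines that the nullQueue transform discards."""
    return bool(HEADER_RE.match(line))


def extract(line):
    """Split one event on ';' (DELIMS) and name the pieces (FIELDS)."""
    # maxsplit keeps any further ';' inside the last field (local choice).
    parts = [p.strip() for p in line.split(";", len(FIELDS) - 1)]
    if len(parts) < len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r" % (len(FIELDS), len(parts), line))
    event = dict(zip(FIELDS, parts))
    # Join the separate date and time columns into a single timestamp.
    event["_time"] = datetime.strptime(
        event["WAFDate"] + " " + event["WAFTime"], "%Y-%m-%d %H:%M:%S")
    return event


def parse_log(text):
    """Apply the header filter, then the delimiter extraction, line by line."""
    events = []
    for line in text.splitlines():
        if not line.strip() or is_header(line):
            continue  # equivalent of FORMAT=nullQueue
        events.append(extract(line))
    return events
```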