Getting Data In

Indexing a syslog file - doesnt give expected output

splunker12er
Motivator

Raw Logs:

Fri Mar 14 11:16:16 2014$SERVICEALERT$HOST1$SERVICE1$OK$PROCS OK: 1 process OK
Fri Mar 14 11:17:11 2014$HOSTALERT$HOST2$SERVICE2$WARNING$PROCS OK: 1 process WARNING 
Fri Mar 14 11:18:12 2014$HOSTEALERT$HOST3$SERVICE3$OK$PROCS OK: 1 process OK
Fri Mar 14 11:19:14 2014$SERVICEALERT$HOST4$SERVICE4$CRITICAL$PROCS OK: 1 process CRITICAL

I wanted to index the above _raw log with fields: "TIMESTAMP" ,"ALERTTYPE" ,"HOSTNAME" ,"SERVICENAME" ,"STATUS" ,"Description"

I set the props.conf & transforms.conf as below:

props.conf

[custom]
REPORT-search = extract_custom
SHOULD_LINEMERGE = false

transforms.conf

[custom]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::custom

[extract_custom]
DELIMS = "$"
FIELDS = "TIMESTAMP"$"ALERTTYPE"$"HOSTNAME"$"SERVICENAME"$"STATUS"$"Description"

I couldn't get the exptected output , am i missing something?

0 Karma

splunker12er
Motivator

I got the answer:

I made a mistake in transforms.conf - Below is the corercted one. ',' and not '$'

[custom]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::custom

[extract_custom]
DELIMS = "$"
FIELDS = "TIMESTAMP","ALERTTYPE","HOSTNAME","SERVICENAME","STATUS","Description"
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...