Parsing custom syslog (semicolon delimeted)

LanMan6501 · ‎12-07-2011

I have a UDP syslog feed going into my Splunk box, but Splunk doesn't know what any of the fields are because it's a custom format.

The format is semicolon delimeted and has several fields that contain just a number. I tried to use the field extraction generator using regexs, but that only works for some of the fields.

I tried to configure splunk using the guidelines in this post, but ran into trouble.
http://splunk-base.splunk.com/answers/5539/splunk-field-extraction-csv

First, the files prop.conf and tranforms.conf didn't exist. I tried creating them based on that post. Also, the inputs.conf doesn't have a configuration for the syslog feed, yet it is definitely working in search.

Is there an elegant way to just tell splunk what the fields are like column headers and have it split automatically on the semicolons?

LanMan6501 · ‎12-07-2011

I found a props.conf in the apps/search folder that has my syslog entry in it. I tried tobuild this from there according to the post I mentioned earlier and I still don't have my fields.

My configuration is as follows:

inputs.conf:
[udp://6501]

connection_host = none

sourcetype = TippingPoint(Splunk)

source = TippingPoint (Combined)

index = main

disabled = 0

props.conf

[TippingPoint(Splunk)]

REPORT-TippingPoint(Splunk)extract = TippingPoint(Splunk)_extractions

KV_MODE = auto

transforms.conf:
[TippingPoint(Splunk)_extractions]

DELIMS = ";"

FIELDS="Timestamp","FilterName","ActionType","HitCount","SourceIP","SourcePort","DestIP","DestPort","Device","VLAN_Tag","Protocol"

Parsing custom syslog (semicolon delimeted)

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio