I have a UDP syslog feed going into my Splunk box, but Splunk doesn't know what any of the fields are because it's a custom format.
The format is semicolon delimeted and has several fields that contain just a number. I tried to use the field extraction generator using regexs, but that only works for some of the fields.
I tried to configure splunk using the guidelines in this post, but ran into trouble.
http://splunk-base.splunk.com/answers/5539/splunk-field-extraction-csv
First, the files prop.conf and tranforms.conf didn't exist. I tried creating them based on that post. Also, the inputs.conf doesn't have a configuration for the syslog feed, yet it is definitely working in search.
Is there an elegant way to just tell splunk what the fields are like column headers and have it split automatically on the semicolons?
I found a props.conf in the apps/search folder that has my syslog entry in it. I tried tobuild this from there according to the post I mentioned earlier and I still don't have my fields.
My configuration is as follows:
inputs.conf:
[udp://6501]
connection_host = none
sourcetype = TippingPoint(Splunk)
source = TippingPoint (Combined)
index = main
disabled = 0
props.conf
[TippingPoint(Splunk)]
REPORT-TippingPoint(Splunk)extract = TippingPoint(Splunk)_extractions
KV_MODE = auto
transforms.conf:
[TippingPoint(Splunk)_extractions]
DELIMS = ";"
FIELDS="Timestamp","FilterName","ActionType","HitCount","SourceIP","SourcePort","DestIP","DestPort","Device","VLAN_Tag","Protocol"