All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dynatrace audit logs indexing problem

splunkreal
Motivator
‎08-14-2018 08:20 AM

Hello,

we try to index correctly SecAudit-BackendServer.1.log from Dynatrace however the non-encrypted log files have special characters just before the timestamp :

\x00\x00\x00\xEB\x00\x00\x002018-08-14T16:34:51.920+0200 user=toto,source=1.2.3.4,category=AuditLog,object=,event=Access,status=success,message="successfully read audit log /opt/dynatrace/dynatrace-7.0/log/server/SecAudit-FrontendServer.1.log"

in ssh:

alt text

How would you handle with TIME_PREFIX in props.conf?

Thanks.

* If this helps, please upvote or accept solution 🙂 *
Preview file
1 KB
0 Karma
Reply

sudosplunk
Motivator
‎08-14-2018 01:08 PM

Hi @realsplunk,

IMO, this should be handled by using LINE_BREAKER. Configure line breaking to discard all special characters before date, something like below

props.conf

[sourcetype]
LINE_BREAKER = ([\r\n]+^.+)\d{4}\-\d{2}\-\d{1,2} ## This will discard newline, carriage return characters along with encrypted text.
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
Reply

splunkreal
Motivator
‎08-17-2018 07:50 AM

Hi Nittala_surya, I'm in contact with support because this doesn't work maybe bad characters impact so I'm testing SEDCMD to clean data first.

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

splunkreal
Motivator
‎08-14-2018 03:59 PM

Thanks, however as you can see there are special characters, how would you write regex with :

beginning with anything (risky?) until YYYY-MM-DD?

LINE_BREAKER = (^.+)\d{4}-\d{2}-\d{1,2} ?

https://regex101.com/r/6fN7JB/1

Thanks 🙂

* If this helps, please upvote or accept solution 🙂 *
0 Karma
Reply

sudosplunk
Motivator
‎08-15-2018 05:22 AM

Your LINE_BREAKING regex should also include \n-new line and \r-carriage return characters inside capturing group.

Per docs,

The LINE_BREAKER expression must contain a capturing group (a pair of parentheses that defines an identified subcomponent of the match.)

Wherever the expression matches, Splunk software considers the start of the first capturing group to be the end of the previous event, and considers the end of the first capturing group to be the start of the next event.

Splunk software discards the contents of the first capturing group. This content will not be present in any event, as Splunk software considers this text to come between lines.

That said, LINE_BREAKER = ([\r\n]+^.+)\d{4}\-\d{2}\-\d{1,2} will discard any special characters until YYYY-MM-DD.

https://regex101.com/r/6fN7JB/2

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...