Re: Splunk cannot find correct source log

lpolo · ‎04-25-2012

I have a set of log events that contain the following Key value pair "source" : "integer".
Therefore, splunk is reporting this field named source as source log. Example:

source (categorical)
Appears in 100% of results
Show only events with this field
Charts
Top values by timeTop values overall

Top 10 values   #   %    
4111    506 50,600% 
18324   506 50,600% 
4110    412 41,200% 
16141   412 41,200% 
7641    406 40,600% 
10002   50  5,000%  
10012   50  5,000%  
15152   50  5,000%  
10003   32  3,200%  
4115    20  2,000%

How can I correct this issue?

Thanks,
Lp

kristian_kolb · ‎04-25-2012

sorry, don't really understand. Does splunk rename your data to a new field name called source_log?

Or does the 'real' source data, e.g. '/var/log/secure' get overwritten with your values?

/k

sowings · ‎04-25-2012

For the sourcetype which contains these events, you'll want to create a props.conf stanza that uses a regular expression to extract this field, but with a different name. A possible example is below.

[my_sourcetype]
EXTRACT-mysource = source\s+\:\s+(?<source_num>\d+)

In this example, that integer would be captured in a field named source_num.

sowings · ‎04-25-2012

Can you provide some sample log events?

lpolo · ‎04-25-2012

That is the first thing I did but it did not work.

Thanks.

Splunk cannot find correct source log

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases