Okay, so I will answer my own question!
Here is my props.conf:
[csv-2]
TIME_PREFIX=^([^,]*,){4}
pulldown_type=1
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y%m%d%H%M
TZ=America/New_York
CHECK_FOR_HEADER = false
KV_MODE = none
PRIORITY = 101
TRANSFORMS-extract_host = extract_host
TRANSFORMS-AutoHeader-1 = AutoHeader-1
And here is my transforms.conf:
[AutoHeader-1]
DELIMS = ","
REGEX = (.*?):\s+([0-9,]+)
MV_ADD = true
REPEAT_MATCH = TRUE
CLEAN_KEYS = true
FIELDS = "Username", "Log[On]/Log[Off]", "host", "IP Address", "Timestamp", "Domain"
[extract_host]
# Field 3 is the host. Capture it on its own: with a repeated group such as
# ^([^,]*,){3}, $1 is the last repetition, "host," with its trailing comma.
REGEX = ^(?:[^,]*,){2}([^,]*),
FORMAT = host::$1
DEST_KEY = MetaData:Host
Remember that after making any changes, you need to:
1. Restart the services
2. Gather more data - the previously indexed data won't change. You need new events.
I'd like to know more about the MetaData: keys that I can map to. Are there more known constructs in Splunk? This was the only one I found in the documentation.
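The regexes in the stanzas above can be dry-run before restarting Splunk and waiting for new events. The following is an added example, not code from the post or from Splunk: it replays the TIME_PREFIX, TIME_FORMAT, TZ and host-extraction patterns over constructed CSV lines with Python's re module, which behaves like Splunk's PCRE for these simple patterns. It puts the repeated-group form of the host regex next to the non-capturing form so the trailing-comma difference is visible, and checks that the field TIME_PREFIX lands on is the one named "Timestamp" in FIELDS. The sample events, the helper names and the field normalization (Splunk's CLEAN_KEYS is not emulated) are assumptions of the example.

```python
"""Dry-run the CSV props/transforms regexes against constructed sample lines.
Added example, not code from the post or from Splunk. Python's re module is
used in place of Splunk's PCRE; for these patterns the behaviour is the same."""
import re
from datetime import datetime
from zoneinfo import ZoneInfo

# Field order implied by the FIELDS list in the post. Splunk's CLEAN_KEYS would
# normalize a name like "Log[On]/Log[Off]"; the raw names are kept here.
FIELDS = ["Username", "Log[On]/Log[Off]", "host", "IP Address", "Timestamp", "Domain"]

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "jdoe,LogOn,WS-0142,10.1.2.3,202403041530,CORP",
    "asmith,LogOff,SRV-DB01,10.1.9.8,202403041602,CORP",
]

# Same patterns and settings as the props.conf / transforms.conf stanzas.
TIME_PREFIX = re.compile(r"^([^,]*,){4}")
TIME_FORMAT = "%Y%m%d%H%M"
TZ = ZoneInfo("America/New_York")
# A repeated capture group keeps only its last iteration, so $1 is "field3,"
# including the comma; the non-capturing form isolates field 3 itself.
HOST_REGEX_REPEATED = re.compile(r"^([^,]*,){3}")
HOST_REGEX_FIXED = re.compile(r"^(?:[^,]*,){2}([^,]*),")


def split_fields(event: str) -> dict:
    """Emulate DELIMS="," plus FIELDS: a positional split into named fields."""
    return dict(zip(FIELDS, event.split(",")))


def extract_host(event: str, regex: re.Pattern) -> str:
    """Emulate FORMAT = host::$1: whatever capture group 1 holds becomes host."""
    m = regex.match(event)
    if not m:
        raise ValueError(f"host regex did not match: {event!r}")
    return m.group(1)


def extract_timestamp(event: str) -> datetime:
    """Emulate TIME_PREFIX + TIME_FORMAT + TZ: skip four fields, then parse the
    next field as %Y%m%d%H%M in America/New_York (an aware datetime)."""
    m = TIME_PREFIX.match(event)
    if not m:
        raise ValueError(f"TIME_PREFIX did not match: {event!r}")
    ts_field = event[m.end():].split(",", 1)[0]
    return datetime.strptime(ts_field, TIME_FORMAT).replace(tzinfo=TZ)


def check_alignment() -> bool:
    """TIME_PREFIX skips four comma-terminated fields, so the field it lands on
    must be the one FIELDS calls "Timestamp" (index 4)."""
    return FIELDS.index("Timestamp") == 4


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        fields = split_fields(ev)
        ts = extract_timestamp(ev)
        print(f"{fields['Username']:8} "
              f"host(repeated group)={extract_host(ev, HOST_REGEX_REPEATED)!r} "
              f"host(fixed)={extract_host(ev, HOST_REGEX_FIXED)!r} "
              f"_time={ts.isoformat()} epoch={int(ts.timestamp())}")
    print("Timestamp field aligned with TIME_PREFIX:", check_alignment())
```

Running it prints, for each sample line, the host value each regex would hand to MetaData:Host and the epoch time Splunk would assign under TZ=America/New_York; a wrong TIME_PREFIX count or a misordered FIELDS list shows up here as a strptime error or a failed alignment check rather than as mistimed events in the index.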